Tuesday, November 11, 2014

Deployment tips for Active Directory Certificates Services NDES role

For those who have to setup and environment compliant with SCEP protocol into Microsoft platform, Active Directory Certificate Service has a role called NDES (Network Device Enrollment Service) that simply is the MS implementation for this standard.

I´m not going write a how to, because there are some over internet and the best one, as usual, is the Techect wiki entry that can be found here. My scenario runs on Windows Server 2012 R2.

This guide is quite good, but the product is still, in my humble opinion, in an early stage because the config is based on registry keys (HKLM\Software\Microsoft\Cryptography\MSCEP) and documentation of those keys is limited.

Due this lack of documentation (about reg keys) and an unexisting GUI integrated with Certificate Templates, you can get stuck due the lack of details in logs (EventLog) about what is failing exactly.

If your environment does not require more customization that security settings on default template "IPSec (Offline Request)" just follow the wiki entry and will work smoothly

In my scenario I needed a custom template and our naming convention for certificate template is simply add a prefix to the default template name.
Note that certificate templates have a Template Display name and Template name (usually without blank spaces), so default template has IPSec (Offline request) as Template Display name and IPSECIntermediateOffline as Template name.
Once you duplicate, if you follow our naming convention, brackets symbols will be included on the Template name field.

Beware when you edit EncryptionTemplate, SignatureTemplate, and GeneralPurposeTemplate registry keys to set your custom names, because no error is logged if the name is not valid, NDES service will continue using default values for those keys and you can get crazy troubleshooting.

My advice is use certutil to list the real names of published certiticate templates and simply copy and paste to the proper registry keys. Note that default does not include brackets and duplicated it does

PS C:\Users\artiste-su> certutil -CATemplates
MYCOMPANYIPSec(Offlinerequest): MYCOMPANY IPSec (Offline request) -- Auto-Enroll: Access is denied.
IPSECIntermediateOffline: IPSec (Offline request) -- Auto-Enroll: Access is denied.

The only error registered on EventLog is the following one when you authenticate on https://<ServerName>/certsrv/mscep_admin with a user that has no permissions on default template IPSECIntermediateOffline
 You do not have sufficient permission to enroll with SCEP. Please contact your system administrator. 

Log Name:      Application
Source:        Microsoft-Windows-NetworkDeviceEnrollmentService
Date:          7/10/2014 12:30:27 AM
Event ID:      6
Task Category: None
Level:         Error
User:          MACARIO\rcimas
Computer:      MACLAB-SUBCA02.macario.local

The Network Device Enrollment Service cannot provide its password because the user does not have Enroll permissions on the configured certificate template, or the certification authority is not enabled to issue certificates based on the configured certificate template.

It would be great if future releases allow configure all values  from a GUI and avoid stupid human errors like the one described.

1 comment:

  1. The reordering of ISAPI filters, as documented here (even though I was using a classic service account) helped with this too: