Network Device Enrollment Service Guidance
Applies To: Windows Server 2012 R2, Windows Server 2012
The Network Device Enrollment Service (NDES) allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).
SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing certification authorities (CAs). The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.
The Network Device Enrollment Service performs the following functions:
Generates and provides one-time enrollment passwords to administrators
Submits enrollment requests to the CA
Retrieves enrolled certificates from the CA and forwards them to the network device
NDES configuration settings
The following sections describe the configuration options that you can select after installing the NDES binary installation files.
Configure a service account for NDES
NDES can be configured to run as either of the following:
A user account that is specified as a service account
The built-in application pool identity of the Internet Information Services (IIS) computer
If you select the built-in application pool identity, there is no additional configuration required. However, the recommended configuration is to specify a user account, which requires additional configuration. The user account that is specified as the NDES service account must meet the following requirements:
Be a domain user account
Be a member of the local IIS_IUSRS group
Have Request permissions on the configured CA
Have Read and Enroll permissions on the NDES certificate template, which is configured automatically
Have a service principal name (SPN) set in Active Directory
To create a domain user account to act as the NDES service account
Sign in to the domain controller or administrative computer with Active Directory Domain Services Remote Server Administration Tools installed. Open Active Directory Users and Computers by using an account that has permissions to add users to the domain.
In the console tree, expand the structure until you see the container where you want to create the user account. For example, some organizations have a Services OU or similar account. Right-click the container, click New, and then click User.
In the New Object - User text boxes, enter appropriate names for all the fields so that it is clear that you are creating a user account. Be sure to follow your organization's policy for creating a service account, if such a policy exists. As an example, you could enter the following, and then click Next.
First name: Ndes
Last name: Service
User logon name: NdesService
Ensure that you set a complex password for the account and confirm the password. Configure the password options to correspond to your organization's security policies regarding service accounts. If the password is configured to expire, you should have a process in place to ensure that you reset the password at the required intervals.
Click Next, and then click Finished.
To add the NDES service account to the local IIS_IUSERS group
On the server that is hosting the NDES service, open Computer Management (compmgmt.msc).
In the Computer Management console tree, under System Tools, expand Local User and Groups. Click Groups.
In the details pane, double-click IIS_IUSRS.
In the General tab, click Add.
In the Select Users, Computers, Service Accounts, or Groups text box, type the user sign-in name for the account that you configured to be the service account.
Click Check Names, click OK twice, and then close Computer Management.
You can also use
net localgroup IIS_IUSRS <domain><username> /Add to add the NDES service account to the local IIS_IUSRS group. The command prompt or Windows PowerShell must be run as Administrator. For more information, see Add a member to a local group.
To configure the NDES service account with request permission on the CA
On the CA that is to be used by NDES, open the Certification Authority console with an account that has Manage CA permissions.
Open the Certification Authority console. Right-click the certification authority, and then click Properties.
On the Security tab, you can see the accounts that have Request Certificates permissions. By default the group Authenticated Users has this permission. The service account that you created will be a member of Authenticated Users when it is in use. You do not need to grant additional permissions, if Authenticated Users has the Request Certificates permission. However, if that is not the case, you should grant the NDES service account Request Certificates permission on the CA. To do so:
In the Select Users, Computers, Service Accounts, or Groups text box, type the name of the NDES service account, and click Check Names, and then click OK.
Ensure that NDES service account is selected. Ensure that the Allow check box that corresponds to Request Certificates is selected. Click OK.
To set a service principal name for the NDES service account
Ensure that you are using an account that is a member of the Domain Admins group. Open Windows PowerShell or a command prompt as an administrator.
Use the following command syntax to register the server principal name (SPN) for the NDES service account:
setspn -s http/<computername> <domainname>\<accountname>. For example, to register a service account with the sign-in name NdesService in the cpandl.com domain that is running on a computer named CA1, you would run the following command:
setspn -s http/CA1.cpandl.com cpandl\NdesService
Select a CA for NDES
You must select a CA for the NDES service to use when issuing certificates to clients. If NDES is installed on a CA, you do not have the opportunity to select a CA because the local CA is used. When you install NDES on a computer that is not a CA, you must select the target CA. You can select the CA by the CA name or by the computer name. Click CA name or Computer name, and then click Select. The option you choose will determine the type of dialog box that is presented next.
If you clicked CA name, you will be presented with the Select Certification Authority dialog box, which has a list of CAs from which you can choose.
If you clicked Computer name, you see the Select Computer dialog box where you can set the Locations and enter the computer name that you want to specify as the CA.
Set RA information
On the RA Information page, all the required and optional fields for setting up the service as the RA are collected. The information that you provide here will be used to construct the signing certificate that is issued to the service.
Configure cryptography for NDES
The Network Device Enrollment Service uses two certificates and their keys to enable device enrollment. Organizations might want to use different Cryptographic Service Providers (CSPs) to store these keys, or they may want to change the length of the keys that is used by the service. Only Cryptographic Application Programming Interface (CryptoAPI) Service Providers are supported for the RA keys—Cryptography API: Next Generation (CNG) providers are not supported.
Complete NDES configuration
You can learn more about NDES configuration and operation in the following article Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS). on Microsoft TechNet.
If you require over-the-air enrollment for mobile devices, see Using a Policy Module with the Network Device Enrollment Service.
If you make configuration changes for NDES or to the certificate templates that are used by NDES, you must stop and restart NDES, IIS and the CA service.