This blog is a simple walkthrough of the installation of NDES. The intent of this blog is just to show the steps so that an administrator could follow along with the installation.

For prerequisites and additional information on NDES see: https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx

Preparing Certificate Templates for NDES

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Right-click on Certificate Templates and select New and the Certificate Template to Issue from the context menu

Step 3: Select the CEP Encryption certificate template

Step 4: Repeat Steps 2 and 3 for the Exchange Enrollment Agent (Offline request) and IPSEC (Offline request) certificate templates

When completed you should see all 3 certificate templates listed

Configuring NDES Service Account

Step 1: Open up Active Directory User and Computers (dsa.msc)

Step 2: Right-click on the OU where you store service accounts and then select New then User from the context menu

Step 3: Enter the Full name and User logon name for the service account and then click Next

Step 4: Enter and confirm the password for the service account

Step 5: Select or de-select any desired options and then click Next

Step 6: Click Finish

The service account will now be created

Step 7: Open Server Manager, Select the Tools menu, and the select Computer Management

Step 8: Navigate to Local Users and Groups

Step 9: Navigate to Groups and then open the group named IIS_IUSRS

Step 10: Click Add…

Step 11: Enter the name of the service account that you previously created and click Check Names, and then OK

Step 12: Click OK

Installing NDES

Step 1: Open Server Manager

Step 2: Select the Manage menu and the select Add Roles and Features

Step 3: On the Before you begin page of the wizard, click Next

Step 4: On the Select installation type page of the wizard, select Role-based or feature-based installation, and then click Next

Step 5: On the Select destination server page, click Next

Step 6: On the Select server roles page of the wizard, select Active Directory Certificate Services

Step 7: Click Add Features

Step 8: Click Next

Step 9: On the Select features page of the wizard, click Next

Step 10: On the Active Directory Certificate Services page, click Next

Step 11: On the Select role services page, select Certification Authority Web Enrollment (Note: The reason for selecting this role is so that the CertSrv virtual directory will be visible in IIS)

Step 12: When prompted add the features, click Add Features

Step 13: Select Network Device Enrollment Service and then click Next

Step 14: On the Web Server Role (IIS) page, click Next

Step 15: On the Select role service page, click Next

Step 16: On the Confirm installation selection page, click Install

Step 17: When installation completes, click Close

Step 18: In Server Manager click on the warning symbol and then select Configure Active Directory Certificate Services on th…

Step 19: On the Specify credentials to configure role services page ensure that the account selected is a member of the Enterprise Admins group, and then click Next

Step 20: On the Select Role Services to configure page of the wizard select Certification Authority Web Enrollment and Network Device Enrollment Service, then click Next

Step 21: On the CA for Web Enrollment page, click Select…

Step 22: Select the appropriate CA and then click OK

Step 23: Click Next

Step 24: On the Service Account for NDES page, click Select…

Step 25: Enter the username and password for the NDES service account and then click OK

Step 26: Click Next

Step 27: On the CA for NDES page, click Select…

Step 28: Select the appropriate CA and then click OK

Step 29: Click Next

Step 30: On the RA Information page, fill out any information that your organization requires and then click Next

Step 31: On the Cryptography for NDES page click Next

Step 32: On the Confirmation page, click Configure

Step 33: On the Results page, click Close

Provision Permission to Request Certificates via NDES

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Right-click on Certificate Templates, then select Manage

Step 3: Open the IPSEC (Offline request) certificate template

Step 4: Click the Add… button

Step 5: Enter the name of the user or group for which you want to grant access, click Check Names, and then click OK

Step 6: With that group selected, select Allow Enroll permission, and then click OK

Step 7: Open a web browser running under the context of that newly provisioned user and verify that the user is given an enrollment challenge password.  If they do they have been successfully provisioned.

Enabling SSL on the Web Enrollment Pages and mscep_admin page

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Right-click on Certificate Templates, then click Manage

Step 3: Open the Web Server template or whichever Certificate Template your organization uses to issue SSL certificates

Step 4: Navigate to the Security tab

Step 5: Click Add…

Step 6: Click Object types…

Step 7: Check, Computers and then click OK

Step 8: Enter the hostname of the machine hosting NDES, click Check Names, and then OK

Step 9: Make sure the machine you just added is selected and the click Enroll under the Allow column

Step 10: In the Certification Authority MMC, right-click on Certificate Templates and select New and then Certificate Template to Issue

Step 11: Select the Web Server template or whichever template your organization uses to issue SSL certificates, then click OK

Step 12: On the NDES server, run certlm.msc

Step 13: Within the Certificates MMC locate the Personal node

Step 14: Right-click on the Personal node select All Tasks, and then Request New Certificate…

Step 15: On the Select Certificate Enrollment Policy page, click Next

Step 16: On the Before You Begin page, click Next

Step 17: Select the Web Server certificate template or whichever Certificate Template your organization uses to issue SSL certificates

Step 18: Click the More information is required to enroll for this certificate. Click here to configure settings. hyperlink.

Step 19: On the Subject Tab, under Alternative Name, change the type to DNS

Step 20: Under value enter the DNS name for the NDES server, and then click Add

Below is the result of the previous step.

Step 21: Click on the General tab and under Friendly name type SSL Certificate, then click OK

Step 22: Click Enroll

Step 23: On the Certificate Installation Results page, click Finish

Step 24: Open Server Manager and from the Tools menu select Internet Information Services (IIS) Manager

Step 25: In IIS Manager expand the Server Name node and then the Sites node

Step 26: In the Actions pane, click Bindings…

Step 27: Click Add…

Step 28: Switch type from http to https

Step 29: Switch SSL Certificate from Not selected to SSL Certificate

Step 30: Click OK

Step 31: Click Close

Step 32: Expand Default Web Site and then CertSrv

Step 33: In the middle pane double-click on SSL Settings

Step 34: Check Require SSL and then click Apply

Step 35: Navigate to mscep and the double-click on SSL Settings

Step 36: Uncheck Require SSL and click Apply

Step 37: Verify that an authorized user can access the mscep_admin web page via https

More NDES Articles to com in the upcoming weeks.

-Chris