Replacing the NDES Service Account

There may be times when you need to replace the service account for the NDES service. One scenario is if your organization gets compromised. After a compromise it is common to change the passwords for service accounts and, in some cases, to replace the service accounts entirely. Of course, there may be other reasons to replace service accounts as well. Today we will review the steps needed to replace the NDES service account and walk through the process.

Steps to Replace NDES service account

  • Stop the SCEP Application Pool
  • Create new service account
  • Remove any custom SPNs from the existing service account
  • Add any custom SPNs to the new service account
  • Add the account to the IIS_IUSRS group on the NDES server(s)
  • Add the account to the certificate template that is being provisioned
  • Give the new service account read permissions to the private key of the service certificates
  • Replace the service account in the SCEP Application Pool
  • Start the SCEP Application Pool
  • Remove previous service account from the IIS_IUSRS group
  • Remove previous service account from private key permissions
  • Remove previous service account from certificate template(s)

Service Account Replacement Walkthrough

Stopping the Application Pool

Step 1: On the NDES Server, in Server Manager select Tools, then Internet Information Services (IIS) Manager

Step 2: Navigate to and select Application Pools

Step 3: Right-click on the SCEP Application Pool and then select Stop from the context menu

Creating the Service Account

Step 1: On your Administration Workstation open Active Directory Users and Computers

Step 2: Right-click on the OU that contains your service accounts

Step 3: From the context menu select New then User

Step 4: Fill out the Full name and User logon name, then click Next

Step 5: Enter and confirm the password and select Password never expires if appropriate, then click Next

Step 6: Click Finish

Managing the SPNs (if applicable)

Step 1: Open an elevated command prompt on your Administration Workstation (as a Domain or Enterprise Admin)

Step 2: Run the following command: setspn -l <NDES Service Account Name>

Step 3: Note any custom SPNs (in my example it is http/ndes.fourthcoffee.com)

Step 4: To remove the SPN run the following command: setspn -D <SPN> <NDES Service Account Name>

Step 5: Add the SPN to the new service account by running the following command: setspn -S <SPN> <New NDES Service Account Name>

Adding the Service Account to the IIS_IUSRS group

Step 1: In Server Manager select Tools then Computer Management

Step 2: Navigate to Local Users and Groups, then Groups

Step 3: Open the IIS_IUSRS group

Step 4: Click Add…

Step 5: Enter the new service account and click OK

Step 6: Click OK

Managing the Service Certificates' Private Keys

Step 1: As a user that is local administrator on the NDES server open certlm.msc

Step 2: Navigate to Personal and then Certificates

Step 3: Locate the CEP Encryption certificate

Step 4: Right-click on the certificate and click All Tasks then Manage Private Keys…

Step 5: Click Add…

Step 6: Enter the service account and click OK

Step 7: Provision the new service account with just Read permissions

Step 8: Click OK

Step 9: Locate the Exchange Enrollment (Offline Request) certificate

Step 10: Right-click on the certificate and click All Tasks then Manage Private Keys…

Step 11: Click Add…

Step 12: Enter the service account and click OK

Step 13: Provision the new service account with just Read permissions

Step 14: Click OK

Give the New Service Account Enroll Permissions on the Certificate Template

Determine the certificate template(s) you are distributing with NDES

Step 1: On the CA, log on as an Enterprise Admin

Step 2: Open the Certification Authority MMC

Step 3: Right-click on Certificate Templates and then select Manage from the context menu

Step 4: Navigate to the certificate template you are distributing with NDES

Step 5: Right-click on the certificate template and select Properties from the context menu

Step 6: In the certificate template properties click Add…

Step 7: Enter the new service account name and click OK

Step 8: Give the account Enroll permissions

Changing the Service Account in the SCEP Application Pool

Step 1: Open Internet Information Services (IIS) Manager on the NDES server as a member of the local administrators group

Step 2: Navigate to Application Pools

Step 3: Right-click on the SCEP application pool and select Advanced Settings…

Step 4: In Advanced Settings click on the … button after the current service account (Identity)

Step 5: Click Set…

Step 6: Enter the service account in domain\user format and then enter and confirm the account password

Step 7: Click OK

Step 8: Click OK

Step 9: Click OK

Step 10: Return to the SCEP application pool

Step 11: Right-click on the SCEP application pool and select Start from the context menu

De-provisioning steps

The following steps need to be completed to deprovision the previous service account. However, these steps will not be covered by this walkthrough as those steps should be obvious after completing the above walkthrough.

  • Remove previous service account from the IIS_IUSRS group
  • Remove previous service account from private key permissions
  • Remove previous service account from certificate template(s)
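For readers who would rather script the replacement, the following PowerShell covers the scriptable parts of the walkthrough above (stopping the pool, creating the account, moving SPNs, IIS_IUSRS membership, the pool identity, and the IIS_IUSRS de-provisioning step); the private key and certificate template permissions are still set through the GUI steps described earlier. This is an added example, not from the original post; the account names, OU path, domain and the pool name SCEP are assumptions.

```powershell
# Added example (not from the original post). Run on the NDES server as a local
# administrator who may also edit the service accounts in Active Directory.
Import-Module ActiveDirectory
Import-Module WebAdministration

$OldAccount  = 'FOURTHCOFFEE\svc-ndes'    # assumed name of the current service account
$NewAccount  = 'FOURTHCOFFEE\svc-ndes2'   # assumed name of the replacement account
$ServiceOU   = 'OU=Service Accounts,DC=fourthcoffee,DC=com'   # assumed OU
$AppPool     = 'SCEP'                     # default name of the NDES application pool
$NewPassword = Read-Host -AsSecureString 'Password for the new NDES service account'

$oldSam = $OldAccount.Split('\')[1]
$newSam = $NewAccount.Split('\')[1]

# 1. Stop the SCEP application pool so NDES stops running under the old identity.
Stop-WebAppPool -Name $AppPool

# 2. Create the new service account (mirrors the ADUC steps in the walkthrough).
New-ADUser -Name $newSam -SamAccountName $newSam -Path $ServiceOU `
    -AccountPassword $NewPassword -Enabled $true -PasswordNeverExpires $true

# 3. Move any custom SPNs (e.g. http/ndes.fourthcoffee.com) from the old account
#    to the new one, equivalent to setspn -D followed by setspn -S.
$spns = (Get-ADUser -Identity $oldSam -Properties ServicePrincipalNames).ServicePrincipalNames
foreach ($spn in $spns) {
    Set-ADUser -Identity $oldSam -ServicePrincipalNames @{Remove = $spn}
    Set-ADUser -Identity $newSam -ServicePrincipalNames @{Add = $spn}
}

# 4. Grant the new account IIS_IUSRS membership on this NDES server.
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $NewAccount

# 5. Point the application pool at the new identity (domain\user format) and start it.
$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $NewAccount
    password     = $plain
}
Start-WebAppPool -Name $AppPool

# 6. De-provision the old account from IIS_IUSRS. Its private key and template
#    permissions are removed through the GUI steps above.
Remove-LocalGroupMember -Group 'IIS_IUSRS' -Member $OldAccount

# Verify: the SPNs now belong to the new account and the pool runs as it.
(Get-ADUser -Identity $newSam -Properties ServicePrincipalNames).ServicePrincipalNames
(Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel).userName
```

Run the SPN and account steps as a Domain or Enterprise Admin, as the walkthrough requires; if the NDES server is not the machine that carries the ActiveDirectory module, run that part from the Administration Workstation instead.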

-Chris