Replacing the NDES Service Account

There may be times when you need to replace the service account for the NDES service. One scenario is if your organization gets compromised. After a compromise it is common to change the passwords for service accounts and in some cases to replace the service accounts entirely. Of course, there may be other reasons to replace service accounts as well. Today we will review the steps needed to replace the NDES service account and walk through the process.

Steps to Replace NDES service account

  • Stop the SCEP Application Pool
  • Create new service account
  • Remove any custom SPNs from the existing service account
  • Add any custom SPNs to the new service account
  • Add the account to the IIS_IUSRS group on the NDES server(s)
  • Add the account to the certificate template that is being provisioned
  • Give the new service account read permissions to the private key of the service certificates
  • Replace the service account in the SCEP Application Pool
  • Start the SCEP Application Pool
  • Remove previous service account from the IIS_IUSRS group
  • Remove previous service account from private key permissions
  • Remove previous service account from certificate template(s)

Service Account Replacement Walkthrough

Stopping the Application Pool

Step 1: On the NDES Server, in Server Manager select Tools, then Internet Information Services (IIS) Manager

Step 2: Navigate to and select Application Pools

Step 3: Right-click on the SCEP Application Pool and then select Stop from the context menu

Creating the Service Account

Step 1: On your Administration Workstation open Active Directory Users and Computers

Step 2: Right-click on the OU that contains your service accounts

Step 3: From the context menu select New then User

Step 4: Fill out the Full name and User logon name, then click Next

Step 5: Enter and confirm the password and select Password never expires if appropriate, then click Next

Step 6: Click Finish

Managing the SPNs (if applicable)

Step 1: Open an elevated command prompt on your Administration Workstation (as a Domain or Enterprise Admin)

Step 2: Run the following command: setspn -l <NDES Service Account Name>

Step 3: Note any custom SPNs (in my example it is http/ndes.fourthcoffee.com)

Step 4: To remove the SPN run the following command: setspn -D <SPN> <NDES Service Account Name>

Step 5: Add the SPN to the new service account by running the following command: setspn -S <SPN> <New NDES Service Account Name>

Adding the Service Account to the IIS_IUSRS group

Step 1: In Server Manager select Tools then Computer Management

Step 2: Navigate to Local Users and Groups, then Groups

Step 3: Open the IIS_IUSRS group

Step 4: Click Add…

Step 5: Enter the new service account and click OK

Step 6: Click OK

Managing Service Certificates Private Keys

Step 1: As a user that is local administrator on the NDES server open certlm.msc

Step 2: Navigate to Personal and then Certificates

Step 3: Locate the CEP Encryption certificate

Step 4: Right-click on the certificate and click All Tasks then Manage Private Keys…

Step 5: Click Add…

Step 6: Enter the service account and click OK

Step 7: Provision the new service account with just Read permissions

Step 8: Click OK

Step 9: Locate the Exchange Enrollment (Offline Request) certificate

Step 10: Right-click on the certificate and click All Tasks then Manage Private Keys…

Step 11: Click Add…

Step 12: Enter the service account and click OK

Step 13: Provision the new service account with just Read permissions

Step 14: Click OK

Give the New Service Account Enroll Permissions on the Certificate Template

Determine the certificate template(s) you are distributing with NDES

Step 1: On the CA logon as an Enterprise Admin

Step 2: Open the Certification Authority MMC

Step 3: Right-click on Certificate Templates and then select Manage from the context menu

Step 4: Navigate to the certificate template you are distributing with NDES

Step 5: Right-click on the certificate template and select Properties from the context menu

Step 6: On the certificate template click Add…

Step 7: Enter the new service account name and click OK

Step 8: Give the account Enroll permissions

Changing the Service Accounts in the SCEP Application Pool

Step 1: Open Internet Information Services (IIS) Manager on the NDES server as a member of the local administrators group

Step 2: Navigate to Application Pools

Step 3: Right-click on the SCEP application pool and select Advanced Settings…

Step 4: In Advanced Settings, click the … button after the current service account (Identity)

Step 5: Click Set…

Step 6: Enter the service account in domain\user format and then enter and confirm the account password

Step 7: Click OK

Step 8: Click OK

Step 9: Click OK

Step 10: Return to the SCEP application pool

Step 11: Right-click on the SCEP application pool and select Start from the context menu

De-provisioning steps

The following steps need to be completed to deprovision the previous service account. However, these steps will not be covered by this walkthrough as those steps should be obvious after completing the above walkthrough.

  • Remove previous service account from the IIS_IUSRS group
  • Remove previous service account from private key permissions
  • Remove previous service account from certificate template(s)
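The replacement walkthrough and the de-provisioning list above, done from PowerShell, as an added example that is not code from the original post. The private-key Read permissions are left to the certlm.msc steps. It assumes an elevated PowerShell 5.1 session on the NDES server as a Domain Admin, the RSAT ActiveDirectory and WebAdministration modules, the dsacls "CA;Enroll" syntax for the template right, and the placeholder names at the top.

```powershell
# Added example (not from the original post): replace the NDES service account end to end.
# Assumptions: elevated PowerShell 5.1 on the NDES server as a Domain Admin, RSAT
# ActiveDirectory and WebAdministration modules present, placeholder names below.
Import-Module ActiveDirectory, WebAdministration
$Domain     = 'FOURTHCOFFEE'                                 # placeholder NetBIOS domain
$OldAccount = 'svc_ndes'                                     # placeholder: account being retired
$NewAccount = 'svc_ndes2'                                    # placeholder: replacement account
$OuPath     = 'OU=Service Accounts,DC=fourthcoffee,DC=com'   # placeholder service-account OU
$Template   = 'IPSECIntermediateOffline'                     # name of "IPSec (Offline request)"
$Password   = Read-Host "Password for $NewAccount" -AsSecureString

# Stopping the Application Pool: nothing runs as the old identity while the swap happens.
Stop-WebAppPool -Name 'SCEP'

# Creating the Service Account.
New-ADUser -Name $NewAccount -SamAccountName $NewAccount -Path $OuPath `
    -AccountPassword $Password -PasswordNeverExpires $true -Enabled $true

# Managing the SPNs: setspn -L lists the old account's SPNs (e.g. http/ndes.fourthcoffee.com);
# each is deleted there first because an SPN may exist on only one account at a time.
$spns = setspn -L "$Domain\$OldAccount" | Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
foreach ($spn in $spns) {
    setspn -D $spn "$Domain\$OldAccount" | Out-Null
    setspn -S $spn "$Domain\$NewAccount" | Out-Null      # -S refuses to create a duplicate SPN
}

# Adding the Service Account to the IIS_IUSRS group (local group on the NDES server).
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member "$Domain\$NewAccount"

# Enroll permission on the certificate template: the template object lives in the
# Configuration partition; "CA;Enroll" is the control-access right the Security tab sets.
$templateDn = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services," +
              (Get-ADRootDSE).configurationNamingContext
dsacls $templateDn /G "$Domain\${NewAccount}:CA;Enroll" | Out-Null

# Changing the Service Account in the SCEP Application Pool, then starting the pool again.
$plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
Set-ItemProperty -Path 'IIS:\AppPools\SCEP' -Name processModel `
    -Value @{ identityType = 3; userName = "$Domain\$NewAccount"; password = $plain }  # 3 = SpecificUser
Start-WebAppPool -Name 'SCEP'

# De-provisioning: the old account loses IIS_IUSRS membership and its template permissions;
# its entries on the key files are removed in Manage Private Keys... as in the walkthrough.
Remove-LocalGroupMember -Group 'IIS_IUSRS' -Member "$Domain\$OldAccount"
dsacls $templateDn /R "$Domain\$OldAccount" | Out-Null

# Checks: pool state and identity, and the SPNs now registered on the new account.
(Get-WebAppPoolState -Name 'SCEP').Value
(Get-ItemProperty -Path 'IIS:\AppPools\SCEP' -Name processModel).userName
setspn -L "$Domain\$NewAccount"
```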

-Chris

NDES Test Tool

I wanted to draw some attention to an NDES test tool that I have been using for a while. My thanks to the author (Hasain Alshakarti) of the toolbox and steps as it is one of the few ways that I am aware of to test NDES without access to actual hardware or an MDM solution. I am going to cover the steps to use the tool. I understand that the instructions on the authors website are pretty straight forward and pretty easy to follow. However, I think the screenshots may give you all an idea of what to expect when using the tool.

The tool and instructions for the tool are available here: http://secadmins.com/index.php/ndes-scep-windows-test-tool/.

Once you have downloaded and extracted the tool, perform the following steps:

Step 1: Access the mscep_admin site on your web server as a Device Admin. In my example this is http://fcndes01.fourthcoffee.com/certsrv/mscep_admin. Note: My certsrv directory is not protected with TLS. As a best practice it should be protected with TLS.

Step 2: Copy the enrollment challenge password for later use. In my example the password is BA86D09D04DAC557

Step 3: Open a command prompt and navigate to the directory where the tools were extracted

Step 4: Run openssl.exe req -config scep.cnf -new -key priv.key -out test.csr to generate the request

Step 5: Enter the Common Name (subject) for the certificate and press Enter

Step 6: Paste or manually enter the enrollment challenge password, then press Enter. In my example it is: BA86D09D04DAC557

Step 7: To retrieve the CA certificate (which is part of the NDES enrollment process), run the following command: sscep.exe getca -u http://<your NDES server DNS Name or IP address here>/certsrv/mscep/ -c ca.crt

The output you receive will look something like this:

Step 8: Run the following command to enroll for the certificate: sscep.exe enroll -u http://<your NDES server DNS Name or IP address here>/certsrv/mscep/ -k priv.key -r test.csr -l test.crt -c ca.crt-0 -e ca.crt-1

Step 9: Verify the pkistatus is Success

You can also open test.crt to verify the result:

In addition you can view the request in the IIS logs of the NDES server:

Thanks to Hasain Alshakarti for putting together the toolbox and process to test NDES enrollment.
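The same openssl/sscep steps run without interactive prompts and with the result checked, so the test can be repeated after every NDES change. This is an added example, not part of the toolbox or the original post; it assumes it runs from the directory the tool was extracted to (openssl.exe, sscep.exe), replaces scep.cnf with a generated no-prompt config, and uses a placeholder server name.

```powershell
# Added example (not from the tool or the post): scripted NDES enrollment test.
# Assumptions: current directory holds openssl.exe and sscep.exe; placeholder server name.
$Ndes       = 'fcndes01.fourthcoffee.com'   # placeholder; your NDES server name
$Url        = "http://$Ndes/certsrv/mscep/"
$CommonName = 'ndes-test-device'
$Challenge  = Read-Host 'Enrollment challenge password from mscep_admin'   # step 2

# Steps 4-6 without prompts: subject CN and the challengePassword attribute come from a
# config written with prompt = no, and a fresh key is generated instead of the shipped priv.key.
@"
[req]
prompt = no
distinguished_name = dn
attributes = attrs
[dn]
CN = $CommonName
[attrs]
challengePassword = $Challenge
"@ | Set-Content -Path scep-test.cnf -Encoding Ascii
.\openssl.exe genrsa -out priv.key 2048 2>$null
.\openssl.exe req -config scep-test.cnf -new -key priv.key -out test.csr
$reqExit = $LASTEXITCODE
Remove-Item scep-test.cnf            # the file carries a one-time password; do not keep it
if ($reqExit) { throw 'openssl req failed' }

# Step 7: CA certificate(s). sscep names them ca.crt-0, ca.crt-1, ... when several are returned.
.\sscep.exe getca -u $Url -c ca.crt
if (-not (Test-Path ca.crt-1)) { throw 'getca did not produce ca.crt-0/ca.crt-1 as expected' }

# Steps 8-9: enroll and require pkistatus SUCCESS instead of reading the output by eye.
$out = .\sscep.exe enroll -u $Url -k priv.key -r test.csr -l test.crt -c ca.crt-0 -e ca.crt-1 2>&1
$out
if (-not ($out -match 'pkistatus:\s*SUCCESS')) { throw 'enrollment did not succeed' }

# Check test.crt: requested subject, issued by one of the certificates getca returned, valid now.
$x509    = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cert    = New-Object $x509 ((Resolve-Path test.crt).Path)
$issuers = Get-ChildItem ca.crt-* | ForEach-Object { (New-Object $x509 $_.FullName).Subject }
if ($cert.Subject -ne "CN=$CommonName") { throw "unexpected subject $($cert.Subject)" }
if ($issuers -notcontains $cert.Issuer) { throw "issuer $($cert.Issuer) is not in ca.crt-*" }
if ($cert.NotAfter -lt (Get-Date))       { throw 'issued certificate is already expired' }
"Issued: $($cert.Subject) by $($cert.Issuer), valid until $($cert.NotAfter)"
```

The request also shows up in the NDES server's IIS log as a GET to /certsrv/mscep/, which is the server-side view of the same test.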

-Chris

Resetting the NDES Service Account Password

The following steps reset the NDES service account password. This is pretty simple and straightforward.

Step 1: As a Domain Administrator or a user that has been delegated the ability to reset passwords open up Active Directory Users and Computers (dsa.msc)

Step 2: Locate the service account

Step 3: Right-click on the account and select Reset Password…

Step 4: Enter and confirm a password and click OK

Step 5: Click OK to acknowledge the prompt

Step 6: On the NDES server open Server Manager

Step 7: From the Tools menu select Internet Information Services (IIS) Manager

Step 8: Navigate to Application Pools

Step 9: Right-click on the SCEP application pool and select Stop

Step 10: Right-click on the SCEP application pool and select Advanced Settings…

Step 11: Click the 3 dots after the service account under Identity

Step 12: In the Application Pool Identity window click the Set… button

Step 13: Enter the service account name in domain\user format

Step 14: Enter and confirm the password

Step 15: Click OK

Step 16: Click OK

Step 17: On Advanced Settings click OK

Step 18: Right-click on the SCEP application pool and select Start

That’s it. I’m going to continue writing NDES articles until I exhaust the topics that come to mind. At some point I will move on to configuration and known issues with the Web Enrollment Proxy.

-Chris

Steps for renewing NDES Service Certificates

Hello, this blog covers the process I developed to renew the NDES Service Certificates. I thought I had also created a blog with steps to enable these to autoenroll, but I can’t find it at the moment. Basically, NDES uses a CEP Encryption certificate and an Exchange Enrollment Agent certificate. Unless things have changed recently there are no obvious ways to renew them, hence this article. If you have a better solution feel free to let me know. Another option is to simply uninstall and then re-install NDES using the same service account.

In an upcoming article I will cover how to change the service account passwords and how to replace the NDES service account in case of a compromise or security concerns around the service account.

Step 1: First give the NDES Server Read and Enroll permission to the CEP Encryption Certificate Template.

Step 2: Open the certificates MMC targeted to the computer.  Expand Personal.  Right-click on Certificates.  From the context menu select All Tasks then Renew Certificate with New Key…

Step 3: On the Before You Begin page of the wizard, click Next.

Step 4: On the Request Certificates page, click Enroll.

Step 5: On the final page of the wizard, click Finish.

Step 6: Open Certmgr.msc as a user that has Read and Enroll permissions to the Exchange Enrollment Certificate Template.  Expand Personal, right-click on Certificates.  Select All Tasks, and then Request New Certificate…

Step 7: On the Before You Begin page, click Next.

Step 8: On the Select Certificate Enrollment Policy page, click Next.

Step 9: Select the Exchange Enrollment Agent certificate template, and click the More information is required to enroll for this certificate. Click here to configure settings. link.

You will want to use the same Subject Name that is in your current Exchange Enrollment certificate. The following steps illustrate what is needed to do this. You can find the current subject name by opening the Certificates MMC targeted to the local machine and then opening the existing Exchange Enrollment Agent certificate. In my example the name was CN=FCNDES01-MSCEP-RA,C=US.

Step 10: Under Subject Name ensure that Common Name is selected and under Value enter the common name that is in your existing certificate. Then click Add.

Step 11: Change the Type to Country and under Value type the country code that is in your existing Exchange Enrollment Agent certificate.

Step 12: Click Add

Step 13: On the Private Key tab, select Make private key exportable.  Then click OK.

Step 14: Then click Enroll.

Step 15: Right-click on the Exchange Enrollment certificate in the user's personal store.  Select Export…

Step 16: When the Certificate Export Wizard opens, click Next.

Step 17: On the Export Private Key page, select Yes, export the private key.

Step 18: On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX)

Step 19: On the Password page, enter a password and click Next.

Step 20: On the File to Export page, click the Browse… button.  Select the file name and save location.  When finished click Next.

Step 21: On the final page of the wizard, click Finish.

Step 22: Then click OK.

Step 23: In the Certificate MMC on the NDES Server that is targeted to the computer, expand Personal.  Right-click on Certificates.  From the context menu, select All Tasks and then Import…

Step 24: On the Welcome page, click Next.

Step 25: Browse to the PFX file you previously created, and click Next.

Step 26: On the Password page, enter the password associated with the PFX file.

Step 27: On the Certificate Store page, click Next.

Step 28: On the final page of the wizard, click Finish.

Step 29: Then click OK.

Step 30: In the Certificate MMC on the NDES Server that is targeted to the computer, expand Personal.  Right-click on the old Exchange Enrollment certificate, and select Delete. 

Step 31: Then click Yes, to accept the deletion.

Step 32: Right click on the new Exchange Enrollment certificate.  From the context menu, select All Tasks then Manage Private Keys…

Step 33: Add the NDES service account and ensure that it just has Read permission.  Click OK.

Step 34: Right click on the new CEP Encryption certificate.  From the context menu, select All Tasks then Manage Private Keys…

Step 35: Add the NDES service account and ensure that it just has Read permission.  Click OK.

Step 36: Reset IIS using the iisreset command.
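The renewal above (steps 1 to 36) in PowerShell, including the private-key Read grant that the "Managing Service Certificates Private Keys" section of the account-replacement walkthrough does through Manage Private Keys… in certlm.msc. This is an added example, not code from the original post; it assumes an elevated PowerShell 5.1 session on the NDES server with the PKI module, that both templates keep their default legacy CSP (key files under MachineKeys) and allow key export as step 13 relies on, that the template-name extension formats to the template's internal name, and the placeholder service account at the top.

```powershell
# Added example (not from the original post): renew both NDES service certificates and give
# the service account Read on their private keys. Assumptions: elevated PowerShell 5.1 on the
# NDES server, PKI module, legacy CSP keys (template default), placeholder account below.
$ServiceAccount = 'FOURTHCOFFEE\svc_ndes'      # placeholder NDES service account
$PfxPath        = Join-Path $env:TEMP 'ndes-ra.pfx'
$PfxPassword    = Read-Host 'Temporary PFX password' -AsSecureString

# Newest certificate issued from a template, found through the v1 "Certificate Template Name"
# extension (OID 1.3.6.1.4.1.311.20.2); both NDES templates are v1, so it is always present.
function Get-CertByTemplate([string]$StorePath, [string]$Template) {
    Get-ChildItem $StorePath | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $ext -and $ext.Format($false) -eq $Template
    } | Sort-Object NotAfter -Descending
}

# Grant (or with -Remove, revoke) Read on the CSP key file behind a machine certificate.
# This edits the same ACL as the Manage Private Keys... dialog; the file lives in MachineKeys.
function Set-KeyFileAccess($Cert, [string]$Account, [switch]$Remove) {
    try { $rsa = $Cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] }
    catch { $rsa = $null }
    if (-not $rsa) { throw "$($Cert.Subject): not a CSP key (CNG keys live under Crypto\Keys)" }
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    if ($Remove) { icacls $keyFile /remove $Account | Out-Null }
    else         { icacls $keyFile /grant "${Account}:(R)" | Out-Null }
    (Get-Acl $keyFile).Access | Where-Object { $_.IdentityReference.Value -eq $Account }  # show result
}

function Request-Issued([hashtable]$Params) {      # Get-Certificate, failing unless issued now
    $r = Get-Certificate @Params
    if ($r.Status -ne 'Issued') { throw "Template $($Params.Template): status $($r.Status)" }
    $r.Certificate
}

# Steps 1-5: new CEP Encryption certificate with a new key in the machine store, same subject.
$oldCep = Get-CertByTemplate 'Cert:\LocalMachine\My' 'CEPEncryption' | Select-Object -First 1
$cep = Request-Issued @{ Template = 'CEPEncryption'; SubjectName = $oldCep.Subject
                         CertStoreLocation = 'Cert:\LocalMachine\My' }

# Steps 6-29: Exchange Enrollment Agent (Offline request) enrolled as the current user with the
# existing subject (e.g. CN=FCNDES01-MSCEP-RA,C=US), exported with its key, imported into the
# machine store; the PFX and the user-store copy (with its key) are then removed.
$oldRa  = Get-CertByTemplate 'Cert:\LocalMachine\My' 'EnrollmentAgentOffline' | Select-Object -First 1
$raUser = Request-Issued @{ Template = 'EnrollmentAgentOffline'; SubjectName = $oldRa.Subject
                            CertStoreLocation = 'Cert:\CurrentUser\My' }
Export-PfxCertificate -Cert $raUser -FilePath $PfxPath -Password $PfxPassword | Out-Null
$ra = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                            -Password $PfxPassword -Exportable
Remove-Item $PfxPath
Remove-Item "Cert:\CurrentUser\My\$($raUser.Thumbprint)" -DeleteKey

# Steps 30-31: delete the superseded RA certificate from the machine store.
Remove-Item "Cert:\LocalMachine\My\$($oldRa.Thumbprint)"

# Steps 32-36: Read-only key access for the service account, then restart IIS.
Set-KeyFileAccess -Cert $ra  -Account $ServiceAccount
Set-KeyFileAccess -Cert $cep -Account $ServiceAccount
iisreset
```

Set-KeyFileAccess -Remove is the matching de-provisioning step when a service account is retired.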

Feel free to contact me with any topics you would like me to cover with a future blog posting or YouTube video.

-Chris

NDES Installation Walkthrough

This blog is a simple walkthrough of the installation of NDES. The intent of this blog is just to show the steps so that an administrator could follow along with the installation.

For prerequisites and additional information on NDES see: https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx

Preparing Certificate Templates for NDES

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Right-click on Certificate Templates and select New and then Certificate Template to Issue from the context menu

Step 3: Select the CEP Encryption certificate template

Step 4: Repeat Steps 2 and 3 for the Exchange Enrollment Agent (Offline request) and IPSEC (Offline request) certificate templates

When completed you should see all 3 certificate templates listed

Configuring NDES Service Account

Step 1: Open up Active Directory Users and Computers (dsa.msc)

Step 2: Right-click on the OU where you store service accounts and then select New then User from the context menu

Step 3: Enter the Full name and User logon name for the service account and then click Next

Step 4: Enter and confirm the password for the service account

Step 5: Select or de-select any desired options and then click Next

Step 6: Click Finish

The service account will now be created

Step 7: Open Server Manager, select the Tools menu, and then select Computer Management

Step 8: Navigate to Local Users and Groups

Step 9: Navigate to Groups and then open the group named IIS_IUSRS

Step 10: Click Add…

Step 11: Enter the name of the service account that you previously created and click Check Names, and then OK

Step 12: Click OK

Installing NDES

Step 1: Open Server Manager

Step 2: Select the Manage menu and then select Add Roles and Features

Step 3: On the Before you begin page of the wizard, click Next

Step 4: On the Select installation type page of the wizard, select Role-based or feature-based installation, and then click Next

Step 5: On the Select destination server page, click Next

Step 6: On the Select server roles page of the wizard, select Active Directory Certificate Services

Step 7: Click Add Features

Step 8: Click Next

Step 9: On the Select features page of the wizard, click Next

Step 10: On the Active Directory Certificate Services page, click Next

Step 11: On the Select role services page, select Certification Authority Web Enrollment (Note: The reason for selecting this role is so that the CertSrv virtual directory will be visible in IIS)

Step 12: When prompted add the features, click Add Features

Step 13: Select Network Device Enrollment Service and then click Next

Step 14: On the Web Server Role (IIS) page, click Next

Step 15: On the Select role service page, click Next

Step 16: On the Confirm installation selection page, click Install

Step 17: When installation completes, click Close

Step 18: In Server Manager click on the warning symbol and then select Configure Active Directory Certificate Services on th…

Step 19: On the Specify credentials to configure role services page ensure that the account selected is a member of the Enterprise Admins group, and then click Next

Step 20: On the Select Role Services to configure page of the wizard select Certification Authority Web Enrollment and Network Device Enrollment Service, then click Next

Step 21: On the CA for Web Enrollment page, click Select…

Step 22: Select the appropriate CA and then click OK

Step 23: Click Next

Step 24: On the Service Account for NDES page, click Select…

Step 25: Enter the username and password for the NDES service account and then click OK

Step 26: Click Next

Step 27: On the CA for NDES page, click Select…

Step 28: Select the appropriate CA and then click OK

Step 29: Click Next

Step 30: On the RA Information page, fill out any information that your organization requires and then click Next

Step 31: On the Cryptography for NDES page click Next

Step 32: On the Confirmation page, click Configure

Step 33: On the Results page, click Close

Provision Permission to Request Certificates via NDES

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Right-click on Certificate Templates, then select Manage

Step 3: Open the IPSEC (Offline request) certificate template

Step 4: Click the Add… button

Step 5: Enter the name of the user or group for which you want to grant access, click Check Names, and then click OK

Step 6: With that group selected, select Allow Enroll permission, and then click OK

Step 7: Open a web browser running under the context of that newly provisioned user and verify that the user is given an enrollment challenge password.  If they are, they have been successfully provisioned.

Enabling SSL on the Web Enrollment Pages and mscep_admin page

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Right-click on Certificate Templates, then click Manage

Step 3: Open the Web Server template or whichever Certificate Template your organization uses to issue SSL certificates

Step 4: Navigate to the Security tab

Step 5: Click Add…

Step 6: Click Object types…

Step 7: Check Computers and then click OK

Step 8: Enter the hostname of the machine hosting NDES, click Check Names, and then OK

Step 9: Make sure the machine you just added is selected and then click Enroll under the Allow column

Step 10: In the Certification Authority MMC, right-click on Certificate Templates and select New and then Certificate Template to Issue

Step 11: Select the Web Server template or whichever template your organization uses to issue SSL certificates, then click OK

Step 12: On the NDES server, run certlm.msc

Step 13: Within the Certificates MMC locate the Personal node

Step 14: Right-click on the Personal node select All Tasks, and then Request New Certificate…

Step 15: On the Select Certificate Enrollment Policy page, click Next

Step 16: On the Before You Begin page, click Next

Step 17: Select the Web Server certificate template or whichever Certificate Template your organization uses to issue SSL certificates

Step 18: Click the More information is required to enroll for this certificate. Click here to configure settings. hyperlink.

Step 19: On the Subject Tab, under Alternative Name, change the type to DNS

Step 20: Under value enter the DNS name for the NDES server, and then click Add

Below is the result of the previous step.

Step 21: Click on the General tab and under Friendly name type SSL Certificate, then click OK

Step 22: Click Enroll

Step 23: On the Certificate Installation Results page, click Finish

Step 24: Open Server Manager and from the Tools menu select Internet Information Services (IIS) Manager

Step 25: In IIS Manager expand the Server Name node and then the Sites node

Step 26: In the Actions pane, click Bindings…

Step 27: Click Add…

Step 28: Switch type from http to https

Step 29: Switch SSL Certificate from Not selected to SSL Certificate

Step 30: Click OK

Step 31: Click Close

Step 32: Expand Default Web Site and then CertSrv

Step 33: In the middle pane double-click on SSL Settings

Step 34: Check Require SSL and then click Apply

Step 35: Navigate to mscep and then double-click on SSL Settings

Step 36: Uncheck Require SSL and click Apply

Step 37: Verify that an authorized user can access the mscep_admin web page via https
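The whole installation walkthrough above (templates, service account, role installation and configuration, Enroll permission, HTTPS binding and the per-directory SSL settings) as one PowerShell script. This is an added example, not code from the original post; it assumes an elevated PowerShell 5.1 session on the new NDES server as an Enterprise Admin with RSAT, an enterprise CA reachable by certutil, the dsacls "CA;Enroll" syntax for the template right, and the placeholder names at the top.

```powershell
# Added example (not from the original post): NDES installation from PowerShell.
# Assumptions: elevated PowerShell 5.1 on the NDES server as an Enterprise Admin with RSAT;
# placeholder CA config, domain, account, OU and requester group below.
Import-Module ActiveDirectory, WebAdministration
$CaConfig   = 'fcca01.fourthcoffee.com\FourthCoffee-CA'      # placeholder "CAHost\CAName"
$Domain     = 'FOURTHCOFFEE'                                 # placeholder NetBIOS domain
$SvcAccount = 'svc_ndes'                                     # placeholder service account
$OuPath     = 'OU=Service Accounts,DC=fourthcoffee,DC=com'   # placeholder
$Requesters = "$Domain\NDES Device Admins"                   # placeholder group that gets Enroll
$NdesFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$Password   = Read-Host "Password for $SvcAccount" -AsSecureString

# Preparing Certificate Templates: publish the three templates NDES needs on the CA
# (certutil -SetCATemplates works against a remote CA through -config).
certutil -config $CaConfig -SetCATemplates +CEPEncryption+EnrollmentAgentOffline+IPSECIntermediateOffline

# Configuring NDES Service Account: domain account plus local IIS_IUSRS membership.
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -Path $OuPath `
    -AccountPassword $Password -PasswordNeverExpires $true -Enabled $true
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member "$Domain\$SvcAccount"

# Installing NDES: role services (Web Enrollment included so CertSrv is visible in IIS), then
# the configuration wizard's answers, including the RA Information page.
Install-WindowsFeature ADCS-Web-Enrollment, ADCS-Device-Enrollment -IncludeManagementTools
Install-AdcsWebEnrollment -CAConfig $CaConfig -Force
Install-AdcsNetworkDeviceEnrollmentService -CAConfig $CaConfig -Force `
    -ServiceAccountName "$Domain\$SvcAccount" -ServiceAccountPassword $Password `
    -RAName "$env:COMPUTERNAME-MSCEP-RA" -RACountry 'US'

# Provision Permission to Request Certificates via NDES: Enroll on IPSec (Offline request)
# for the group allowed to fetch challenge passwords ("CA;Enroll" = the Enroll checkbox).
$templateDn = 'CN=IPSECIntermediateOffline,CN=Certificate Templates,CN=Public Key Services,' +
              'CN=Services,' + (Get-ADRootDSE).configurationNamingContext
dsacls $templateDn /G "${Requesters}:CA;Enroll" | Out-Null

# Enabling SSL: Web Server certificate with the DNS name in the SAN, HTTPS binding, then
# Require SSL on CertSrv but not on mscep (devices use plain HTTP SCEP against mscep).
$ssl = (Get-Certificate -Template 'WebServer' -DnsName $NdesFqdn -SubjectName "CN=$NdesFqdn" `
        -CertStoreLocation 'Cert:\LocalMachine\My').Certificate
$sslItem = Get-Item "Cert:\LocalMachine\My\$($ssl.Thumbprint)"
$sslItem.FriendlyName = 'SSL Certificate'
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$sslItem | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertSrv\mscep' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'

# Check (step 37): the admin page answers over HTTPS for the current (authorized) user.
(Invoke-WebRequest "https://$NdesFqdn/certsrv/mscep_admin/" -UseDefaultCredentials -UseBasicParsing).StatusCode
```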

More NDES articles to come in the upcoming weeks.

-Chris