Windows Server 2012 – Install and Configure NDES


KB ID 0000947 Dtd 14/05/14


NDES, is the name for what we used to call MSCEP, which was an 'add-on' for the Server 2003 family of servers. In Server 2008 it was renamed to NDES. It is a role service that runs on a Certificate Services Server, and is used to create a registration authority (RA) that can issue certificates from your PKI infrastructure to network devices, i.e. Routers, Firewalls and Switches.


Installing Network Device Enrollment Service

I'm assuming you already have an Active Directory Certificate Services Server setup, if not you can deploy that and add in NDES at the same time.

1. Either: Launch Server Manager > Manage > Add Roles and Features > Below Active Directory Certificate Services select Network Device Enrollment Service.

Install NDES 2012

2. Or: From within PowerShell run the following command;

Install-WindowsFeature –Name ADCS-Device-Enrollment

Add NDES to Server 2012

Configuring Network Device Enrollment Service

1. Create a domain user (below I've called it SVC_NDES) > Add that user to the IIS_IUSRS group on the CA server.

MSCEP user

2. From within Server Manager launch the post deployment configuration wizard.

Configure SCEP Windows

3. Next.

NDES Role Service

4. Select Network Device Enrollment Service, (if not already selected).

Cisco to Windows NDES

5. Change the account details, to the service account you created above.

Windows SCEP domain user

6. Enter the details that will be used to enroll the RA certificate.

RA certificate

7. Accept the defaults > Next.

NDES cryptography

8. Configure.

Enrol cisco router

9. Close.

NDES Wizard

10. Launch the Certificate Authority management console > Certificate Templates > Right Click > Manage.

IPSEC certificate template

11. Open the properties of the 'IPSec (Offline request)' certificate > Security Tab > Make sure the account you created (above) has the 'Enroll' permission.

enroll permissions ndes

NDES Disable Password Requirement.

I've read a few blogs and articles that say;

"There is no way for Cisco devices to supply the required password to enroll with NDES/MSCEP, so you need to disable the requirement for a password."

This is NOT TRUE, however the whole point of issuing certificates via your PKI infrastructure, is that it can scale dramatically. If you are creating passwords and embedding those passwords in all your enrollments, it can get a little unwieldy. So it may be sensible to remove the password requirement.

1. Windows Key+R > regedit {Enter} > Navigate to;

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > EnforcePassword > EnforcePassword

To disable change the value to 0 (zero).

Disable NDES Password Enforce

Below you can see the difference, with the password requirement enforced, and without.

Get NDES password

2. Restart the Certificate Services Service;

net stop certsvc net start certsvc

Restart Certificate Services

NDES More Password Options and Renewing Certificates

If you do want the more secure option of using passwords, but don't want to ad a new password every time you have a new enrollment, you can specify that the password does not expire after the default 60 minutes, in fact it never expires. This is handy if you want to renew certificates without generating new passwords. To do that carry out the following procedure;

1. Windows Key+R > regedit {Enter} > Navigate to;

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > UseSinglePassword > UseSinglePassword

Set the value to 1 (one).

NDES use single password

2. Navigate to;

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP

Create a new 32 bit DWORD value called 'DisableRenewalSubjectNameMatch' Set the value to 1 (one).

NDES renew certificate

3. If (as above), you are running NDES under a service account, ensure that account has full control of the MSCEP key. (Again don't forget to restart the Certificate Server service.)

NDES renew certificate

IIS Query String Problem

You may find that with the default IIS settings you may encounter some problems. This is because (by default) IIS will only accept a Query String that's less than 2048 characters long. If that happens you may see the following errors;

  • Request URL Too Long
  • HTTP Error 414. The request URL is too long.
  • HTTP Error 404.15 – Not Found
  • The request filtering module is configured to deny a request where the query string is too long.

In the IIS logs you will see errors like;

2014-05-14 16:12:39 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=hsca04 80 - Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 218

2014-05-14 16:12:39 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation&message=<base64 encoded certificate request> 80 - - 404 15 0 15

2014-05-14 16:19:21 GET /certsrv/mscep/ operation=GetCACert&message=any 80 - - 200 0 0 328

2014-05-14 16:19:21 GET /certsrv/mscep/ operation=PKIOperation&message=<base64 encoded certificate request> 80 - - 404 15 0 703

To stop that happening open a command window (Run as Administrator), and execute the following command;

Note: If this 'wraps' in your browser, it is one command!

%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"4096" /commit:apphost 

Then restart the web services;

iisreset /noforce

IIS Query String is too long

Now you can get your network devices to enroll, in the next couple of days, I will post how to enroll from both a Cisco ASA, and a Cisco Router.

Note: If you devices are going to be checking your PKI's CRL then you will need to set that up.

Windows Certificate Services - Setting up a CRL

Related Articles, References, Credits, or External Links

Cisco ASA - Enrolling for Certificates with NDES

Author: Migrated

Share This Post On