Before you can use SCEP to provision certificates in Mobility Suite, you must configure the following:
The domain user running the Symantec ADCS Comms. Service must have permission to call the /certsrv/mscep_admin page on the NDES machine. This is the NDES administration page that hands out SCEP challenge passwords, so only that service account (and NDES administrators) should be able to reach it.
The domain user running the Symantec ADCS Comms. Service must have Read and Enroll permissions on the certificate templates used by NDES. The template names are stored in the Registry on the NDES machine under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP, in the values EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate. After you verify which templates are in use, set the permissions for those template(s) on the CA machine (the templates are defined on the CA, not on the NDES machine).
The installer for the Symantec ADCS Communication Service has been updated with a new NDES Challenge URL field. The field is optional and can be left blank when NDES is not used, but it must be filled in if you want the service to obtain SCEP challenges from NDES.
By default, challenges are eight bytes long (displayed as 16 hexadecimal characters), expire after 60 minutes, and at most five unexpired challenges may be outstanding at one time. Challenges also expire if you restart IIS on the NDES machine, reboot the NDES machine, or use them (successfully or unsuccessfully) to request a certificate, so a failed enrollment attempt consumes a challenge.
These defaults can be changed in the Registry on the NDES machine under HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP. None of the following keys or values exists by default; each setting is a subkey of that path containing a REG_DWORD value of the same name (for example MSCEP\PasswordMax\PasswordMax), and an administrator must create both the subkey and the value to change the default. NDES reads these settings at start-up, so restart IIS after changing them. They are:
PasswordMax - maximum number of unexpired challenges that may be outstanding at one time (default 5)
PasswordValidity - number of minutes a challenge remains valid (default 60)
PasswordLength - length of the challenge in bytes (default 8)
UseSinglePassword - when set to False (0), the default, every enrollment uses a one-time challenge password that is consumed on first use. When set to True (1), NDES issues a single static password that is reused for all enrollments and never expires.
For security reasons, setting this to True (1) is not recommended: a single reusable password lets anyone who learns it enroll as many certificates as they like.
EnforcePassword - when set to True (1), the default, NDES rejects any certificate request that does not carry a valid challenge password. When set to False (0), requests without a challenge are accepted.
For security reasons, setting this to False (0) is not recommended, because it lets unauthenticated clients obtain certificates from the NDES templates.
Choose these values according to the number of devices in your environment and how Mobility Manager sends the SCEP payloads to devices. For example, if you have 100 devices and Mobility Manager sends all of them a SCEP payload at once, the value of PasswordMax should be at least 100, because every outstanding challenge counts against the limit and the ADCS Comms. Service cannot obtain a new challenge once it is reached. If the devices could take up to 4 hours to check in, the value of PasswordValidity should be at least 240 (minutes). Allow some headroom on both values, since a failed enrollment attempt also consumes a challenge and the device will need a fresh one to retry.
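The following script is an added example for this page, not part of the Symantec Mobility Suite installer or documentation. It reports the template names NDES is configured to use, sizes the challenge settings from the device count and check-in window described above, creates the missing subkeys and DWORD values, and restarts IIS so NDES picks them up. It assumes the registry layout given above (a subkey per setting holding a REG_DWORD of the same name), the illustrative figures of 100 devices and a 4-hour check-in window, and a 20 percent headroom factor, which is this example's choice rather than anything the documentation prescribes. Run it from an elevated PowerShell session on the NDES machine.

```powershell
# Added example: size and apply the NDES challenge-password settings.
# Not part of the Symantec documentation. Assumptions: the MSCEP\<Setting>\<Setting>
# REG_DWORD layout, and the sample figures (100 devices, 240-minute check-in window).
param(
    [int]$DeviceCount    = 100,   # devices that may receive a SCEP payload in one batch
    [int]$CheckInMinutes = 240,   # longest a device may take to check in and enroll
    [int]$ChallengeBytes = 8,     # NDES default; 8 bytes = 16 hex characters
    [double]$Headroom    = 1.2    # this example's allowance for failed attempts and retries
)

$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# 1. Report which templates NDES uses. The ADCS Comms. Service account needs Read and
#    Enroll on each of these; those permissions are granted on the CA, not here.
Write-Host "Templates referenced by NDES:"
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    $tmpl = (Get-ItemProperty -Path $mscep -Name $name -ErrorAction SilentlyContinue).$name
    if ($tmpl) { "  {0,-24} {1}" -f $name, $tmpl } else { "  {0,-24} <not set>" -f $name }
}

# 2. Desired values. PasswordMax must cover a whole batch of outstanding challenges and
#    PasswordValidity the longest check-in delay. UseSinglePassword=0 and EnforcePassword=1
#    are the defaults; they are written explicitly so a drift to the insecure values
#    (1 and 0 respectively) is corrected rather than silently kept.
$desired = [ordered]@{
    PasswordMax       = [int][math]::Ceiling($DeviceCount * $Headroom)
    PasswordValidity  = $CheckInMinutes
    PasswordLength    = $ChallengeBytes
    UseSinglePassword = 0
    EnforcePassword   = 1
}

function Set-MscepSetting {
    param([string]$Name, [int]$Value)
    # Each setting lives in its own subkey holding a DWORD of the same name; neither
    # exists until an administrator creates it.
    $key = Join-Path $mscep $Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) { $shown = '<default>' } else { $shown = $current }
    if ($current -ne $Value) {
        New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        "  {0,-18} {1} -> {2}" -f $Name, $shown, $Value
    } else {
        "  {0,-18} unchanged ({1})" -f $Name, $Value
    }
}

Write-Host "Challenge settings:"
foreach ($entry in $desired.GetEnumerator()) {
    Set-MscepSetting -Name $entry.Key -Value $entry.Value
}

# 3. NDES reads these values at start-up, so IIS must be restarted. The restart also
#    expires every outstanding challenge, so run this before a rollout, not in the
#    middle of one.
iisreset
```

Because an IIS restart invalidates every challenge already handed out, schedule this change before Mobility Manager pushes the SCEP payloads; any device that checks in between the restart and a new push will need a fresh challenge.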