SMM for SMP: Network Device Enrollment Service (NDES/SCEP)
In an MPKI network where client certificates are required, the standard method of issuing certificates to network devices is via an NDES. Currently iOS devices require a Simple Certificate Enrollment Protocol (SCEP) server upon enrollment. In SMM for SMP, the NDES role resides on a Windows server in the environment. NDES requires that a CA exist within the environment; the CA may be on the same server as the NDES role, although this is not recommended. The NDES role may be installed on the MMS, but the CA role cannot be on the MMS (due to self-signed certificate limitations).
· Windows Server 2008 R2
· Domain account with cryptographic privileges
1. To add the NDES role, go to Server Manager and add the “Active Directory Certificate Services” role.
2. Click Next through to the “Select Role Services” page and check “Network Device Enrollment Service” and “Certificate Enrollment Web Service” (CEWS).
Note: If this server is not the CA, uncheck the “Certificate Authority” role service to be able to add the two additional role services. Additionally: if this is being installed on the MMS, do NOT add the CA role to the MMS. If this is an off-box CA, install the CA role with the role defaults, using a key of at least 2048 bits. The NDES and CEWS role services may be added later.
3. Click Next and specify a user account for the role service.
Note: This service account does not need an SPN set, but it must be added to the local machine “IIS_IUSRS” group.
4. Next, specify a CA for NDES enrollment by selecting “Browse…” and navigating to a qualified CA.
5. Specify a Registration Authority (RA) name.
6. For the “Signature key CSP” and “Encryption key CSP”, select “Microsoft Strong Cryptographic Provider”.
7. Specify a CA for the SCEP service.
8. Set the “Authentication Type”.
9. Specify an account credential for SCEP.
10. Next, leave the default role services as they are and click Next through to Installation.
Set SCEP password to never expire
11. Once the installation is complete, open regedit and change the “UseSinglePassword” value from “0” to “1” (so that the same challenge password is returned for every enrollment instead of a fresh one per request), located in:
13. Obtain the CA certificate “HASH” value and the enrollment (challenge) password by going to https://localhost/certsrv/mscep_admin and logging in with either a Domain Administrator account or the service account used in step 3.
14. Copy the hash and challenge password to the “SCEP Servers” settings section of the Mobile Management Console.
Note: The “URL” needs to be accessible from the enrolling device. The default enrollment URL is https://<FQDN>/CertSrv/MSCEP/MSCEP.dll
15. From the “iOS Enrollment” settings page of the Mobile Management Console, select the icon next to “Cryptographic credential used for authentication”.
Add a new SCEP setting, selecting the newly created SCEP configuration from the “SCEP Server” list. Set the Subject to something simple like “CN=MobileSCEP”, set the “Key Size” to 2048, and Save Changes.
16. Close the sub-window, select the newly created credential, and Save Changes.
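The following PowerShell script is an added post-installation check for the NDES server configured in the steps above; it is not part of this document or of the product. It verifies the role services from step 2, the IIS_IUSRS membership from the step 3 note, the UseSinglePassword value from step 11, and that the enrollment URL from the step 14 note answers a SCEP GetCACaps request. The service account and FQDN are placeholders, and the MSCEP registry key path is the documented NDES location, which this page does not state. It is written to run on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example (not from the page or the product): post-install verification of an NDES/SCEP server.
# Run in an elevated PowerShell session on the NDES server.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_ndes',                                  # placeholder: account chosen in step 3
    [string]$EnrollmentUrl  = 'https://ndes.example.com/CertSrv/MSCEP/MSCEP.dll'  # placeholder FQDN; path is the page's default
)

Import-Module ServerManager   # required on Server 2008 R2 before Get-WindowsFeature is available

# 1. Role services from step 2 (ADCS feature ids as used by Get-WindowsFeature).
$features = Get-WindowsFeature ADCS-Device-Enrollment, ADCS-Enroll-Web-Svc, ADCS-Cert-Authority
foreach ($f in $features) { '{0,-25} installed={1}' -f $f.Name, $f.Installed }
if (($features | Where-Object { $_.Name -eq 'ADCS-Cert-Authority' }).Installed) {
    Write-Warning 'CA role is installed on this host; the guide advises against co-locating it with NDES (and never on the MMS).'
}

# 2. The NDES service account must be a member of the local IIS_IUSRS group (step 3 note).
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/IIS_IUSRS,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$acct = $ServiceAccount.Split('\')[-1]
if ($members -contains $acct) { "IIS_IUSRS contains $acct" } else { Write-Warning "IIS_IUSRS does not contain $acct" }

# 3. UseSinglePassword from step 11. Key path is the documented NDES location (not stated on the page).
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$val = (Get-ItemProperty -Path $mscep -Name UseSinglePassword -ErrorAction SilentlyContinue).UseSinglePassword
"UseSinglePassword = $val"
if ($val -eq 1) {
    Write-Warning 'A single static challenge password is in use: treat it as a shared secret and restrict who can read the mscep_admin page.'
}

# 4. Reachability from the device's point of view (step 14 note): a SCEP GetCACaps query against the enrollment URL.
# System.Net.WebClient is used instead of Invoke-WebRequest so this also works on PowerShell 2.0.
$caps = (New-Object System.Net.WebClient).DownloadString("$EnrollmentUrl?operation=GetCACaps&message=ca")
'CA capabilities advertised: ' + (($caps -split "`r?`n" | Where-Object { $_ }) -join ', ')
if ($caps -notmatch 'SHA-256') { Write-Warning 'Server does not advertise SHA-256; clients will negotiate a weaker hash.' }
```

Run it from the NDES server after step 14; the GetCACaps request should also be repeated from a network segment the enrolling devices actually use, since a successful localhost check says nothing about firewall or proxy rules in front of the server.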