Support Tip - How to configure NDES for SCEP certificate deployments in Intune
Published Apr 15 2019 09:35 AM 204K Views
Microsoft

Hi everyone, today we have another post from Intune Support Escalation Engineer Mingzhe Li. In this post, Mingzhe goes through setting up and configuring NDES for SCEP certificate deployments in Intune. There are a few different ways you can set up NDES and we have our official documentation on this here, but if you're looking for a simple step-by-step guide for a single-certificate scenario with lots of details and screenshots, this post is for you.

 

=====

 

The purpose of this post is to provide an easy, end-to-end guide on setting up a SCEP infrastructure for Microsoft Intune. When I work on this topic as a Support Engineer, many customers ask me for a simple tutorial with as many screenshots as possible. In response to that, I decided to write this article in the hope that it will help you too and make getting this set up as easy as possible.

 

When talking about NDES and SCEP, I like breaking the process up into three parts:

 

  1. Installing the NDES server
  2. Configuring the NDES server
  3. Creating the SCEP profile in the Intune portal

We'll walk through each of these in order; however, before you start please go through the prerequisites for setting up SCEP, which are described here: https://docs.microsoft.com/en-us/intune/certificates-scep-configure.

 

1. Installing the NDES server

Before we install the NDES server, we first need to create a dedicated service account in your Active Directory domain using Active Directory Users and Computers. The NDES application pool in IIS runs under this account, and it is the identity NDES uses to submit SCEP requests to your Enterprise Certification Authority (CA). Give it no privileges beyond the ones described below; it does not need to be a local or domain administrator.

[Screenshots: 100211-jc1.png, 100211-jc2.png]

Once the account is created, go to the computer you want to use for the NDES role and run compmgmt.msc (note that the NDES computer should be running Windows Server 2012 R2 or later). Add the newly created account to the local group IIS_IUSRS:

[Screenshots: 100211-jc3.png, 100211-jc4.png]

 

Next, we need to grant this account the proper permissions on your Enterprise CA. Log on to your Enterprise CA, open the Certification Authority console, open the properties of the CA and on the Security tab add the NDES service account with the 'Request Certificates' permission (Read and Request Certificates are all it needs; do not grant Issue and Manage Certificates or Manage CA):

[Screenshots: 100211-jc5.png, 100211-jc6.png]

Now we need to set the SPN for the NDES service account so that Kerberos authentication to the NDES web site works. Log on to your NDES server, open an elevated command prompt, then run the command below:

setspn -s http/<computer name of NDES server> <domain name>\<NDES service account name>

This sets the SPN for your NDES service account. The -s switch checks for duplicates before adding, so the command fails safely if the same SPN is already registered on another account. It does no harm to register both the short host name and the FQDN of the NDES server.

[Screenshot: 100211-jc7.png]
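The account preparation above, scripted as an added example (this is not code from the original post). It assumes a domain CONTOSO / contoso.com, a service account named svc-ndes and an NDES host named ndes01, all of which are placeholders; run it in an elevated PowerShell session on the NDES server with the RSAT Active Directory module installed.

```powershell
# Added example (not from the original post): prepare the NDES service account.
# Assumptions (placeholders): domain CONTOSO/contoso.com, account svc-ndes, NDES host ndes01.
$domain     = 'CONTOSO'
$domainFqdn = 'contoso.com'
$svcAccount = 'svc-ndes'
$ndesHost   = 'ndes01'

# 1. Create the service account. It gets no group membership beyond Domain Users and
#    must not be a domain or local administrator; NDES only needs it to request certs.
$password = Read-Host -AsSecureString -Prompt "Password for $svcAccount"
New-ADUser -Name $svcAccount -SamAccountName $svcAccount `
    -UserPrincipalName "$svcAccount@$domainFqdn" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Add it to the local IIS_IUSRS group on the NDES server.
if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member "$domain\$svcAccount"   # Server 2016+
} else {
    net localgroup IIS_IUSRS "$domain\$svcAccount" /add                      # Server 2012 R2
}

# 3. Register the HTTP SPNs (short name and FQDN). -s refuses to add a duplicate.
setspn -s "http/$ndesHost" "$domain\$svcAccount"
setspn -s "http/$ndesHost.$domainFqdn" "$domain\$svcAccount"

# 4. Verify: list the SPNs on the account and check forest-wide for duplicates
#    (a duplicate SPN on another principal silently breaks Kerberos for this site).
setspn -L "$domain\$svcAccount"
setspn -X
```

The CA permission (Request Certificates on the CA's Security tab) is still set in the Certification Authority console as described above; it is an ACL on the CA object and is not part of this script.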

 

That's it for the account, so now we can start with the configuration of the NDES computer. On the computer you want to use for the NDES role, open Server Manager and select Add Roles and Features:

[Screenshot: 100211-jc8-2.png]

Choose Role-based or feature-based installation:

[Screenshot: 100211-jc9.png]

Add the Active Directory Certificate Services (AD CS) role:

[Screenshot: 100211-jc10.png]

Under the role services, select Network Device Enrollment Service and make sure Certification Authority is not selected, because this server must not become a CA:

[Screenshot: 100211-jc11.png]

Wait until the installation completes, then start the post-installation (AD CS configuration) steps:

[Screenshot: 100211-jc12.png]

Choose Network Device Enrollment Service:

[Screenshot: 100211-jc13.png]

Next, specify the NDES service account you created above as the account the service runs under:

[Screenshot: 100211-jc14.png]

Now we need to connect the NDES server to your Enterprise CA; select the CA by CA name or computer name. Please note that the CA and the NDES server must be installed on separate servers; installing NDES on the CA itself is not supported for use with Intune.

[Screenshot: 100211-jc15.png]

Leave RA Information set to the defaults. This information is used as the subject of the two Registration Authority (RA) certificates (one for signing, one for encryption) that NDES requests from the CA during setup:

[Screenshot: 100211-jc16.png]

Configure the cryptography as shown below. Keep the default providers and use a key length of at least 2048 bits for both RA certificates. The RA certificate settings cannot be changed after installation without reinstalling NDES, so decide now if you need a hardware-backed provider:

[Screenshot: 100211-jc17.png]

Continue through the wizard to complete the installation of NDES. Once the installation completes, we need to do a few more steps to finish configuring the NDES computer.

 

2. Configuring the NDES server

 

The NDES server needs to accept long URL requests (some SCEP clients send the base64-encoded PKCS#7 request in the query string of a GET), so we first need to raise the IIS request limits. On the NDES computer, open IIS Manager, select Default Web Site -> Request Filtering and then select 'Edit Feature Settings':

[Screenshots: 100211-jc20.png, 100211-jc21.png]

Set Maximum URL length (Bytes) and Maximum query string (Bytes) to 65534 as shown below:

[Screenshot: 100211-jc22.png]

Next, launch Registry Editor (regedit) and go to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters. Create (or edit) the two DWORD values MaxFieldLength and MaxRequestBytes and set both to 65534 (decimal), as shown here. HTTP.sys reads these values when the HTTP service starts, so restart the server afterwards:

[Screenshot: 100211-jc23.png]

These settings make sure that the NDES server (and HTTP.sys in front of it) can receive HTTPS requests which are large in size. If they are not applied, IIS rejects the SCEP request with HTTP 404.14 (URL too long) or 404.15 (query string too long) and none of your devices will receive a SCEP certificate. The author also reports seeing the following authentication error messages in the Intune portal (the Azure 'Ibiza' portal) in this state:

Experiencing authentication issues

The portal is having issues getting authentication tokens for Microsoft_Intune_DeviceSettings
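The same IIS and HTTP.sys changes applied from PowerShell and read back, as an added example (not code from the original post). It assumes the default site is still named "Default Web Site" and uses the 65534 value from the Intune documentation; run it elevated on the NDES server.

```powershell
# Added example (not from the original post): apply the request-filtering and HTTP.sys
# limits NDES needs, then read back what is actually in effect. Run elevated on NDES.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'          # assumption: default site name unchanged
$filter = '/system.webServer/security/requestFiltering/requestLimits'
$limit  = 65534                                   # value from the Intune NDES documentation

# IIS request filtering: Maximum URL length and Maximum query string (bytes)
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxUrl         -Value $limit
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString -Value $limit

# HTTP.sys: create the DWORDs if missing, otherwise overwrite them (decimal 65534)
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $httpParams -Name $name -PropertyType DWord -Value $limit -Force | Out-Null
}

# Verify both places; a typo in either leaves the old 4096/16384 defaults in force
$limits = Get-WebConfiguration -PSPath $site -Filter $filter
'IIS maxUrl={0} maxQueryString={1}' -f $limits.maxUrl, $limits.maxQueryString
Get-ItemProperty -Path $httpParams -Name MaxFieldLength, MaxRequestBytes |
    Select-Object MaxFieldLength, MaxRequestBytes

# HTTP.sys only reads its parameters when the HTTP service starts, and IIS depends on
# it, so a reboot is the reliable way to activate them.
Write-Warning 'Restart the NDES server for the HTTP.sys parameters to take effect.'
```

The IIS limits take effect immediately; the registry values do not, which is why the post tells you to restart the server before testing.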

 

As a next step, we need to publish your NDES server to the Internet and obtain an external FQDN. In this article we do this using Azure AD Application Proxy; however, you can achieve the same with Web Application Proxy (WAP) or another reverse proxy. The point of the reverse proxy is that the NDES server is never exposed directly to the Internet: the Application Proxy connector only needs outbound connectivity, so no inbound firewall rule to NDES is required.

Open your Azure portal and go to Enterprise Applications:

[Screenshot: 100211-jc24.png]

Click on 'Add application' and select 'On-premises application'.

Configure the settings as shown below, using the internal FQDN of your NDES server (as an https URL) for Internal URL. Set Pre Authentication to Passthrough: SCEP clients cannot perform an interactive Azure AD sign-in, and the request is instead validated by NDES asking Intune (via the Intune Certificate Connector) whether the challenge in the request is genuine, so every request that reaches mscep.dll is still checked before a certificate is issued:

[Screenshot: 100211-jc25.png]

Make a note of the External URL (this is generated automatically). You will need it later for the SSL certificate and for the SCEP profile.

 

Now we need to create an SSL certificate template on the Enterprise CA and assign a client/server authentication certificate to the NDES server. All certificate requests to the NDES server will come from the Internet through the reverse proxy, so the connection needs to be protected by TLS; the Intune Certificate Connector also uses this certificate, which is why it needs the client authentication purpose as well.

Log on to your Enterprise CA and launch the CA console. Right-click Certificate Templates, select Manage, then duplicate the Web Server template:

[Screenshots: 100211-jc26.png, 100211-jc27.png]

Assign an appropriate name to the duplicated certificate template (e.g. NDES SSL certificate).

The template must include both Client Authentication and Server Authentication under Extensions tab -> Application Policies. On the Security tab, the computer account of the NDES server needs Read and Enroll permission:

[Screenshots: 100211-jc28.png, 100211-jc29.png]

On the Subject Name tab, make sure that Supply in the request is selected. Because anyone with Enroll permission on such a template can request a certificate with any subject name, keep its Enroll permission limited to the NDES computer account (and an administrator if you need one) rather than granting it to broad groups.

Now we need to issue the new template. Go to Certificate Templates, right-click, select New -> Certificate Template to Issue, then choose the SSL template you just created:

[Screenshot: 100211-jc30.png]

Now we need to go to the NDES computer and request the client/server authentication certificate. Open an MMC console on your NDES server and add the Certificates snap-in for the local computer. Request a new certificate under Personal -> Certificates -> All Tasks -> Request New Certificate:

[Screenshot: 100211-jc31.png]

Select the SSL certificate template you just created on the Enterprise CA as shown below:

[Screenshot: 100211-jc32.png]

Fill in the information on the next screen according to the guidelines below. Devices connect to the external FQDN and validate that name against the certificate, so the external name must be in the certificate; the internal name is included so that the Application Proxy connector and local tests also see a valid name. (The original post used the internal FQDN as the common name; the Microsoft SCEP troubleshooting guide, quoted by a reader in the comments below, recommends the external FQDN as the common name with both names as subject alternative names, which is what is shown here.)

Subject name:

  Type = Common name
  Value = <NDES server external FQDN>

Alternative name:

  Type = DNS
  Value = <NDES server external FQDN>. This is the external FQDN that was previously generated on the Azure Application Proxy.

  Type = DNS
  Value = <NDES server internal FQDN>

[Screenshot: 100211-jc33.png]

Here is an example:

[Screenshot: 100211-jc34.png]

Click OK to finish adding the certificate.

 

Now we need to bind the certificate in IIS. On the NDES computer, open IIS Manager, go to Default Web Site -> Bindings, click Add and add an https binding on port 443. Under SSL certificate, select the certificate you just enrolled from the new template (the list shows certificates from the computer's Personal store, not templates). Leave the Host name field empty: IIS may pre-fill it with the machine name, and a binding restricted to that host name will not match requests that arrive via the proxy under the external FQDN.

[Screenshot: 100211-jc35.png]

Restart your NDES server.
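The certificate request and the IIS binding, done from the command line with checks, as an added example (not code from the original post). The template name NDESSSL, the CA configuration string, and the names ndes.contoso.com (external) and ndes01.contoso.com (internal) are placeholders; the `certreq` INF syntax and the WebAdministration cmdlets are standard Windows tooling. Run it elevated on the NDES server.

```powershell
# Added example (not from the original post): enroll the NDES TLS certificate with certreq,
# verify its names and purposes, and bind it to 443 with an empty host name.
# Assumptions (placeholders): template NDESSSL, CA "ca01.contoso.com\Contoso Issuing CA",
# external name ndes.contoso.com, internal name ndes01.contoso.com.
Import-Module WebAdministration

$template = 'NDESSSL'
$caConfig = 'ca01.contoso.com\Contoso Issuing CA'
$external = 'ndes.contoso.com'
$internal = 'ndes01.contoso.com'
$work     = Join-Path $env:TEMP 'ndes-ssl'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq INF: CN = external name, both names as SAN, non-exportable 2048-bit machine key
@"
[NewRequest]
Subject = "CN=$external"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $template
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$external&"
_continue_ = "dns=$internal"
"@ | Set-Content -Path "$work\ndes.inf" -Encoding ASCII

certreq -new    "$work\ndes.inf" "$work\ndes.req"
certreq -submit -config $caConfig "$work\ndes.req" "$work\ndes.cer"
certreq -accept "$work\ndes.cer"      # installs the cert next to its key in LocalMachine\My

# Pick the newest cert for the external name and check SAN and EKU before using it
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$external" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$eku = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).Format($false)
if ($san -notmatch [regex]::Escape($external) -or $san -notmatch [regex]::Escape($internal)) {
    throw "SAN is missing a name: $san"
}
if ($eku -notmatch 'Server Authentication' -or $eku -notmatch 'Client Authentication') {
    throw "EKU is missing a purpose: $eku"
}

# https binding with no host header (a host-name-restricted binding would not match
# requests arriving through the proxy), then attach the certificate to it
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Verify: HTTP.sys should list 0.0.0.0:443 with this certificate's thumbprint
netsh http show sslcert ipport=0.0.0.0:443
```

The SAN and EKU checks are there because the most common failure at this stage is a certificate that is missing the external name or the Client Authentication purpose: the first breaks device enrollment, the second breaks the Intune Certificate Connector, and neither is obvious from the IIS binding dialog.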

 

The next step is to create the NDES certificate template. This is the template NDES requests on behalf of your Intune devices, so its settings determine what the device certificates can be used for. Log on to your Enterprise CA and start the CA console. Right-click Certificate Templates, select Manage, then duplicate the User template:

[Screenshot: 100211-jc36.png]

Give your new template a display name and make a note of the generated Template name (not the display name), as this is the value you will put into the NDES registry later. On the Subject Name tab, select the Supply in the request option; this is required because the subject comes from the SCEP profile:

[Screenshots: 100211-jc37.png, 100211-jc38.png]

On the Extensions tab, make sure that Client Authentication is listed under Application Policies. The User template also carries Encrypting File System and Secure Email by default; remove any purpose your devices do not need, so the issued certificates cannot be used for more than intended:

[Screenshot: 100211-jc39.png]

On the same tab, edit Key Usage and uncheck the option Signature is proof of origin (nonrepudiation). This is required if the certificate is going to be assigned to iOS devices. Also, on the Request Handling tab, make sure that Allow private key to be exported is not selected, so the key stays on the device it was generated on:

[Screenshots: 100211-jc40.png, 100211-jc41.png]

Now, on the Security tab, add Read and Enroll permission for the NDES service account to the new template (the NDES service account, not the device user, is what submits the request to the CA). On the Cryptography tab, the minimum key size should be 2048:

[Screenshots: 100211-jc42.png, 100211-jc43.png]

Go back to the Certification Authority management console and select Certificate Templates. Right-click, choose New -> Certificate Template to Issue, then select the template you just created:

[Screenshot: 100211-jc44.png]

 

Now the question is 'How does the NDES server know which certificate template to request from the CA?' The first step is to identify the purpose of the template that you just created, which can be checked on the Request Handling tab:

[Screenshot: 100211-jc45.png]

In our example, the purpose is Signature and encryption. We need to map this information to the registry values on the NDES computer. To do this, log on to your NDES computer, run regedit and navigate to HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP. You will see three string values (all set to IPSECIntermediateOffline by default):

  • SignatureTemplate (corresponds to the Signature purpose)
  • EncryptionTemplate (corresponds to the Encryption purpose)
  • GeneralPurposeTemplate (corresponds to the Signature and encryption purpose)

We have selected Signature and encryption as the template purpose, so we need to enter the template name (the Template name from the template's General tab, not its display name) as the value of GeneralPurposeTemplate. If this is the only template you issue through NDES, it is safest to set all three values to it, so that a SCEP profile with a different key usage never falls back to the default IPSECIntermediateOffline template. Restart IIS (iisreset) afterwards, since the MSCEP application reads these values when it starts:

[Screenshot: 100211-jc46.png]
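Setting the three MSCEP values and checking the result, as an added example (not code from the original post). It assumes a template whose Template name is IntuneDeviceCert (a placeholder), looks that name up in Active Directory to catch a typo or a display name used by mistake, and then calls the standard SCEP GetCACaps operation on the local NDES instance. It needs the RSAT Active Directory module and runs elevated on the NDES server.

```powershell
# Added example (not from the original post): point the MSCEP template values at the NDES
# template, confirm the Template name exists, restart IIS and check NDES answers GetCACaps.
# Assumption (placeholder): Template name IntuneDeviceCert.
$templateName = 'IntuneDeviceCert'
$mscep        = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# NDES wants the Template name (the cn of the template object in AD), not the display
# name. Looking it up here turns a typo into an immediate error instead of a failed
# enrollment later with "template not found" in the NDES logs.
$configNC = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
                    -Filter "cn -eq '$templateName'" -Properties displayName
if (-not $tpl) { throw "No certificate template with Template name '$templateName' in AD" }
"Using template '$($tpl.Name)' (display name '$($tpl.displayName)')"

# One template behind all three purposes so no key-usage combination falls back to
# the IPSECIntermediateOffline default
foreach ($value in 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate') {
    Set-ItemProperty -Path $mscep -Name $value -Value $templateName
}
Get-ItemProperty -Path $mscep |
    Select-Object SignatureTemplate, EncryptionTemplate, GeneralPurposeTemplate

iisreset | Out-Null

# GetCACaps is an unauthenticated SCEP operation: a plain-text capability list
# (e.g. POSTPKIOperation, SHA-256) shows mscep.dll loaded and reached the CA.
# If you have enforced SSL on the mscep application, use https and the internal name.
$caps = Invoke-WebRequest -UseBasicParsing `
    -Uri 'http://localhost/certsrv/mscep/mscep.dll?operation=GetCACaps&message=CA'
$caps.Content
```

GetCACaps only proves that NDES is up and can talk to its CA; whether the template is usable is only proven by a real enrollment, which is covered in part 3.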

 

At this point you might have noticed that so far, our actions were not related to Microsoft Intune and we have done everything on our on-premises servers. With this complete, it is time to connect our on-premises service to the Microsoft Intune cloud. The interface between Intune and your NDES computer is the Intune Certificate Connector, which we will install now. The connector makes outbound HTTPS connections to Intune only; no inbound port needs to be opened for it.

Log on to the Intune portal and navigate to Device Configuration -> Certificate Connectors -> Add and download the connector installation file:

[Screenshots: 100211-jc47.png, 100211-jc48.png]

Copy the file to your NDES server and start the installation with administrative rights. When the wizard starts, first select the option below:

[Screenshot: 100211-jc49.png]

Follow the instructions and select the correct NDES SSL certificate:

[Screenshot: 100211-jc50.png]

Please note that the certificate chosen here is the SSL certificate for client/server authentication which we created earlier. This is why that template needed the Client Authentication purpose in addition to Server Authentication.

Once the installation finishes you will see the screen below. Sign in to your Intune tenant:

[Screenshot: 100211-jc51.png]

IMPORTANT: The sign-in account needs to be a Global Administrator or an Intune Administrator. (A reader reports in the comments below that the account also needed an Intune license assigned.)

Once the sign-in is completed, Intune can communicate with your NDES computer. Note that you can re-launch the above screen at any time by running <Intune_Connector_Install_Path>\NDESConnectorUI\NDESConnectorUI.exe.

Restart the NDES server after the installation of the Intune Connector.

 

3. Creating the SCEP profile in the Intune portal

 

At this point we’ve completed the installation and configuration of our NDES server and connected our on-premise environment to Intune, so now it’s time to create the SCEP profile in the Intune portal and deploy it to our target devices.

 

A requirement for deploying a SCEP profile is the successful deployment of the trusted root certificate from your CA to your targeted devices, as they will only accept certificates from a trusted certification authority. Log on to your root CA, open a command prompt and run the following command:

certutil -ca.cert C:\root.cer

This command exports the public CA certificate of the CA you run it on (no private key) to the C:\ drive as root.cer, so run it on the root CA; if you run it on a subordinate issuing CA you get the issuing CA certificate instead. Note that you can use any other name for the file and store it in any other location; we're just using this in our example.

NOTE: If you are going to deploy SCEP certificates to Android devices, you will need to export the CA certificate from both the root CA and the issuing CA (if it exists). For iOS devices, you only need to export the root certificate from the root CA.

Next, log on to your Intune portal and create a trusted certificate profile first. In my example I created a profile for iOS devices:

[Screenshot: 100211-jc52.png]

When you create your profile, you need to upload the root certificate that you just exported from the root CA and deploy the trusted certificate profile to your target devices. If you plan to deploy SCEP profiles to Android devices, and you have both a root CA and an issuing CA, you need to create one trusted certificate profile for the root CA and another one for the issuing CA. For iOS devices, you only need to deploy the trusted certificate profile containing the root certificate from the root CA.

 

Once the trusted certificate profile has been successfully deployed to your devices, you can create the SCEP profile itself. In this example I will again create a sample profile for iOS devices.

One important step is to define the key usage:

[Screenshot: 100211-jc53.png]

Do you still remember the certificate purpose registry values we configured on the NDES server?

[Screenshot: 100211-jc54.png]

We need to map the key usage from our SCEP profile to the registry values we defined on the NDES server. If you select only Digital signature in the SCEP profile, the Intune connector reads the SignatureTemplate value and the NDES server requests the certificate from the template named there. If only Key encipherment is selected, the connector reads the EncryptionTemplate value, and if both are selected in the SCEP profile the connector reads the GeneralPurposeTemplate value. The key usage chosen in the profile therefore has to agree with the purpose of the template that value points to, which is why we checked the template's Request Handling tab above.

 

Select the trusted certificate profile we created earlier:

[Screenshot: 100211-jc55.png]

Define the key usage:

[Screenshot: 100211-jc56.png]

As a last step, specify the external FQDN of our NDES server in the SCEP profile:

[Screenshot: 100211-jc57.png]

The format needs to be as below:

https://<external FQDN of the NDES server>/certsrv/mscep/mscep.dll

The scheme must be https and the host must be the external name that is present in the NDES SSL certificate; devices reach this URL through the Azure Application Proxy, never via the internal name. In this example, we have previously generated the external FQDN with Azure Application Proxy:

[Screenshot: 100211-jc58.png]
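Before assigning the profile, it is worth checking the published endpoint exactly the way a device will reach it. The following is an added example (not code from the original post) to run from a machine outside the LAN; the external URL https://ndes-contoso.msappproxy.net/certsrv/mscep/mscep.dll is a placeholder for your own Application Proxy URL. It validates the TLS certificate for that name, calls the standard SCEP GetCACaps operation, and decodes the GetCACert reply, which NDES returns as a degenerate PKCS#7 containing the CA certificate and the two RA certificates.

```powershell
# Added example (not from the original post): exercise the published SCEP endpoint from
# outside the LAN. Assumption (placeholder): external URL below is your App Proxy URL.
Add-Type -AssemblyName System.Security
$scepUrl = 'https://ndes-contoso.msappproxy.net/certsrv/mscep/mscep.dll'

# 1. TLS: the external name must validate against the certificate being presented.
$uri = [Uri]$scepUrl
$tcp = New-Object Net.Sockets.TcpClient($uri.Host, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($uri.Host)       # throws on a chain or name mismatch
$tlsCert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"TLS cert subject: $($tlsCert.Subject), expires $($tlsCert.NotAfter)"
$ssl.Dispose(); $tcp.Dispose()

# 2. GetCACaps: unauthenticated; must return the capability list, not an IIS error page.
$caps = (Invoke-WebRequest -UseBasicParsing -Uri "$scepUrl?operation=GetCACaps&message=CA").Content
if ($caps -notmatch 'POSTPKIOperation') { throw "Unexpected GetCACaps reply: $caps" }
'CA capabilities: ' + (($caps -split "`r?`n" | Where-Object { $_ }) -join ', ')

# 3. GetCACert: a certs-only PKCS#7 with the issuing CA and the two RA certificates.
#    Content is returned as byte[] because the reply is not a text content type.
$raw = (Invoke-WebRequest -UseBasicParsing -Uri "$scepUrl?operation=GetCACert&message=CA").Content
$cms = New-Object Security.Cryptography.Pkcs.SignedCms
$cms.Decode([byte[]]$raw)
$cms.Certificates | ForEach-Object { '  {0}  (issued by {1})' -f $_.Subject, $_.Issuer }
# Expect the CA plus two RA certificates whose subject is the RA Information from setup.
```

If step 1 fails, the certificate bound in IIS (or the proxy's own certificate, if it terminates TLS) does not cover the external name; if step 2 returns HTML, the proxy is reaching a site other than NDES or the binding has a host name set; if step 3 shows expired RA certificates, NDES needs to be reinstalled, since (as noted in the comments below) the RA certificate settings cannot be changed after installation.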

Once you're finished configuring your profile, all you need to do now is assign the SCEP profile to your target devices/users. Once the users/devices receive the profile, they retrieve a SCEP certificate. In brief: Intune delivers the profile together with a challenge to the device; the device generates its key pair locally and sends a SCEP request carrying that challenge to the external NDES URL through the reverse proxy; NDES hands the challenge to the Intune Certificate Connector (its policy module), which asks Intune whether the challenge is genuine and still valid; only then does NDES submit the request to the CA under the NDES service account and return the issued certificate to the device, and the connector reports the result back to Intune. A simplified overview of this process is shown below.

[Screenshot: 100211-jc59.png]

 

Additional Resources

Troubleshooting NDES configuration for use with Microsoft Intune certificate profiles

Troubleshooting SCEP certificate profile deployment in Microsoft Intune

Configure and use SCEP certificates with Intune

 

Mingzhe Li

Intune Support Escalation Engineer

28 Comments
Brass Contributor

NDES can be a bit of a bear to setup, great to see such succinct instructions!

 

Now the million dollar question @J.C. Hornbeck: will there come a day when we can use these shiny new client certificates to authenticate to unfederated AzureAD?  Works great for ActiveSync to EXO already.

Great write-up J.C thanks!

Copper Contributor

Very helpful guide, thank you so much. I only want to add that on the server certificate request, "Common Name=Internal FQDN" didn't work for me. I had to change it to "Common Name= External FQDN" as per the Microsoft guide:

"Troubleshooting SCEP: STEP 3 (https://support.microsoft.com/en-us/help/4457481/troubleshooting-scep-certificate-profile-deployment...:(

In this case, issue the web server SSL certificate with the following attributes for Common Name and Subject Alternative Name, and then bind it to port 443 in IIS:

  • Subject name
    CN = external server name
  • Subject Alternative name
    DNS Name= external server name
    DNS Name= internal server name
Brass Contributor

@J.C. Hornbeck   Had troubles today where the downloaded Intune Connector installer was firing up but then immediately quitting before installing anything. The setup logs showed that because I was running EN-UK for my server's Windows display language rather than the usual EN-US, the installer was trying to find a .mst transform file that isn't present in the current NDESConnectorSetup.exe package (checked with 7-Zip).

 

Changed the Windows display language back to EN-US, logged out, logged back in and tried again and it worked. Suggest someone tests the current NDESConnectorSetup.exe (6.1904.1.0.650590e1) against a non EN-US system!

 

 

 

 

 

 

Brass Contributor

it would be great to see a few examples of what the client experience is when using client certs. 

Is this the setup for client cert that would be required for cloud app security client cert session policy validation? 

 

Brass Contributor
Also, what is the security model for NDES/SCEP? Based on this doc it looks like it's being configured for an application proxy with no authentication (pre-auth passthrough).
Brass Contributor

@gd-29 : The NDES/SCEP server is going to check with Microsoft Intune (via the Intune Connector) to see if the certificate request is valid (see the very last picture, 'How it works (simplified)'), and only issue the certificate if Intune gives the thumbs up.

Brass Contributor
@Steve Burkett thanks, I missed that diagram. I still have questions if the URL is one-time use etc. Right now I'm more focused on getting a test certificate to work with Microsoft Cloud Security. I can't seem to get it to prompt my client for a valid client certificate. I wasn't sure if this Intune configuration was required, but for now I manually issued a client cert and imported it to my device for testing.
Copper Contributor

@J.C. Hornbeck very informative, thank you.

 

I am trying to find out the server spec for hosting the Intune certificate connector and the NDES server role.

 

Can you advise where I can find this?

Microsoft

You can find the specs in https://docs.microsoft.com/en-us/intune/certificates-scep-configure under 'Prerequisites'.

Copper Contributor

Hello @Mingzhe_Li thank you for your response.

 

I did check the link previously but it does not list the hardware specs for the server required to host the NDES role and the Intune certificate connector? 

Hello @Mingzhe_Li 
We are setting up NDES and are facing an issue with the NDES Connector. As soon as we start the NDES Connector it shows this status:
An error occurred while connecting to the Intune service. Error code is 0x80004003. The NDES Connector will retry the connection as soon as possible.
It shows this error no matter which account we use to sign in to the server and start the Connector, with or without an Intune license.
When we click on Sign in, it takes a long time before something happens (white screen) before it shows:
Navigation to the webpage was canceled.

If we click refresh the page we get the error:
This page can't be displayed.
Turn on TLS 1.0, TLS 1.1, and TLS 1.2...... and try connecting to https://login.windows.net

The whitelisting on the proxy contains login.windows.net, login.microsoftonline.com, *.manage.microsoft.com

Any thoughts on this issue, where to have a look for the cause in event logs etc.?

Microsoft

Hi Peter,

 

please check if you have whitelisted all required domains according to:

 

https://docs.microsoft.com/en-us/intune/fundamentals/network-bandwidth-use

 

Cheers

Copper Contributor

Hi, is there a tool to modify the NDES settings after installing and configuring it? I need to change the NDES RA certificate private key protection to the nCipher Enhanced Cryptographic Provider.

Microsoft

Hi Ttran,

 

changing the RA cert configuration after installing the NDES server is not a supported scenario and can lead to NDES stopping working. Therefore, all settings for the RA cert should be configured during NDES installation.

Copper Contributor

After speaking with Intune Support, it would appear that the part where you must sign into your account to establish the connection is misleading. It says you must be Global or an Intune Administrator, however, after constantly getting access denied on my end, it turns out my administrative account did not have an Intune License, only the Global Admin role. I'm not sure if an Intune Administrator is all that is needed, but in my case I did need an Intune License despite being a global administrator. Hope this helps someone.

 

 

Copper Contributor

Excellent and most helpful post.

How do we update the Intune Connector certificate when it expires?  I'm getting a 403.17  - Forbidden error in the NDESPlugin.log.  I updated the IIS cert but that didn't help, so perhaps it's the connector certificate?

Copper Contributor

Thanks for this useful documentation.

My CA server version is 2008 R2, and there is no "Microsoft Enhanced Cryptographic Provider v1.0" option under the Provider category while creating the certificate template for Intune users. Do you have any idea?

 

 

Brass Contributor

Make sure you delete the host name when setting up the IIS site. It defaults to the machine name. Took me ages to spot.

Brass Contributor

@OffColour1972 Sorry, can you expand on this please? I'm not sure what setting you're referring to or what step in the above guide.

 

Thanks

Brass Contributor

@Durrante There's a screenshot of adding the certificate to the binding in IIS. You'll see the Host Name field is empty. When you add that new binding that field will default to the machine name. Make sure you remove the machine name.

Copper Contributor

Hi,
I have a doubt. We provide the server FQDN ex https://ndesserverfqdn in App proxy as internal URL. However when we browse it for testing it shows default IIS webpage. Is this correct configuration?


Or we should provide internal NDES URL like -
https://ndesserverfqdn/certsrv/mscep

NDES server is installed and configured. App proxy connector also installed.

 

Copper Contributor

Hi, @Mingzhe_Li 

can we configure two NDES servers on-premises to be redundant? Not clear about this in the Microsoft Intune document

https://docs.microsoft.com/en-us/intune/certificates-scep-configure.

 

Thanks!

Dean

Copper Contributor

Hi, I am hoping to understand the significance of using the proxy server, when we also use the connector?  Doesn't the connector facilitate a local connection between intune and the ndes server?  

What then is the aim of using an external url?

 

Further, the instructions for the proxy don't exactly match my Azure AD console, though full disclosure, I don't yet have a license for it. I probably will have a license by tomorrow. Is this software that installs locally? Otherwise how does it proxy the connection? So then if the proxy is installed locally, why do we also use the connector?

 

Microsoft

@Canyon_IT, the short answer is that the Azure AD app proxy acts as a reverse proxy so you don't have to directly expose the NDES server to the internet.  

 

Here's the recommendation in the docs:

We recommend publishing the NDES service through a reverse proxy, such as the Azure AD application proxy, Web Access Proxy, or a third-party proxy. If you don't use a reverse proxy, then allow TCP traffic on port 443 from all hosts and IP addresses on the internet to the NDES service.

Configure infrastructure to support SCEP certificate profiles with Microsoft Intune - Azure | Micros...

 

To further clarify in case I've missed answering your question:

There are two "connectors" in play here.  Each is installed on an on-prem server to facilitate communication for different purposes.  One to allow communication from NDES to Intune and the other to more securely allow clients to connect from the internet to your NDES service.

1. The Application Proxy connector connects your Azure AD application proxy (and thereby any client on the internet) to your on-prem environment/application (in this case NDES).  This is so that it can proxy traffic in (often called reverse-proxy) so that your NDES server isn't directly exposed to the internet and thereby the attack surface is reduced.

Note: Azure AD app proxy actually only requires outbound firewall rules (no inbound needed), so it's super secure - Understand Azure AD Application Proxy connectors | Microsoft Docs

2. The other connector, that you install on your NDES server, is the Intune connector that facilitates communication solely between the NDES service and Intune.  This connector exists so that NDES can validate the challenge presented by the client with Intune (i.e. it's just an additional layer of validation). Intune only returns a positive or negative response.

 

The external URL referenced in the post above is the one provided by the Azure AD application proxy.  This is the one used in the Intune certificate profile and is the URL the client reaches out to with its request.  The app proxy then proxies the communication with the NDES server, because you have added the internal URL of the NDES server to the Azure AD app proxy configuration.

 

As far as not matching the console, that's not too surprising.  Things change often in Azure and this post is pretty old by cloud standards.  If you find you have a specific question once you have a license, don't hesitate to ask.

 

 

Copper Contributor

Great extensive post!

 

I'm still confused about the relation with a third party on-prem forward proxy and Azure Application (reverse) proxy.

 

I cannot get an Internet connection through our forward on-prem proxy when signing in to Azure via the Intune certificate connector.

However, if I browse to that URL via IE on my NDES server to https://portal.manage.microsoft.com, I get an HTTP 403 'forbidden'. This makes sense since we have to authenticate through our on-prem proxy with an account.

 

But after authenticating and configuring this proxy in the Intune Connector configuration, I still don't get access.

 

Any help would be appreciated, thanks!

Copper Contributor

Hello,

 

How will the flow be if a device is enrolling to Intune on the LAN? Any documentation on LAN connectivity to the NDES server? What ports need to be allowed for certificate deployment?

 

Thanks

 

 

Version history
Last update:
‎May 06 2019 08:24 AM