Category: Network Device Registration Service (NDES)

Unable to install Network Device Enrollment Service (NDES) at a site with read-only domain controllers

Assume the following scenario:

  • A network device registration service (NDES) is to be implemented in the network.
  • Read Only Domain Controllers (RODC) are located at the Active Directory site of the NDES server.
  • NDES role configuration fails with the following error message:
Failed to add the following certificate templates to the enterprise Active Directory Certificate Service or update security settings on those templates:
EnrollmentAgentOffline
CEPEncryption
IPSEC(Offline request)
A referral was returned from the server. 0x8007202b (WIN32:8235 ERROR_DS_REFERRAL)
Continue reading „Keine Installation des Registrierungsdienstes für Netzwerkgeräte (NDES) an einem Standort mit nur schreibgeschützten Domänencontrollern möglich“

Requesting certificates for endpoints managed with Microsoft Intune

In a networked world, it has become standard to work from anywhere, and also to work with mobile end devices such as smartphones or tablets in addition to classic desktop computers. Such end devices are usually connected by means of Mobile Device Management (MDM) managed by systems such as Microsoft Intune.

In most cases, users of mobile devices need digital certificates to prove their identity in order to gain access to corporate resources. Thus, it is necessary to provide these devices with an automatable yet secure interface for applying for these certificates.

Continue reading „Beantragung von Zertifikaten für mit Microsoft Intune verwaltete Endgeräte“

Renewal of a certificate via the Network Device Enrollment Service (NDES) fails with error code CERT_E_UNTRUSTEDCA

Assume the following scenario:

  • A certificate is requested through the Network Device Enrollment Service (NDES).
  • Renewal mode is used here, i.e. the certificate request is signed with an existing certificate.
  • The request for the new certificate fails with the following error message:
A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Erneuerung eines Zertifikats über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlercode CERT_E_UNTRUSTEDCA“

List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known

As computing power becomes increasingly available, the need to use stronger cryptographic keys also increases. Often there is a need (for example, because the keys have to be protected by a trusted platform module) to use elliptic curves (ECC) based keys to be used. For their use, it is essential that compatibility with the intended use cases is ensured.

Below is a list of use cases for which I am aware of compatibility.

Continue reading „Liste der Use Cases der Zertifikate, für welche die Kompatibilität zu auf elliptischen Kurven (ECC) basierenden Schlüsseln bekannt ist“

Configuring the Network Device Enrollment Service (NDES) to work with a domain account.

The Network Device Enrollment Service (NDES), because it implements the web-based Simple Certificate Enrollment Protocol (SCEP), is mapped as a web application in Microsoft Internet Information Service (IIS). Here, the service runs in an application pool called "SCEP". In many cases it is sufficient to use the integrated application pool identity for it.

However, there are cases where you want to use a domain account. An example of this is the Certificate Connector for Microsoft Intune, which requires this.

Continue reading „Den Registrierungsdienst für Netzwerkgeräte (NDES) für den Betrieb mit einem Domänenkonto konfigurieren“

Enabling Basic Authentication for the Network Device Enrollment Service (NDES)

If the Network Device Enrollment Service (NDES) is reinstalled (Preferably without Enterprise Administrator permissions), only the Windows-integrated authentication for the administration web page is activated at first. With this (via NT LAN Manager, NTLM) protocol, authentication via user name and password is also possible. However, not all client applications support this.

Likewise, a company might be willing to, Disable NTLM where possible and enforce Kerberos for login. Enforcing Kerberos removes the ability to log in to the Network Device Registration Service administration page via username and password (since this is done with NTLM credentials). However, Basic Authentication can be retrofitted to provide an option here again.

One way out of this dilemma can be Basic Authentication, the setup of which will be explained below.

Continue reading „Aktivieren der Basic Authentication für den Registrierungsdienst für Netzwerkgeräte (NDES)“

Disabling NTLM and enforcing Kerberos at the Network Device Enrollment Service (NDES) administration web page.

Many companies pursue the strategy of (largely) disabling the NT LAN Manager (NTLM) authentication protocol in their networks.

This is also possible for the administration web page of the network device registration service (NDES). How exactly this is implemented and how this may change the application behavior is explained below.

Continue reading „Deaktivieren von NTLM und erzwingen von Kerberos an der Administrations-Webseite des Registrierungsdienstes für Netzwerkgeräte (NDES)“

Selecting the identity for the IIS Network Device Enrollment Service (NDES) application pool.

If one installs a Network Device Enrollment Service (NDES), one is faced with the question under which identity the IIS application pool should be operated. In the following, the individual options are examined in more detail in order to facilitate a selection.

Continue reading „Auswahl der Identität für den IIS Anwendungspool des Registrierungsdienstes für Netzwerkgeräte (NDES)“

Limits of Microsoft Active Directory Certificate Services

Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.

People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is reference made to what can be done with them. not is possible. In the meantime, the product has also reached its limits in many places.

What these are will be explained in more detail below in order to better decide whether the AD CS can be the right solution for planned projects.

Continue reading „Grenzen der Microsoft Active Directory Certificate Services“

Login to the Network Device Enrollment Service (NDES) administration web page fails with HTTP error code 401 "Unauthorized: Access is denied due to invalid credentials."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the NDES administration web page (certsrv/mscep_admin) is not possible.
  • After several unsuccessful login attempts, the following HTTP error message is returned:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Continue reading „Die Anmeldung an der Administrations-Webseite für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit HTTP Fehlercode 401 „Unauthorized: Access is denied due to invalid credentials.““

Details of the event with ID 86 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:86 (0xC25A0056)
Event log:Application
Event type:Error
Event text (English):SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
Event text (German):Error during initialization of SCEP certificate registration for %1 via %2: %3 Method: %4 Phase: %5 %6
Continue reading „Details zum Ereignis mit ID 86 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Details of the event with ID 87 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:87 (0xC25A0057)
Event log:Application
Event type:Error
Event text (English):SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
Event text (German):SCEP certificate registration error for %1 over %2: %3 Method: %4 Phase: %5 %6
Continue reading „Details zum Ereignis mit ID 87 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Certificate request fails with error message "The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)".

Assume the following scenario:

  • A certificate is requested from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The request fails with the following error message:
An error occurred while enrolling for a certificate.
The certificate request could not be submitted to the certification authority.
Url: CA02.intra.adcslabor.de\ADCS Lab Issuing CA 1
Error: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)““

From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It

In the following, I would like to present a highly dangerous PKI configuration, perhaps not necessarily known to the general public, which can probably be encountered quite frequently in this way in corporate networks.

I show how, by exploiting various unfortunate circumstances in the Windows PKI, it is possible to elevate privileges from mere network access to complete Active Directory takeover.

The initial point of attack in this example is the Network Device Enrollment Service (NDES).

Continue reading „Von Null auf Enterprise Administrator durch den Registrierungsdienst für Netzwerkgeräte (NDES) – und was dagegen getan werden kann“

Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.
Continue reading „Die Installation oder Deinstallation eines Windows-Features schlägt fehl mit Fehlermeldung „The service is configured to not accept any remote shell requests.““
en_USEnglish
de_DEDeutsch en_USEnglish