Configuring the Network Device Enrollment Service (NDES) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate NDES with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Restrictions on the use of a gMSA

However, there are some limitations to using a Group Managed Service Account with NDES:

Implementation

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

Requirements for the NDES Service Account

The NDES service account...

  • must be a member of the IIS_IUSRS local group.
  • requires read permissions to the private keys of the Registration Authority (RA) certificates.
  • requires the right to request certificates from the configured certificate authority.
  • requires enroll permissions on the certificate template used for the device certificates.
  • requires a service principal name (SPN) if an alias is to be used for the connection to the administration web page.

Creating the gMSA for the Network Device Enrollment Service

The gMSA for NDES can be created with the following PowerShell command, provided that a KDS root key has already been created in the Active Directory forest:

New-ADServiceAccount -Name gMSA_NDES -PrincipalsAllowedToRetrieveManagedPassword NDES01$ -DNSHostName gMSA_NDES.intra.adcslabor.de

The given arguments mean the following:

  • The Name argument specifies the name of the gMSA.
  • The PrincipalsAllowedToRetrieveManagedPassword argument specifies the server (computer account) that is allowed to retrieve the service account password.
  • The DNSHostName argument specifies the contents of the account's dNSHostName attribute, since a gMSA technically functions like a computer account.

Installing the gMSA on the NDES Server

First, the Active Directory management tools for PowerShell must be installed on the NDES server.

Add-WindowsFeature RSAT-AD-PowerShell

After that, the service account can be installed on the server with the following PowerShell command.

Install-ADServiceAccount gMSA_NDES

The command returns nothing if it was successful.

You can check whether this is really the case with the following command.

Test-ADServiceAccount gMSA_NDES

This command returns True when the gMSA has been successfully installed.

Add gMSA to the IIS_IUSRS group on the NDES server.

The configured gMSA must now be added to the local security group IIS_IUSRS so that it can be used by NDES. This can be done via the management console for local users (lusrmgr.msc).

Configuring the gMSA in the SCEP application pool

In order for the NDES service to work with the installed gMSA, it must be configured in the SCEP application pool in the Internet Information Server (IIS) management console. This is done by right-clicking on the SCEP application pool and selecting the "Advanced Settings..." option.

For the "Identity" option, click on the "..." button on the right side.

In the following dialog, select "Custom account" and click on "Set...".

When specifying the identity in the following dialog, some special features have to be considered:

  • It is mandatory to specify the domain name.
  • Since a gMSA works similarly to a computer account, a dollar sign must be appended to the end of the account name.
  • With a gMSA, no password is specified, so the two fields must remain empty.

Other special features

If the NDES service was previously configured with a static password, the permissions in the registry must still be adjusted for the gMSA. How this is done is described in this article.

Restart of the NDES service

The NDES service is then restarted with the iisreset command.
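The steps above combined into one PowerShell run, added here as an example that is not part of the original article. It uses the article's names (gMSA_NDES, NDES01, intra.adcslabor.de, the SCEP application pool) and assumes the NetBIOS domain name INTRA; the local group and application pool steps use the LocalAccounts and WebAdministration cmdlets in place of the lusrmgr.msc and IIS Manager dialogs described above.

```powershell
# Added example, not from the original article. Names follow the article;
# the NetBIOS domain name 'INTRA' is an assumption. Run elevated on the NDES server.
#Requires -RunAsAdministrator

$Domain      = 'INTRA'                          # assumed NetBIOS domain name
$GmsaName    = 'gMSA_NDES'
$NdesHost    = 'NDES01'
$DnsHostName = 'gMSA_NDES.intra.adcslabor.de'
$AppPool     = 'SCEP'
$GmsaLogon   = "$Domain\$GmsaName`$"            # gMSA needs the trailing '$'

# Active Directory management tools for PowerShell on the NDES server.
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory

# Prerequisite from the article: a KDS root key must exist in the forest.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; create one (Add-KdsRootKey) before creating a gMSA.'
}

# Create the gMSA; only the NDES server's computer account may retrieve its password.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName $DnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword "$NdesHost`$"

# Install the gMSA locally and verify it (Test-ADServiceAccount returns True on success).
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "gMSA $GmsaName could not be installed on this host."
}

# Local group membership required by NDES (equivalent to the lusrmgr.msc step).
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $GmsaLogon

# SCEP application pool identity: domain prefix, trailing '$', empty password.
# identityType 3 = SpecificUser; IIS retrieves the managed password itself.
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 3
    userName     = $GmsaLogon
    password     = ''
}

# Read the identity back before restarting IIS.
(Get-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel).userName

iisreset
```

Creating the gMSA requires permission to create objects in the Managed Service Accounts container; the remaining steps need local administrator rights on the NDES server.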
