Change the static password of the Network Device Enrollment Service (NDES)

Assume the following scenario:

An NDES server is configured on the network.
The NDES server is configured to use a static password.
The static password should be changed.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

Solution

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

This is achieved by deleting the EncryptedPassword value below the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword

Afterwards, the NDES service must be restarted by the iisreset command.

Now the NDES administration web page (mscep_admin) must be called once so that a new password is generated.

Of course, the new static password must now be entered in the corresponding applications that use the NDES.

Changing the password regularly

See article "Regular password change when configuring the Network Device Enrollment Service (NDES) with a static password.„.

Change the static password of the Network Device Enrollment Service (NDES).

Solution

Changing the password regularly

Related links: