This part of the blog series will go into details about the required certificate templates and other prerequisites in terms of user and group configuration required.
Blog series overview
- Certificate deployment for mobile devices using Microsoft Intune – Part 1 – Overview
- Certificate deployment for mobile devices using Microsoft Intune – Part 2 – Certificate templates
- Certificate deployment for mobile devices using Microsoft Intune – Part 3 – Install NDES
- Certificate deployment for mobile devices using Microsoft Intune – Part 4 – Install Intune Certificate Connector
- Certificate deployment for mobile devices using Microsoft Intune – Part 5 – Deploy SCEP Certificate profile
Prerequisites
Before we get started with creating any certificate templates, we need to perform a few different tasks. We need to:
- Create an Active Directory service account that the NDES service will run as
- Create an Active Directory group named e.g. NDES Servers (optional, but recommended)
NDES service account
The service account is fundamentally important, since the NDES service will run under that identity. Create a new user in your Active Directory and name it e.g. SVC_NDES_Intune, or better yet, follow your internal naming convention. This service account does not require any delegated permissions at this point. Make sure the user has the default user rights: Log on locally, Log on as a service and Log on as a batch job. In some organizations, hardened policies may remove those rights.
NDES Server group
Create a new group named e.g. NDES Servers and add the member server that will have the NDES server role and the Intune Certificate Connector installed. Remember to restart the member server after adding it to this group so that the new group membership takes effect. Along with this group, we also need the NDES service account described above. The group will be given permissions on the certificate templates so that the NDES member server has certificate enrollment permissions. The group is not a requirement, I should point out. But if you’re going to deploy NDES in a high-availability setup, it’s easier to simply add a new server to the group than to edit permissions on a certificate template.
Certificate templates overview
Distributing certificates from an internal PKI requires certificate templates to be made available for identities to enroll. It’s not an absolute requirement that you follow the certificate template configuration outlined in this blog post; in fact I’d recommend that you follow your internal organization policies on certificate template management. However, I must point out that it’s important to configure the certificate templates in line with what’s presented in this part of the series, otherwise it could lead to issues in the next parts of the series that are hard to troubleshoot.
As for the validity period on certificate templates, iOS and macOS will always use what’s configured in the certificate template. However, it’s possible to configure your Certificate Authority to honor the validity period specified within the certificate request. Microsoft Intune supports specifying this when creating the SCEP certificate profile.
On your Certificate Authority, run the following command in the given sequence to enable this capability:
- certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
- net stop certsvc
- net start certsvc
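An added PowerShell check, not from the original post, that reads Policy\EditFlags back with certutil -getreg and tests the EDITF_ATTRIBUTEENDDATE bit (0x20000), so you can confirm the setting took effect after the service restart. It assumes it runs on the CA as a local administrator.

```powershell
# Added example, not from the original post: confirm the CA honours a validity period
# supplied in the request. Run on the CA as a local administrator.
$EDITF_ATTRIBUTEENDDATE = 0x20000   # EditFlags bit set by the certutil command above

function Test-CaAttributeEndDate {
    # certutil prints a line such as "  EditFlags REG_DWORD = 11014e (1114446)"
    # followed by one line per flag that is set; parse the numeric value rather
    # than the flag-name lines.
    $out = certutil -getreg Policy\EditFlags 2>&1 | Out-String
    if ($out -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        $flags = [Convert]::ToInt64($Matches[1], 16)
    } else {
        throw "Could not read Policy\EditFlags from certutil output:`n$out"
    }
    [pscustomobject]@{
        EditFlags           = ('0x{0:x}' -f $flags)
        AttributeEndDateSet = [bool]($flags -band $EDITF_ATTRIBUTEENDDATE)
    }
}

$state = Test-CaAttributeEndDate
if (-not $state.AttributeEndDateSet) {
    Write-Warning 'EDITF_ATTRIBUTEENDDATE is not set; run the three commands above and check again.'
}
$state
```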
NDES Server certificate template
This certificate template serves two purposes. It’ll be used for issuing an SSL certificate for binding in IIS to enable HTTPS on the NDES server. Secondly, we require another certificate for the Intune Certificate Connector setup. More about the two certificates will be covered in the next part of this series. Below you’ll find the required configuration of this certificate template.
- In the Certificate Authority management console, right-click on Certificate Templates and select Manage.
- Right-click and duplicate the Web Server certificate template in the Certificate Templates console that just opened.
- Name the certificate template NDES Server.
- For the Compatibility tab, ensure the following configuration is made:
- On the Request Handling tab, ensure that the Allow private key to be exported setting is not selected.
- For Cryptography ensure the minimum key size is set to 2048.
- Ensure that the Subject Name is supplied within the request.
- Add the Client Authentication application policy as shown below. This additional application policy is required for the certificate that’ll be used when setting up the Intune Certificate Connector later in this blog series.
- On the Security tab, remove Enroll permissions for Domain Admins and Enterprise Admins. Also remove any other unnecessary identity that should not be able to enroll a certificate from this template. Add the group created earlier in this post containing the NDES member server and give it Read and Enroll permissions.
You should now have the first required certificate template configured properly. Continue with the other certificate template as outlined below.
NDES Intune certificate template
Apart from the previously created certificate template, this one will be used when the NDES service account is requesting certificates on behalf of mobile devices. This certificate template is basically the blueprint of how a certificate deployed to a mobile device will end up.
- In the Certificate Authority management console, right-click on Certificate Templates and select Manage.
- Right-click and duplicate the User certificate template in the Certificate Templates console that just opened.
- Name the certificate template e.g. NDES Intune. Make a note of the Template name (not the template display name), as we’ll be using this in the next part of this series.
- As for the Compatibility tab, ensure the following configuration.
- Ensure the following configuration is made on the Request Handling tab.
- Ensure the following configuration is made on the Cryptography tab.
- As for Extensions, ensure the following three application policies are present.
- Still on the Extensions tab, ensure that the following configuration is made. Click Edit and make sure that Signature is proof of origin (nonrepudiation) is not selected. This is required for iOS devices.
- Select Supply in the request as the option on the Subject Name tab.
- On the Security tab, remove Enroll permissions for Domain Admins and Enterprise Admins. Also remove any other unnecessary identity that should not be able to enroll a certificate from this template. Add the NDES service account created earlier in this post.
That covers the final certificate template configuration required. Double-check that you’ve configured them accordingly; I can’t stress enough how important this is, as mistakes here may lead to issues deploying certificates to your mobile devices.
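As an added example (not from the original post), a PowerShell audit of the two templates against the settings described above: required application policies, 2048-bit minimum key size, Subject Name supplied in the request, no nonrepudiation key usage, and Enroll granted only to the intended principals, which matters most on a template that lets the enrollee supply the subject and carries Client Authentication. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and the placeholder template and account names NDESServer, NDESIntune, CONTOSO\NDES Servers and CONTOSO\SVC_NDES_Intune.

```powershell
# Added example, not from the original post: audit the NDES Server / NDES Intune templates.
# Assumes the RSAT ActiveDirectory module; template and account names are placeholders.
Import-Module ActiveDirectory

$EnrollRightGuid = [guid]'0e10c968-78fb-11d1-b09a-00c04fc2f6a2'  # Certificate-Enrollment extended right
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # "Supply in the request" on the Subject Name tab
$KU_NONREPUDIATION = 0x40                  # bit in the first byte of pKIKeyUsage

function Test-NdesTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,       # template *name*, not display name
        [Parameter(Mandatory)][string[]]$AllowedEnrollers,  # e.g. 'CONTOSO\NDES Servers'
        [string[]]$RequiredEku = @($ClientAuthOid)
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $t  = Get-ADObject -Identity $dn -Properties pKIExtendedKeyUsage, pKIKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Minimal-Key-Size'

    $findings = @()
    foreach ($oid in $RequiredEku) {
        if ($t.pKIExtendedKeyUsage -notcontains $oid) { $findings += "missing application policy $oid" }
    }
    if ($t.'msPKI-Minimal-Key-Size' -lt 2048) { $findings += "minimum key size is $($t.'msPKI-Minimal-Key-Size'), expected 2048" }
    if (-not ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) { $findings += 'Subject Name is not "Supply in the request"' }
    if ($t.pKIKeyUsage -and ($t.pKIKeyUsage[0] -band $KU_NONREPUDIATION)) { $findings += 'nonrepudiation key usage is set (breaks iOS enrollment)' }

    # Enroll is the Certificate-Enrollment extended right; Full Control (GenericAll) or an
    # ExtendedRight ACE with no object type grants it implicitly, so treat those the same way.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsEnroll = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
             ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty))
        if ($grantsEnroll -and $AllowedEnrollers -notcontains $ace.IdentityReference.Value) {
            $findings += "unexpected Enroll permission for $($ace.IdentityReference.Value)"
        }
    }
    [pscustomobject]@{ Template = $TemplateName; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# NDES Server: Web Server duplicate plus Client Authentication, enrollable only by the server group.
Test-NdesTemplate -TemplateName 'NDESServer' -AllowedEnrollers 'CONTOSO\NDES Servers' -RequiredEku $ServerAuthOid, $ClientAuthOid
# NDES Intune: enrollable only by the NDES service account.
Test-NdesTemplate -TemplateName 'NDESIntune' -AllowedEnrollers 'CONTOSO\SVC_NDES_Intune'
```

Findings list every principal that can enroll but is not in AllowedEnrollers; a principal with Write or WriteDacl on the template could grant Enroll back to itself, so review those permissions in the Security tab as well.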
Issue certificate templates
As the final section of this part in the series, we need to publish the two newly created certificate templates so they’re available and can be used to issue certificates.
- In the Certificate Authority management console, right-click on Certificate Templates, select New and then Certificate Template to Issue.
- Publish both the NDES Intune and NDES Server certificate templates.
In the next part of this series, we will issue two different certificates based on the NDES Server certificate template, set up Azure AD Application Proxy and install NDES.
Hi Nickolaj!
Thanks for writing this series of posts! I’m trying to use a gMSA to run the NDES service, but it looks like the SCEP requests never make it to the CA. I’m getting this error on Windows 10:
SCEP Certificate enrollment for CONTOSO\dan via https://ndes.contoso.com/certsrv/mscep/mscep.dll/pkiclient.exe failed:
PkiStatus(2): SCEPDispositionFailure
FailInfo(1): SCEPFailBadMessageCheck
EnrollStatus(256): EnrollDenied
The client certificate credentials were not recognized. 0x2f9a (WinHttp: 12186 ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY)
ProcessResponseMessage
Submit(Request): OK
HTTP/1.1 200 OK
Date: Thu, 30 May 2019 07:10:14 GMT
Content-Length: 731
Content-Type: application/x-pki-message
Server: Microsoft-IIS/10.0 Microsoft-HTTPAPI/2.0
Do you have any troubleshooting recommendations of where to start? Should I remove the gMSA and see if the configuration works with a normal user account or do you have any other thoughts of where to start?
Thanks,
Dan
Hi Nickolaj
Thanks for a great blog post!
One thought, in the section on creating the NDES Intune Certificate template you write:
“On the Security tab, remove Enroll permissions for Domain Admins and Enterprise Admins. Also remove any other unnecessary identity that should not be able to enroll a certificate from this template. Add the NDES service account created earlier in this post.”
Shouldn’t that also be the NDES server group as in the NDES server certificate template?
Hi Jonas,
If I understand your question right, no. The NDES Intune certificate template only requires the NDES service account to have enrollment permissions, as this template is used for enrolling certificates to the mobile devices via NDES and essentially by the service account.
Regards,
Nickolaj