In the previous part of this series we created the required certificate templates and some prerequisite configuration in terms of the NDES service account and a group for the NDES server to be a member of. In this part it’s time to get our hands dirty and install NDES on a domain member server.
Blog series overview
- Certificate deployment for mobile devices using Microsoft Intune – Part 1 – Overview
- Certificate deployment for mobile devices using Microsoft Intune – Part 2 – Certificate templates
- Certificate deployment for mobile devices using Microsoft Intune – Part 3 – Install NDES
- Certificate deployment for mobile devices using Microsoft Intune – Part 4 – Install Intune Certificate Connector
- Certificate deployment for mobile devices using Microsoft Intune – Part 5 – Deploy SCEP Certificate profile
External and internal name resolution
Like described in the overview post of this series, we’re going to leverage Azure AD Application Proxy as a reverse proxy for publishing the NDES URL externally. Generally I recommend to create a CNAME for internal name resolution for services like this for the simple reason that it’d make management easier over time whenever there’d be any kind of need to re-point the internal name used for the Azure AD Application Proxy app. So I strongly suggest that you create a CNAME record e.g. ndes.domain.local in your internal DNS infrastructure pointing to the FQDN of the soon to be NDES server, e.g. NDES01.domain.local.
What Azure AD Application Proxy will do for us is to proxy any request coming to an external URL, e.g. ndes-tenantname.msappproxy.net to an internal URL, e.g. ndes.domain.local. When mobile devices retrieve a SCEP Certificate profile that contains the external URL for the NDES and this needs to be reversed into the internal URL.
At this point you may be thinking, why are we publishing the NDES URL now? The answer is pretty simple. We require to know about the exact external URL when we install NDES later on in this part of the series using the provided PowerShell script. The script will perform a validation check against one of the enrolled certificates available locally in the computer account certificate store (don’t worry, we’ll cover how to enroll these certificates a bit down).
Azure AD Application proxy configuration
Azure AD Application Proxy is a Azure AD Premium licensing feature and provides an alternative to having to maintain a virtual private network or demilitarized zone on-premises to enable remote end-user access to web applications. In this part of the series, we’re not going to cover the installation of the Azure AD Application Proxy agent. You simply just download it from the Azure portal and run the setup wizard and it will automatically connect to your tenant after you’ve successfully signed in during the wizard.
- Sign in to the Azure portal (portal.azure.com).
- Locate the Azure Active Directory blade and click on Application proxy.
- On the top menu, click Configure an app.
- Name the app something like Intune NDES for instance. Notice that the name of the app is automatically populated as a suggestion for part of the external URL. Enter the internal CNAME of the NDES server that you created earlier. You could also enter the FQDN of the NDES server instead. Some of the information in the picture below has been redacted to protect my tenant name, you should instead se your own tenant name in those places.
- Change the Pre Authentication to Passthrough and remember to specify a Connector Group. If you’ve not created any custom connector groups, select Default. Finally click on the Add button in the top menu.
- Verify that you see the following popup in the top right corner, that validates that the app has been successfully created.
You now have Azure AD Application Proxy configured and once NDES is installed later, you should be able to verify the externally published NDES URL by visiting for instance:
- https://intunendes-tenantname.msappproxy.net/certsrv/mscep/mscep.dll
NOTE – Replace intunendes with the name that you chose and tenantname with your own tenant name in the above URL when verifying access to the NDES URL
Certificate details for NDES server
Before we go ahead and install the NDES server role on the domain member server, let’s talk more about the two certificates mentioned earlier in this part of the series. As you have probably noticed, we configure the Azure AD Application Proxy app with an internal HTTPS URL. In order for that to work, we need to enroll a certificate used for HTTPS binding in IIS. Below are the two different certificates that needs to be enrolled on the NDES server.
NDES SSL Certificate
- Friendly Name: NDES SSL Certificate
- Extended Key Usage: Server Authentication
- Subject Name:
- Common name – External FQDN of NDES server (e.g. intunendes-tenantname.msappproxy.net)
- Subject Alternative Name:
- DNS – External FQDN of NDES server (e.g. intunendes-tenantname.msappproxy.net)
- DNS – Internal FQDN of NDES server (e.g. ndes01.domain.local)
NDES Client Certificate
- Friendly Name: NDES Client Certificate
- Extended Key Usage: Client Authentication
- Subject Name:
- Common name – Internal FQDN of NDES server (e.g. ndes01.domain.local)
- Subject Alternative Name:
- DNS – External FQDN of NDES server (e.g. intunendes-tenantname.msappproxy.net)
- This is only required when deploying certificates for Android mobile devices
- DNS – Internal FQDN of NDES server (e.g. ndes01.domain.local)
- DNS – External FQDN of NDES server (e.g. intunendes-tenantname.msappproxy.net)
Issue certificates for NDES server
Enough talking about the certificate details, let’s get them enrolled on the NDES server.
Issue NDES SSL Certificate
- Open a mmc.exe console and add the Certificates add-in for the local computer.
- Expand the Certificates node and the Personal certificate store.
- Rigtht-click on Certificates and select All Tasks > Request New Certificate.
- Click Next and Next again in the wizard that appears.
- Select the NDES Server certificate template and click the More information is required link.
- Skip ahead to the General tab and give the certificate a friendly name, e.g. NDES SSL Certificate.
- Go back to the Subject tab and select Common name in the Subject name drop down menu. In the Value field, type in the external FQDN of the NDES server. This would be the intunendes-tenantname.msappproxy.net example used in this post. Click Add. In the Alternative name section, select DNS as the type and add the external FQDN of the NDES server including the internal FQDN of the NDES server.
- Click OK.
- Click Enroll.
- Click Finish once the certificate has been enrolled.
Issue NDES Client Certificate
- Open a mmc.exe console and add the Certificates add-in for the local computer.
- Expand the Certificates node and the Personal certificate store.
- Rigtht-click on Certificates and select All Tasks > Request New Certificate.
- Click Next and Next again in the wizard that appears.
- Select the NDES Server certificate template and click the More information is required link.
- Skip ahead to the General tab and give the certificate a friendly name, e.g. NDES Client Certificate.
- Go back to the Subject tab and select Common name in the Subject name drop down menu. In the Value field, type in the internal FQDN of the NDES server. This would be the NDES01.domain.local example used in this post. Click Add. In the Alternative name section, select DNS as the type and add the external FQDN of the NDES server including the internal FQDN of the NDES server.
- Click OK.
- Click Enroll.
- Click Finish.
Install and configure NDES server role
At this stage the NDES domain member server has been prepared and is ready to have the NDES server role installed. In my previous post regarding this topic I showed how to manually make all the required changes prior to installing the NDES server role and the required post installation tasks. Instead of doing that all over, and in order to speed things up and have it all documented at the same time, I’ve created a PowerShell script that takes care of it all. You can download the script from our GitHub repo at the following URL:
https://github.com/MSEndpointMgr/Intune/blob/master/Certificates/Install-MSIntuneNDESServer.ps1
Prior to running this script, you need to be able to provide an Enterprise Admin credential and you also need to be a local administrator on the NDES server. Additionally, you also need to be able to input the NDES service account credentials.
Running the script is fairly simple, you only have to provide the following input parameters:
- CertificateAuthorityName
- This needs to be a combination of the <Certificate Authority FQDN>\<Certificate Authority name>
- Example input: CA01.domain.local\DOMAIN-CA01-CA
- NDESTemplateName
- This would be the template name (not display name) created earlier in part two of this series
- Example input: NDESIntune
- NDESExternalFQDN
- This would be the URL published externally using Azure AD Application Proxy
- Example input: intunendes-tenantname.msappproxy.net
- RegistrationAuthorityName
- This would be the name of the Registration Authority
- Example input: Name
- RegistrationAuthorityCompany
- This would be the company name of the Registration Authority
- Example input: CompanyName
- RegistrationAuthorityDepartment
- This would be the department of the Registration Authority
- Example input: Department
- RegistrationAuthorityCity
- This would be the city of the Registration Authority
- Example input: City
I’d also suggest that you pass the Verbose parameter to get the output shown in the picture below. Here’s an example of how to use the script:
.\Install-MSIntuneNDESServer.ps1 -CertificateAuthorityConfig "CA01.domain.local\DOMAIN-CA01-CA" -NDESTemplateName "NDESIntune" -NDESExternalFQDN "intunendes-tenantname.msappproxy.net" -RegistrationAuthorityName "Name" -RegistrationAuthorityCompany "CompanyName" -RegistrationAuthorityDepartment "Department" -RegistrationAuthorityCity "City" -Verbose
Right after the script has executed it will prompt for the Enterprise Admin credential followed with a prompt for the NDES service account credentials.
Once the installation has completed, it’s important that you restart the server. Once the server has restarted, verify that you can access the following URLs:
- https://NDES01.domain.local/certsrv/mscep/mscep.dll
- https://intunendes-tenantname.msappproxy.net/certsrv/mscep/mscep.dll
At this point it’s expected that you’re able to browse the mentioned URL’s above. Later when the Intune Certificate Connector will be installed it will take care of securing the URL’s rendering them giving you an expected 403 error message.
With NDES now operating, be sure to bookmark the following post, as you’ll most likely need it in the future. NDES requires two service certificates that needs to be renewed. Read more about that in the following post and how to renew them:
In the next part of this blog series we’ll go over the steps of installing the Intune Certificate Connector and make sure it connects with Microsoft Intune.
Hello,
We followed your guide to the letter on a 2016 and 2019 server but we keep running into the problem that the SCEP application pool keeps crashing for no real reason. We already ruled out a mistake in the templates or wrong CA certs in the intermediate.
We can see the Cert requests arrive but IIS dies everytime we see this in the NDES log:
NDES COnnector:
Sending request to certificate registration point. NDESPlugin 18-4-2019 17:04:05 3036 (0x0BDC)
Event viewer just shows us that w3wp.exe has crashed and that the faulty module is ntdll.dll.
We’ve been banging our heads against this problem for a week now so we hope you have any idea where to look.
Regards,
Herman
Nick, your stuff is amazing as always! .NET 3.5 appears to be required, so may be worth mentioning somewhere since some installations will need to specify an alternate path for that.
Using your script, I was failing on “Attempting to install Windows feature: Web-Asp-Net” and it wasn’t until I manually added 3.5–specifying the alternate path to the Server installation media–that I could continue.
Appreciate you sharing your findings Matt.
Regards,
Nickolaj
Internalurl in the app proxy config should be https and not http.
Yes, you’re correct.
Regards,
Nickolaj
Does this work for Android for Work or Android Enterprise devices? I can’t find the certificate issued to the end mobile devices even – iOS?
Yes it works for all platforms you mention.
Regards,
Nickolaj
Hey Nickolay,
there are two mistakes in your two pictures showing the configuration of the AAP. In the internal URL field you have to write https instead of http, because of the later binding / requiring of SSL. Your other older posts showing this also with https configured.
Best regards and nice work!,
Philipp
I’ve wasted way too much time troubleshooting this before I checked the IIS log files and they showed port 80. After changing AAD Proxy to HTTPS everything works.
Great guide though!
It appears that the script is expecting to find only 1 client authentication certificate with the specified subject. Could you modify it to handle cases where there are multiple certificates with the same subject?
Hello – Is there a mistake with the steps regarding the client and server certificates? At first you emphasized the points of each type which in turn have different Extended Key Usages. Are you stating to use the same template that contains both types?
Hi Carlos,
Could you please reference the pieces that you’re talking about?
Regards,
Nickolaj
Awesome step by step guide, many thanks. As per usual the MS TechNet lacks a lot of steps and inside information. Regarding the two certs, can they also be 3rd party and trusted certs (wildcard) ?