MSEndpointMgr
Home » Microsoft Endpoint Manager » SSO to domain resources from Azure AD Joined Devices – The MEGA Series – Part 5 – Configure the Network Device Enrollment Service (NDES)

SSO to domain resources from Azure AD Joined Devices – The MEGA Series – Part 5 – Configure the Network Device Enrollment Service (NDES)

  1. SSO to domain resources from Azure AD Joined Devices Overview
  2. Configure Active Directory and Certificates
  3. Configure the VPN Server (RRAS)
  4. Configure the Network Policy Server (NPS)
  5. Configure the Network Device Enrollment Service (NDES)
  6. Install Azure AD Application Proxy to publish the Network Device Enrollment Service (NDES)
  7. Configure Certificate Templates in Intune
  8. Create a Simple Certificate Enrollment Protocol (SCEP) Profile in Intune
  9. Creating the Always On VPN Profile in Intune

A great resource for anything VPN related is Richard Hicks blog which can be found at https://directaccess.richardhicks.com/

Introduction

Welcome to Part 5 of this 9 Part blog series. In Part 4 we looked at the requirements for the Network Policy Server (NPS) for RADIUS Client authorisation, accounting and authentication. In Part 5 we will step through how to configure Network Device Enrollment Service (NDES) in preparation to enrol certificates on behalf of users on Azure AD Joined Devices

Solution Overview

A reminder of the fundamental components we will use to setup a simple, Microsoft VPN solution

Solution Overview

1 . Domain Controller – Microsoft Active Directory Domain Services (AD DS)
The Domain Controller is required to authenticate users and services

2 . Certificate Authority – Microsoft Active Directory Certificate Services (AD CS)
The Certificate Authority is required to issue certificates to users/devices and other VPN components like NDES/NPS and the VPN Server

3 . Microsoft Network Policy Server (NPS)
The Network Policy Server is required to authenticate requests from Radius clients

4 . VPN Gateway – Microsoft Routing and Remote Access Server (RRAS)
The VPN Gateway will terminate VPN connections for client devices

5 . Microsoft Network Device Enrollment Service (NDES)
The Network Device Enrollment Server is required to request certificates on behalf of users

6 . Microsoft Azure AD Application Proxy Connector
The Azure AD Application Proxy is required to publish the NDES Server URL to the internet – securely

Network Device Enrolment Service (NDES)

The NDES server is primarily used to obtain certificates, based on the Simple Certificate Enrollment Protocol (SCEP), from an internal PKI, for users/devices that do not always have domain credentials or line of sight to an issuing CA

More information on configuring NDES can be found here:-

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831498(v=ws.11)

Choosing NDES/SCEP or PKCS

Is there an alternative to using NDES/SCEP?

NDES/SCEP is not the only way we can issue certificates to devices and users. When we use the Intune Certificate Connector later, you will see that we have the choice of either using NDES to publish certificates using SCEP or PKCS

PKCS is much simpler to setup. You simply publish certificates using the Intune Certificate Connector – there is no additional infrastructure. Issuing certificates with SCEP requires the additional overhead of an NDES server – so why are we using this method?

I heard that PKCS is not as secure as using SCEP?

When using PKCS, the certificate private key is generated on the server where the Intune Certificate Connector is installed. In order for the Intune Certificate Connector to be able to export the PFX certificate to the user/device the private key, on the certificate template, must be marked as exportable

Both the Certificate and Private key is then sent to Intune where the client will eventually check-in and pick it up. Some people consider this “insecure” because both the certificate and private key are sent across the internet (even though its over https and that communication is encrypted)

Even though the private key is marked as exportable on the template and sent to Intune along with the issued certificate, it is not marked as exportable once it is installed on the device

Is SCEP more secure then?

That is loaded question. If you think exporting private keys across the internet is a bad idea then the answer is yes…maybe, depends how paranoid you are about that kind of thing but don’t forget the private key is encrypted in transit

When using a SCEP profile, and the device reaches out to the NDES public URL, the Intune Certificate Connector verifies that the request has come from an Intune managed device. It does this by checking a challenge blob (Intune will generate a custom challenge blob that it encrypts and signs the request with) and the CSR. Once the request has been verified, the certificate is issued – there is no private key transfer across the internet

Only the certificate requests from an Intune enrolled device that passes the challenge blob validation are issued a certificate

https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#support-for-ndes-on-the-internet

More information on configuring SCEP can be found here:-

https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#support-for-ndes-on-the-internet

There are strong opinions on using PKCS vs SCEP. PKCS is simpler to implememnt – no question. If you also intened to deploy certificates to devices that have no user affinity, such as kiosk devices or iOS devices during ADE (DEP) enrollment then SCEP needs to be used

Build the Server

I am using Hyper-V in my lab and have built my NDES Server to the following specification:-

  • Windows Server 2019 Datacentre Edition
  • 2 vCPUs
  • 8192MB Memory
  • 60GB Disk1
  • 1 Network Card
  • Domain Joined

Administrators of Virtual Machines often have access to all VM disks (and data in memory). Consideration should be given if this is appropriate for a Tier-0 system as they could potentially get access to some Private Keys stored on the NDES server

Network Adapter Configuration

At a high level, the ethernet adapter configuration should observe the following

  • Static IP Address
  • Subnet Mask
  • Default Gateway
  • DNS Servers configured

1 . Open Server Manager > Local Server and click on the network adapter to open the Network Connections control panel applet

Server Manager

2 . Right click the ethernet adapter and select Properties

Properties

3 . Select Internet Protocol Version 4 (TCP/IPv4) and click Properties

Properties

4 . Enter values for IP address, Subnet mask and DNS Servers and Press OK

IP Configuration

Domain Join

We need to join the NDES Server to the domain

1 . Server Manager > Local Server and click on workgroup name

Server Manager

2 . In System Properties click Change

System Properties

3 . Enter the domain to join and click OK

Enter Domain to Join

4 . Validate the Domain Join request and Accept subsequent prompts

Authenticate Domain Join

5 . Reboot when prompted

Restart the NPS Server

AD Group Membership

Add the NDES server to the AD Group we created in Part 2 called NDES-Servers

Group Membership

Reboot the NDES Server

Install and Configure the NDES Server Role

Create the SPN

Create the SPN for the NDES server using the service account we created in Part 2

setspn -s http/bb-ndes1.byteben.com byteben\ndes_svc_acc
Setspn

Install .Net Framework 3.5

I normally choose to install .Net Framework Core from the command line – it is much more relaible in my experience.

1 . Mount the OS installation Media

2 . Open a Command Line / PowerShell Prompt as Administrator and run:-

Install-WindowsFeature -Name Net-FrameWork-Core -Source "d:\sources\sxs"
Install .Net Framework 3.5

Install NDES and IIS Roles

There are some observations to make before we install the NDES role

  • The NDES server must be Domain Joined and in the same Forest as your Enterprise CA
  • Never install the NDES role on the Enterprise CA
  • Internet Explorer Enhanced Security Configuration should be disabled (requirement for the Microsoft Intune Certificate Connector)
Turn off IE Enhanced Security

Once you have met the prerequisites and built the server, it is time to install the required Roles and Features

1 . Open Server Manager and select Manage > Add Roles and Features

Server Manager

2 . Click Next 3 times and in the Roles selection menu, tick Active Directory Certificate Services

Add Role

3 . On the same selection page, also tick Web Server (IIS) and click Add Features when prompted

4 . Click Next (Ensuring both Active Directory Certificate Services and Web Server (IIS) are ticked)

Add Roles

5 . On the Select Features page, tick .NET Framework 3.5 Features > HTTP Activation and click Add Features when prompted

Add .NET Features

6 . Click Next

Click Next

7 . Click Next

8 . On the Active Directory Certificate Services page, un-tick Certificate Authority

Un-tick Certificate Authority

9 . Still on the Active Directory Certificate Services page, tick Network Device Enrollment Service and click Add Features when prompted

tick Network Device Enrollment Service

10 . Click Next twice

11 . On the Web Server Role (IIS) page, tick the following (if they are not already ticked)

  • Web Server > Security > Request Filtering
  • Web Server > Application Development > ASP.NET 3.5 (Click Add Features when prompted)
  • Web Server > Application Development > ASP.NET 4.7.2 (Click Add Features when prompted)
  • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
  • Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility

12 . Click Install

Click Install

13 . Click Close once installation has completed

14 . Re-open Server Manager and select Manage > Add Roles and Features

Server Manager

15 . Click Next 4 times and in the Roles selection menu and expand .NET Framework 4.7 Features

Expand .NET Framework 4.7 Features

16 . Tick the following:-

  • WCF Services > HTTP Activation
Tick HTTP Activation

17 . Click Next and Install

Click Install

18 . Click Close and Restart the NDES Server

The full list of ROles and Features required for NDES are listed below for your convenience

  • Server Roles:
    • Active Directory Certificate Services
      • Network Device Enrollment Service
    • Web Server (IIS)
      • Security
        • Request Filtering
      • Application Development
        • .NET Extensibility 4.7
        • ASP.NET 4.7
      • Management Tools
        • IIS Management Console
        • IIS 6 Management Compatibility
          • IIS 6 Metabase Compatibility
          • IIS 6 WMI Compatibility
  • Features:
    • .NET Framework 3.5 Features
      • .NET Framework 3.5
      • HTTP Activation
    • .NET Framework 4.7 Features
      • .NET Framework 4.7
      • ASP.NET 4.7
      • WCF Services
        • HTTP Activation

More information on role prerequisites for NDES can be found here:-

https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-prerequisites#scep

Configure NDES

Now that the required Roles and Features are installed, it is time to configure NDES.

As you follow this guide, you should remember that the NDES server is considered a Tier-0 system. You should treat it with the same security and access controls as you would your Enterprise Identity and PKI servers

Advanced PKI Considerations

If you read the Microsoft documentation here you may be tempted to change a policy flag on your CA to support validity periods in Configuration Profiles from Intune

Microsoft Docs

Changing this flag will allow the validity period, for ALL certificates issued by your CA, to be adjusted, to any value, by the requester. This means if your certificate template has a validity period of 1 year, the requester can change that to 3 years (for example). Validity periods for certificates issued by your CA will not be enforced

Policy Flag Changes

More information and insight into hardening NDES can be found in the tech community article here:-

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ndes-security-best-practices/ba-p/2832619

Came looking for iOS SCEP advice in a Windows blog?

If, by chance, you happened upon this post and are looking to configure NDES/SCEP to issue certificates for iOS devices, you should note that Apple have stricter requirements for iOS13+

  • Key size must be greater than or equal to 2048 bits
  • SHA-1 signed certificates are no longer trusted for TLS. Use SHA-2 instead
  • The validity period must be less than 825 days (about 2 years)
  • The DNS name must be specified in the certificate SAN – CommonName is no longer supported

Read more here:-

https://support.apple.com/en-gb/HT210176

Add NDES Service account to IIS_USRS Group

1 . Open a PowerShell window (As Administrator)

2 . Type compmgmt.msc and press Enter

3 . Expand System Tools > Local Users and Groups > Groups

Group Management

4 . Right click IIS_IUSRS and click Add to Group

Add to Group

5 . Enter the NDES service account and click OK

Add Group Member
Configure the NDES Role

To configure the NDES role, you will need the credentials of an account that is a member of the Enterprise Admins group in Active Directory

1 . Open Server Manager, click on the Notifications icon ⚠️ and select Configure Active Directory Services on the destination server

Server Manager

2 . Enter the Enterprise Admin credentials and click Next

Enterprise Admin Credentials

3 . Select the Network Device Enrollment Service role and click Next

Select Role to Configure

4 . In the Specify the service account step, specify the NDES service account

NDES Service Account

and click Next

5 . Click Select, select your Enterprise CA and click OK

Select Enterprise CA

6 . Verify the target CA is correct and click Next

Verify Target CA selection

7 . Verify the RA Name and (optionally) configure additional information. This information will be used to create the signing certificate. Click Next

Verify Signing Certificate information

8 . Verify the CSPs and key lengths that will be used for the signature and encryption keys. Click Next

CSP configuration

9 . Verify the configuration summary and click Configure

Configure NDES

10 . Click Close once configuration has completed

Configure Long URL support

When a HTTP request is made to the NDES server with a URL longer than the maximum allowed by IIS, problems can occur. To avoid this, the maximum URL length should be increased

  1. From Server Manager, click Tools and select Internet Information Services (IIS) Manager
Open IIS Manager

2 . Expand {{NDES Server}} > Sites > Default Web Site and double click Request Filtering

Request Filtering

3 . Click Edit Feature Settings…

Edit Feature Settings

4 . Set Maximum URL Length and Maximum Query String to 65534

Max URL Length Settings

5 . Tick Allow double-escaping and click OK

Allow double-escaping

Sometimes, clients are encounter issues looking up CRL’s. If a plus sign (+) is present in the URI of delta CRLs they must be allowed by IIS. Read more here:-

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379478(v=ws.10)?redirectedfrom=MSDN

The maximum URL length also needs to be configured in the registry

1 . Open the Registry Editor as an Administrator

Open Regedit

2 . Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters and edit/add the REG_DWORD values for MaxRequestBytes and MaxFieldLength to 65534 (Decimal)

Long URL support
Enroll and Assign the NDES Server Certificate

If you previously configure the auto enroll GPO the Web Server certificate we created in Part 2 of this series we set the NDES certificate to autoenroll for any computer in the NDES-Servers AD group

Autoenroll enabled

Remember, for auto update of the NDES Server certificate to work, you will also need to create a GPO to allow auto enrollment of certificates for the NDES Server(s). An example of how to configure auto enrollment can be found below:-

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment

1 . Open the Certificate snap-in on the NDES Server by running certlm.msc

certlm.msc

2 . Navigate to Certificates – Local Computer > Personal > Certificates and verify the NDES certificate is enrolled as expected

Certificate Issued

3 . From Server Manager, click Tools and select Internet Information Services (IIS) Manager

Open IIS Manager

4 . Expand {{NDES Server}} > Sites > Default Web Site and click on Bindings

Bindings

5 . Select the https binding and click Edit


Select https binding

6 . Select the NDES Server certificate and click BOK

Select Certificate

7 . Select the http binding and clickRemove

Remove http binding

8 . Click Close to close the binding configuration page

IIS Default Document

Disabling the Default Document is not a hard requirement for NDES but it is considered good practice

1 . From Server Manager, click Tools and select Internet Information Services (IIS) Manager

Open IIS Manager

2 . Expand {{NDES Server}} > Sites > Default Web Site and double click on Default Document

Default Document

3 . In the Actions pane, click Disable

Disable Default Document
User Rights Assignment

The service account requires the following privileges on the NDES server:-

  • Allow log on locally
  • Log on as a batch job
  • Log on as a service

You can do this via a Domain GPO or edit the security policy locally. As we only have a single NDES server we will config the policies locally

1 . Open gpedit.msc as an Administrator

gpedit.msc

2 . Navigate to Local Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

gpedit.msc

3. In the policy list, double click Allow log on locally

Log on locally

4 . Click Add User or Group and enter the ndes_svc_acc account. Click Check Name to verify the account and click OK

Add Account

5 . Verify the account is listed and click OK

Verify account

6 . Repeat steps 1 through 5 and add the service account to the policies Log on as a batch job and Log on as a service *

User Rights
MSCEP Certificate Selection

We need to specify which template is selected when a certificate request is made. When we configured the VPN User certificate in Part 2 we specified the purpose of the certificate as Signature and Encryption

Part 2 Certificate template configuration

There are 3 different template values we can modify in the registry on the NDES server to determine which template will be chosen for a specific purpose

EncryptionTemplate = Used for Certificates with a purpose of Encryption only
SignatureTemplate = Used for Certificates with a purpose of Signature only
GeneralPurposeTemplate = Used for Certificates with a purpose of both Signature and Encryption

These values can be found in the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

MSCEP Template Options

As our certificate purpose is for both Signature and Encryption purposes, we need to enter the template name value for GeneralPurposeTemplate

The template name for the VPN User Certificate that we created in Part 2 is VPNUserAuthentication

1 . Open the Registry Editor as an Administrator

Open Regedit

2 . Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

Regedit

3 . Modify GeneralPurposeTemplate and enter VPNUserAuthentication

MSCEP template selection

4 . Reboot the NDES Server

Verify NDES Configuration

Open a browser on the NDES server and browse to the following address:-

https://{{NDES Server FQDN}}/certsrv/mscep/mscep.dll

Verify the NDES Service

Microsoft Intune Certificate Connector

Now that NDES is configured, we can install the Microsoft Intune Connector on the NDES server to secure communication with the MSCEP endpoint

Prerequisites

Some of the prerequisites have already been installed on the NDES server as part of the NDES role configuration. A summary of the requirements are below:-

  • Port 443 Outbound to the Endpoint autoupdate.msappproxy.net
  • Access to the following Network Endpoints
    https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints
  • .NET Framework 4.7.2
  • IE Enhanced Security mode must be disabled
  • An account with Global or Intune Administrator privileges (only required to setup the initial connection not permanently)
  • An account with an Intune Licence

Installation

1 . From the NDES Server, open a modern browser and navigate to https://endpoint.microsoft.com

2 . When prompted, sign in with either Global Administrator or Intune Administrator credentials

Sign in

3 . Navigate to Tenant administration > Connectors and tokens

Connectors and Tokens

4 . Select Certificate connectors and click Add

Add Certificate Connector

5 . Click the link to download the certificate connector to the NDES server

Click link
Connector downloaded

6 . Open the downloaded file. Tick I agree to the license terms and conditions and click Install

Click install

7 . Click Close

Click close

Configuration

1 . Open Windows Explorer and navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI and right click PFXCertificateConnectorUI.exe and select Run As Administrator

PFXConnectorUI.exe
Run As Administrator

2 . Click Next at the Welcome screen

Click Next

3 . Tick both SCEP and Certificate revocation and click Next


Select Features

4 . Select Domain account, enter the credentials for the NDES Service account that we created in Part 2 of the blog series and click Next

NDES Service Account created in Part 2

NDES Service Account credentials

IMPORTANT Credentials are not validated at this stage. If you enter incorrect credentials or password combination you may see an error like this later during the wizard

Incorrect Password Entered?

This service account is used for certificate issuance and revocation

5 . If outbound connections from the NDES server require the use of a Proxy Server, enter that information here and click Next. Otherwise just click Next

Proxy information

6 . Assuming you have followed this whole guide, the prerequisites should all have been configured. Click Next

Prerequisite check

7 . Select the appropriate Azure environment for your organisation and click Sign In

Azure Environment selection
Sign In

If you see the message below. Turn IE Enhanced Security Configuration On and then back Off again in Server Manager

IE Enhanced Security Configuration not disabled

8 . Enter your Global Administrator or Intune Administrator credentials and click Next. Remember, this account also needs to be assigned an Intune License

Sign In
Sign In Successful

9 . Once configuration has completed, click Exit

Exit

10 . Open services.msc and verify the Certificate Connector service is running with the correct NDES Service account

services.msc

11 . Verify you can see the Certificate Connector has registered correct in the Microsoft Endpoint Manager admin center. Navigate to Tenant Administration > Connectors and Tokens > Certificate connectors

https://endpoint.microsoft.com

Certificate Revocation Permissions and Restrictions

At the time of writing this blog, the Microsoft Intune Certificate Connector does not support gMSA’s still which is why we had to use a Domain Account to run the connector service. The same domain account requires the necessary permissions to revoke certificates issued by NDES. We need to configure those permissions on the Enterprise CA

It is wise to restrict the NDES Service Account from issuing and revoking ALL certificates from ALL templates on the CA. We will add these restrictions in the following steps

1 . On the server hosting ADCS, open the Certificate Authority console certsrv

certsrv.msc

2 . Right click the CA and click Properties

CA Properties

3 . Click the Security tab

Security

4 . Click Add

Add

5 . Search for the NDES Service Account, click Check Names and click OK

Add NDES Service Account

6 . Untick Request Certificates, tick Issue and Manage Certificates and click Apply

Issue and Manage Certificates

7 . Select the Certificate Managers tab and then select Restrict certificate managers

Restrict Certificate Managers

8 . Select the NDES Service Account and in the Certificate Templates pane, click Add

Select NDES Service Account

9 . Select the VPN User Authentication Certificate we created in Part 2 and click OK

Select VPN User certificate

10 . In the Certificate Templates pane, select All, click Remove and click OK

Remove the “All” permission

Verify MSCEP Hardening

Open a browser on the NDES server and browse to the following address:-

https://{{NDES Server FQDN}}/certsrv/mscep/mscep.dll

Before we installed the Microsoft Intune Connector, we saw the page below

MSCEP not Secured

After installing the Microsoft Intune Certificate Connector, we should see a 403 page when we try to browse to the same URL. This means configuration was succesful!

MSCEP Secured

Summary

This was by far the longest part in the MEGA series so far. We looked at how to install, configure and verify an NDES installation. After NDES had been configured we installed the Microsoft Intune Certificate Connector to harden MSCEP to accept requests from Intune clients only

In Part 6 we will look at how to install and configure the Azure AD Application Proxy to publish our MSCEP Server URL to the internet

(6155)

Ben Whitmore

Microsoft MVP - Enterprise Mobility, Microsoft Certified Trainer and Microsoft 365 Certified: Enterprise Administrator Expert. Community driven and passionate Senior Cloud Consultant at CloudWay with 20 years experience in driving adoption and technology change within the Enterprise.

Add comment

Sponsors

Subscribe

Do you want to be notified of new posts on our site?

Please enter your email address below:

Categories

MSEndpointMgr.com use cookies to ensure that we give you the best experience on our website.