S03E14 - Configuring NDES for SCEP Certificate Deployment (I.T)
- Published 7 Aug 2024
- Certificates! Nobody likes them, but they are more important than you'll ever want to admit. In this series of videos, the gang will dive deep into ways to deploy certificates via Intune.
In this episode, we look at the wonderful world of NDES and SCEP certificate deployment.
00:00 - Intro
02:57 - Environment setup
05:57 - Certificate templates
07:06 - User certificate template
docs.microsoft.com/mem/intune...
15:19 - Web server certificate template
18:12 - Publish certificate templates
19:00 - Certificate revocation permissions
docs.microsoft.com/mem/intune...
22:26 - Add NDES service account as a member of the local IIS_IUSR group
23:36 - Viewing published certificate templates
26:26 - Setting up NDES
33:10 - Service principal name
39:25 - Request server certificate and bind to IIS
docs.microsoft.com/mem/intune...
50:27 - Install Azure AD App Proxy
59:12 - Install Intune Certificate Connector
1:11:04 - Wrap up
Visit our websites and social media for more or to get in touch with us
Steve Hosking - Microsoft MMD Team
/ onpremcloudguy
steven.hosking.com.au/
mvp.microsoft.com/en-us/Publi...
github.com/onpremcloudguy
Adam Gross - Microsoft MVP - Enterprise Mobility
/ adamgrosstx
www.asquaredozen.com
github.com/AdamGrossTX
mvp.microsoft.com/en-us/Publi...
Ben Reader - Microsoft MVP - Enterprise Mobility
/ powers_hell
www.powers-hell.com/
github.com/tabs-not-spaces
mvp.microsoft.com/en-us/Publi...
Jake Shackelford - Desktop Engineer
/ shackelfjaco
sysmansquad.com/author/jshack...
/ jacob-shackelford-a5bb...
Hahaha, did I hear Ben say at the end "This is so difficult a process because there are so many SCEPs (not steps) involved"? Probably not, it was just my brain that translated it badly :) Great video again!
I didn't but now that you say it, I kind of wish I had :)
- Ben
Certificates for MCSE were a minor topic giving maybe two questions on your exam, none if you were lucky.
Biting the bullet and diving in there is really the only option to getting it right. And yes, no Intune without a decent PKI.
Thanks for this breakdown. Seeing that the 403 was by design saved my sanity :-)
Cheers
Great video and awesome energy as always, guys.
Thanks for making these videos!
Thank you very much! It would be great to have a video about HA / multiple NDES servers and of course multiple Intune and App Proxies.
Really brilliant. Thank you,
Wow! Where were you guys 3 years ago! Anyway, thanks a lot!
Doing this in production 😁
- Ben
Thank you so much for this!!!
Great content guys, thanks, I will have to review it a couple of times more, at least ;)
Regarding the 'Service account' selection in the Certificate Connector wizard: the caption states 'The connector also uses this account to communicate with a MS Certification Authority' (I presume mostly for revocation).
For me that would typically imply using a service account (with appropriate CA permissions) instead of SYSTEM? Else use SYSTEM and add the NDES computer account to the CA with 'Issue and Manage Certificates'. (Security risk?)
Happy to stand corrected. Many thanks for the excellent video.
It’s been a minute since I looked at the docs, but I do believe they recommend using System and granting appropriate access to the CA for the server machine account as you describe.
great stuff, Thanks
53:00 exactly what I'm dealing with. I'm stumbling upon our Netscaler when doing certain Intune stuff, but because I have no idea how our Netscaler works (nor in general), I'm totally depending one of my colleagues who's managing the Netscaler. It's a pain in the ass because we both have our own jobs to do, but are struggling to get things done because we heavily rely on each other for this.
First - great video. Thanks for this. I have some most likely noob questions, as I am still a bit confused by what this does. I built this all out with the help of this video and so far everything looks good. A couple of questions:
1. You guys used a User template as the SCEP Certificate template. Is this the certificate that you will eventually be deploying out through Intune?
2. If yes to #1 - should I be setting up the SCEP certificate template with the cert I need to push out?
3. If I am on the right track, can we set up multiple certs to be deployed through SCEP?
Thanks for the channel. Always life saving....
With allowing "Supply Subject Name" in the request and having a domain user be able to read the certificate, an attacker with line of sight of the CA/Intermediate can domain admin escalate with any standard account. Do you guys know of any security best practices regarding protecting internally against the certificate template being exploited?
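The risk raised in the comment above is the combination of a template that lets the enrollee supply the subject, an EKU usable for authentication, and Enroll rights granted to a broad group. The following is an added audit script, not code from the video or its authors; it assumes the ActiveDirectory RSAT module, read access to the Configuration partition, and the well-known AD CS flag bits and the Certificate-Enrollment extended-right GUID. For an Intune SCEP template "Supply in the request" is unavoidable, so the mitigation is to keep Enroll limited to the NDES service account (or require CA manager approval), which is what the Enrollers column surfaces.

```powershell
# Added example (not from the video): list AD CS templates where the enrollee supplies the subject,
# the certificate can be used for authentication, and no approval or RA signature gates issuance,
# together with the principals allowed to enroll. Broad groups in Enrollers are the finding.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag bit: CA certificate manager approval
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
# EKUs that let the issued certificate authenticate as its subject; an empty EKU list means "any purpose"
$authEkus = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
              '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
              '2.5.29.37.0')              # Any Purpose

$props = 'displayName','msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage'
Get-ADObject -SearchBase $templateBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t = $_
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $ekus            = @($t.pKIExtendedKeyUsage)
    $authCapable     = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $authEkus -contains $_ }).Count -gt 0)
    $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $needsSignatures = [int]$t.'msPKI-RA-Signature' -gt 0

    if ($suppliesSubject -and $authCapable -and -not $needsApproval -and -not $needsSignatures) {
        # Enroll is an extended right on the template object; GenericAll or "all extended rights" also grant it
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
        $enrollers = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    $_.ObjectType -eq $EnrollRightGuid -or
                    ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq [guid]::Empty) -or
                    $_.ActiveDirectoryRights -match 'GenericAll')
            } |
            Select-Object -ExpandProperty IdentityReference -Unique
        [pscustomobject]@{
            Template  = $t.displayName
            Enrollers = ($enrollers -join '; ')
        }
    }
} | Format-Table -AutoSize
```

A template that appears here with only the NDES service account as an enroller is the expected state for SCEP; anything listing Domain Users or Authenticated Users needs its permissions tightened or manager approval turned on.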
Great video guys! Can you clarify a comment made at 1:01:05 that PKCS should now be used instead of SCEP? Microsoft describes SCEP as more secure because the private key never leaves the device and is marked as not exportable. Granted, it's easier using PKCS to deliver certificates, but from a security perspective is it like for like?
Do what sparks joy to you and doesn't get you fired.
- Ben
Great video
Can you please advise: if we must change the NDES service user password,
what are the steps we need to take?
Do we need to run the NDESConnector UI again?
Thanks
Taz
Hi! I cannot find a separate video of the mentioned certificate discussion over the different options, SCEP vs PKCS. Was it scrapped, or is it out there? (I would rather avoid the SCEP/NDES hassle if PKCS is a simpler approach and still secure. The goal is a cert for office wifi.) As always, thanks for your efforts!
Hello, great video, thank you.
I have a question: if I need to change the CA on NDES, how can I do it?
Great video guys! After configuring NDES, AppProxy and installing the Certificate Connector, I do not have these reg keys under HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector: EncryptingCertificate, KeyRecoveryAgentCertificate, PfxSigningCertificate and SigningCertificate. Did I miss a step or is part of the installation process not completing properly? Any ideas?
Hi guys, thank you for this helpful video! Have you maybe also prepared an installation tutorial using an on-prem reverse proxy?
Thanks a lot. I just want to know if I can block, with Conditional Access, the devices which do not have a SCEP certificate.
Awaiting your reply
thanks
Jan
I followed your entire steps and it was very helpful.
Can you confirm whether, once the connector is deployed, the NDES IIS website opens correctly or not. I am getting error 403 forbidden and the MS article says it is normal. Also my SCEP certificate is not deployed on Android. Can you make a separate video on how to deploy it on Android 12.0 devices? And how to configure LDAP-based wifi authentication.
Any help is appreciated ☺️
Now that it has been 2 years, I think we need a "how to renew your NDES cert" video.
Hi guys. Can anyone confirm whether this binds the user certificates to the user in AD? I am in the process of setting up an EAP-TLS RADIUS using Aruba ClearPass, but I keep getting AD: User not found. EAP-TLS: Authentication failure, unknown user
Should you use the Microsoft CA and NDES to deploy SCEP certificates in Intune when you're fully cloud based or is this set up for hybrid configuration? Does it matter?
is there a process to renew ndes service certificates as well?
Do we need to install the "Online Responder" feature on the main CA?
I kept getting prompted to sign in, at 47:00, when trying to access the mscep_admin site.
My solution was to disable the "IE Enhanced Security Configuration" for administrators, and then restart the server.
Hi,
User template was not mentioned in the Microsoft docs. Why do you create the user template first??
Hello, one question, with the new update of the Intune certificate connector, the client certificate template would no longer be necessary, right?
You may still need it depending on your needs. PKCS and SCEP profiles have different requirements. The only thing that changed is the connector now works for both types of certs instead of needing a separate connector for each profile type.
Guys, on the process I get error 403 forbidden. Denied access. How can I fix the issue? 😢
Thanks so much for this video! I was struggling with wrapping my head around how it worked, but this certainly helped!!
NOW.... I am down to the very last step and getting an error on the Certificate Connector. It runs through the config and ends with "Enrollment Failed. Error: System.ArgumentException: An item with the same key has already been added.".
I am afraid that with all my testing, trial and errors and "redoing" of steps, I might have missed removing something? Anyone have any ideas, or where I could go to check logs for the Certificate connector? Thanks guys!!
Did you manage to find a solution for this? I’m seeing the same error. Thanks!
@@niklaskarlsson2692 No, and I have a ticket in with Microsoft Support, but have not heard back from them yet. ;-(
@@Tony.Ling-CSD509J did you hear back from Microsoft support? I’ve a ticket open, but have had no response so far…
@@Tony.Ling-CSD509J This is an issue with the connector; further, the PG might have some updates
@@kunalchatterjee5310 Yes, I did find that recently also. I went back to an older Certificate Connector version and it worked great. ;-)
How to publish? Is there a part 2 coming?
keeeeeep watchinggggggggggggggggggggg
Does NDES/SCEP need an EA (Enterprise Admin) account to configure them? Is it mandatory?
Hi, in this video at 25:15 you have added a computer account (ITNDES), but when I try to add the computer account, it's added as a user and not as a machine. Could you please advise how to get the computer account added, or any documents on how to do that step?
Make sure you check the box in account selection dialog box to search for Computers. If your server is named the same as the user account you’re adding, that may be causing issues.
Stuck at 29:33 of the video. When I specify the service account it shows an error "The Implementation is not capable of performing the request". Need help :(
Thanks, but can this be done with machine certs?
You can deploy machine and user certs from SCEP/NDES.
Hello, I have a question please. If I open the service page with the FQDN of the server (/mscep_admin), a pop-up asks me to authenticate, and the service account fails here to bypass this step. As I've seen in your video that you've also got that login pop-up, is this really okay or not? And when I authenticate with the service account, should the admin page open normally, or is it also normal that the credentials are not accepted? I haven't linked NDES yet to our MDM solution and I have doubts. I hope my question was clear. Thank you in advance.
If after authenticating with an admin account the website fails (without the Intune connector installed) then there is an issue with the NDES installation
@@IntuneTraining Not sure. If I open the URL using "localhost" in the URL, the admin page works fine and doesn't ask for credentials, but if the FQDN is used instead, I get the login popup and auth fails. Nothing is clear in the docs about that part. I'm not using Intune, I use JAMF Pro.
Yeah, sounds like something is wrong with DNS, but not with the IIS install. In saying that, with Jamf Pro in the mix it's not something that we have worked with, so we can't really comment on how it should/shouldn't be working.
Can we re-configure the NDES server on an Azure VM, as currently all components like CA, NDES, DC are on-prem? Can we move all to Azure VMs? Any challenges, or issues end users may face?
So long as the NDES server can communicate with the CA and DC via a network then it can be anywhere
When I get to configuring the Intune connector and it wants me to log in to Azure AD, all 3 of our global admin accounts say they're personal accounts (which isn't true because they have our domain attached to them) and when I try to use my intune admin account it says Microsoft cannot find my account. Do you have any ideas on why this is happening? It should be so simple!!
Wow. That certainly doesn't make any sense. Haven't seen that behavior before. Try browsing to portal.azure.com and logging in with a GA account, then try the connector install.
Tbh, I have built 4 NDES and SCEP environments in the last year, and I still find the documents are kinda lacking at times, or at least vague.
I think it's less that they are vague but more that perhaps, they aren't the easiest to follow. VERY easy to miss steps that have you scratching your head.
This is why we decided to film these guides!
- Ben
Do we need app proxy? The MS Learn document only mentions it.
For scep, you need a reverse proxy, which is what the AAD App Proxy does for you
Thanks for the guide, everything worked fine for me, but after some time on the NDES server I get the message "The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request." The device is not getting a certificate.
What could be causing this?
In my case, the solution to the problem was either:
- revocation of all certificates issued by NDES, or
- lifting the TLS blockade:
SCHANNEL\Protocols\TLS 1.2\Server
"DisabledByDefault": 00000000
"Enabled": 00000001
Check to make sure you have the latest version of the Intune Certificate connector as it shouldn't need TLS1.2
@@IntuneTraining Certificate Connector for Microsoft Intune 6.00012.7.0
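To check whether an NDES server is in the state the comment above describes (TLS 1.2 server-side allowed in SCHANNEL), here is an added PowerShell check, not code from the video or the commenter. It assumes the full SCHANNEL registry path under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders, which the comment abbreviates, and that both values are REG_DWORD.

```powershell
# Added example (not from the video): report the SCHANNEL TLS 1.2 server setting on this machine
# and optionally set the values the comment above lists (Enabled=1, DisabledByDefault=0).
$Tls12ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'

function Get-Tls12ServerState {
    if (-not (Test-Path $Tls12ServerKey)) {
        # No key at all means the OS default applies; nothing in the registry is blocking TLS 1.2 here
        return [pscustomobject]@{ Key = $Tls12ServerKey; Present = $false; Enabled = $null
                                  DisabledByDefault = $null; Verdict = 'OS default (no override)' }
    }
    $p        = Get-ItemProperty -Path $Tls12ServerKey
    $enabled  = $p.Enabled              # $null when the value is absent
    $disabled = $p.DisabledByDefault
    # Enabled=0 or DisabledByDefault<>0 is the "TLS blockade" the comment refers to
    $blocked  = (($null -ne $enabled) -and ($enabled -eq 0)) -or (($null -ne $disabled) -and ($disabled -ne 0))
    [pscustomobject]@{
        Key               = $Tls12ServerKey
        Present           = $true
        Enabled           = $enabled
        DisabledByDefault = $disabled
        Verdict           = if ($blocked) { 'TLS 1.2 server blocked by registry' } else { 'TLS 1.2 server allowed' }
    }
}

# Writes the values from the comment. Needs an elevated prompt; SCHANNEL reads them at boot, so reboot afterwards.
function Enable-Tls12Server {
    if (-not (Test-Path $Tls12ServerKey)) { New-Item -Path $Tls12ServerKey -Force | Out-Null }
    New-ItemProperty -Path $Tls12ServerKey -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $Tls12ServerKey -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    Get-Tls12ServerState
}

Get-Tls12ServerState | Format-List
```

As the reply notes, a current Certificate Connector should not need this change, so treat a "blocked" verdict as something to investigate (a hardening GPO or a hand-made key) rather than flip blindly.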
Where is the "links down below" as mentioned several times in the video.
They are down below now. Sorry we generally have a few day delay between the video upload and the description/links being updated. We have a volunteer who handles it and we often upload and release on the same day before he has a chance to add the info.
Hi, I followed you until the last logon screen in the 'certificate connector'. I am trying to log in, but it wont continue (it just prompts me with the login screen again, no errors.) Do you have any clue to where the fault is? What tools can I use to debug this issue?
Check you have a license assigned to the account setting it up
@@IntuneTraining hmm, I use the
'earlier
@@IntuneTraining gave permissions to the user I tried to log in with in. P2, E5 and Intune Licenses. No change. Reinstalled the whole NDES-server and configured it again. Same outcome.
Microsoft can make a grown man cry
Hi, guys!
I have a situation in my deployment... Everything works well, but Intune is requesting 2 certificates per user and I don't know why.
If the certificate is still valid, I think Intune should get the same certificate for the user.
How are you configuring your cert profile?
@@IntuneTraining I have a profile to deploy a SCEP cert request and another one to deploy the 802.1x setup. I'm thinking I just need one profile for 802.1x and the same profile will request a certificate.
So this is confusing, do you actually request a certificate for the NDES server or not? You kinda just skipped over that part?