NDES configuration settings are stored in the registry. I cover some of the more commonly modified registry values here; for a complete listing of configuration settings, read the NDES whitepaper. The base registry key that NDES reads is:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP

All the registry values referenced below are set under this key.
Template Settings
Use these settings to customize the certificate templates used by NDES.

SignatureTemplate (REG_SZ)
EncryptionTemplate (REG_SZ)
GeneralPurposeTemplate (REG_SZ)

These three registry values hold the LDAP name of the template that should be issued for each type of key the SCEP client could request. There are three types of keys that can be specified:

SignatureTemplate: The private key can only be used for creating a digital signature. In the certificate template configuration, this is denoted by the Purpose "Signature" on the Request Handling tab.

EncryptionTemplate: The private key can be used for encryption. In the certificate template configuration, this is denoted by the Purpose "Encryption" on the Request Handling tab.

GeneralPurposeTemplate: The private key can be used both for encryption and for creating a digital signature. In the certificate template configuration, this is denoted by the Purpose "Signature and encryption" on the Request Handling tab.

Here is a screen shot of a certificate template showing where the template name that needs to be populated in the registry values is found. In the figure below it is IPSecIntermediateOffline (the default template used by NDES).
NOTE: If you decide to use a custom certificate template, there are additional requirements:

The NDES application pool identity needs Enroll permission on the template; this is set on the Security tab in the properties of the template.

The template must be valid for computer accounts, not user accounts. You can find the template type by opening the properties of the template and clicking the Extensions tab; select the extension "Certificate Template Information" and you will see "Subject type: Computer".

The template's Subject Name must be set to "Supply in the request". This can be seen by clicking the Subject Name tab.
Password Settings
Use these settings to configure some of the password behavior in NDES.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
Value: PasswordValidity
Type: REG_DWORD
Data: Default 60 (decimal)

PasswordValidity sets the amount of time (in minutes) for which the NDES admin-supplied password is valid. The default value is 60 minutes, but most admins change this to a value that accommodates the time it takes to communicate the password to the device owner. The device owner enters this password on the device in order to enroll for a certificate.

A good value might be 0x78 (120 decimal). This gives the owner of the device 2 hours to get through the iPhone configuration utility and set the challenge password. If the validity period expires and the device owner has not obtained a certificate, the SCEP admin will need to generate a new challenge for the user.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\PasswordMax
Value: PasswordMax
Type: REG_DWORD
Data: Default 5

PasswordMax sets the number of passwords that the service will track once the NDES admin starts generating passwords. This means the NDES admin can have X unique passwords outstanding at one time. Once that number has been reached, the NDES admin cannot generate any further passwords until the old ones have been used by a device or their validity period has expired.

You can change the behavior of NDES to force the service to use only one password for all client certificate enrollments. This is done with the UseSinglePassword registry value added in the following hotfix: 959193, "Two improvements are available that shorten the time that is required to manage SCEP certificates by using the Network Device Enrollment Service in Windows Server 2008", http://support.microsoft.com/kb/959193
System clock verification

Make sure that the system clocks of the SCEP server, the Communication Server and the Management Server are set to the correct time.

4. Modifying Policy Module properties for the Certificate Authority
a. On the computer where the Certificate Authority is installed, open the Certification Authority management console.
b. Click the Policy Module tab, and then click Properties.
c. Select "Follow the settings in the certificate template, if applicable".
1. Open the Registry Editor using the "regedit" command.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword and set the UseSinglePassword value to "1".
3. Restart IIS.
4. Access the SCEP Server admin page via http://<scep_server>/certsrv/mscep_admin/ to view the password.
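As an added example (not part of the original document), a PowerShell helper that audits and sets the password-related values above at the registry locations exactly as this document gives them; the function names, the validation rules and the defaults shown are my own assumptions, not NDES's own tooling.

```powershell
# Added example, not from the original document. Run in an elevated
# PowerShell session on the NDES server; changes apply after IIS restarts.
$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# Each setting where the document places it: PasswordValidity directly
# under MSCEP, PasswordMax and UseSinglePassword under a same-named subkey.
# Defaults are the ones the document states (UseSinglePassword assumed 0).
$Settings = [ordered]@{
    PasswordValidity  = @{ Key = $MscepKey;                     Default = 60 }
    PasswordMax       = @{ Key = "$MscepKey\PasswordMax";       Default = 5  }
    UseSinglePassword = @{ Key = "$MscepKey\UseSinglePassword"; Default = 0  }
}

function Get-NdesPasswordSettings {
    # Effective value of each setting; falls back to the documented default
    # when the value or its key does not exist yet.
    $result = [ordered]@{}
    foreach ($name in $Settings.Keys) {
        $s = $Settings[$name]
        $item = Get-ItemProperty -Path $s.Key -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($null -ne $item) { $item.$name } else { $s.Default }
    }
    [pscustomobject]$result
}

function Set-NdesPasswordSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PasswordValidity', 'PasswordMax', 'UseSinglePassword')]
        [string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    # Refuse values that would leave the service unusable: a 0-minute
    # validity, a PasswordMax below 1, or a flag value other than 0/1.
    if ($Name -ne 'UseSinglePassword' -and $Value -lt 1) { throw "$Name must be >= 1" }
    if ($Name -eq 'UseSinglePassword' -and $Value -notin 0, 1) { throw "$Name must be 0 or 1" }
    $key = $Settings[$Name].Key
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # create subkey
    Set-ItemProperty -Path $key -Name $Name -Value $Value -Type DWord
}

# Apply the 120-minute validity suggested above, then show all values.
Set-NdesPasswordSetting -Name PasswordValidity -Value 120
Get-NdesPasswordSettings
# With UseSinglePassword = 1 every device enrolls with the same challenge,
# so keep the mscep_admin page limited to NDES admins and run iisreset after.
```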