This however does not matter in 2012 R2. Reference existing Bug# 429063. The paper also addresses the new Windows Server 2012 R2 NDES policy module feature and its configuration for Microsoft Intune and System Center Configuration Manager deployments. Microsoft Network Device Enrollment Service (NDES) is a security feature in Windows Server 2008 R2 and later versions of Windows Server. One area that has seen many improvements is Active Directory Certificate Services (AD CS). If you require over-the-air enrollment for mobile devices, see Using a Policy Module with the Network Device Enrollment Service. The option you choose will determine the type of dialog box that is presented next. Click OK. However, the recommended configuration is to specify a user account, which requires additional configuration. In a later section of this article, we guide you through installing NDES. If you make configuration changes for NDES or to the certificate templates that are used by NDES, you must stop and restart NDES, IIS and the CA service. Here is an example of how to achieve that on Windows Server 2012 R2. Many rows essentially say the same thing, that a feature is available across all versions. Click CA name or Computer name, and then click Select. I thought I'd tell you all about it so in case you run into this issue, you won't have to beat your head against the wall quite as long as we did before coming up with a solution. Every single table I have found thus far comparing Windows Server 2012 versions and their features has a ton of extraneous rows. After installing the NDES role, start the configuration. Starting with Windows Server 2012 R2, NDES supports policy module integration, which can provide additional security for SCEP.
Ensure that the Allow check box that corresponds to Request Certificates is selected. If you run into this problem and the above reinstall method does not resolve the issue, try this resolution: It's OK to uninstall ASP.NET 4.5, but it's not required in order to fix the issue. The message received by the end user was: You do not have sufficient permission to enroll with SCEP. Add the newly created account into the local IIS_IUSRS group on the NDES server. The exact message in the event log for each failure was: The Network Device Enrollment Service cannot provide its password because the user does not have Enroll permissions on the configured certificate template, or the certification authority is not enabled to issue certificates based on the configured certificate template. Select Allow private key to be exported. The domain administrative user "Administrator" (the built-in account) could obtain a SCEP challenge locally, but no other domain or enterprise administrator account could obtain a SCEP challenge locally. On the CA that is to be used by NDES, open the Certification Authority console with an account that has Manage CA permissions. For Windows Server 2012, the Standard Edition supports NDES. This bug is specific to Windows Server 2012 R2 and NDES and appears to be related to the installation of the ASP.NET 4.5 role in addition to the NDES and web enrollment roles on the NDES server, although we are still awaiting word from Microsoft as to the exact cause of this issue. Here's what it turned out to be. During the installation of NDES in a domain with Windows 2012 R2 domain controllers, the NDES installation fails during the configuration stage. You must select a CA for the NDES service to use when issuing certificates to clients.
August 23, 2017 - Updated 2008 R2 and 2012 R2 hotfix description for OCSP Bug (2950080) with long CA names. Windows Server 2012 NDES - Problem with Cisco IOS. I've got a client with a new PKI environment; they have an Offline root > Intermediate > Issuing CA running NDES. I followed this procedure to configure NDES on the issuing (Sub) CA. Click Check Names, click OK twice, and then close Computer Management. But, try as hard as we could, we could not get the NDES service to issue SCEP challenges. Open Active Directory Users and Computers by using an account that has permissions to add users to the domain. But, each time we requested a SCEP challenge, we got a message indicating that we did not have sufficient permissions to request a SCEP challenge. In order to extend NDES certificate enrollment to untrusted networks in Windows Server 2012 R2, NDES defines two new HTTP operations. Note that this behavior appeared only in environments where NDES was configured to do Kerberos authentication. To do so: In the Select Users, Computers, Service Accounts, or Groups text box, type the name of the NDES service account, click Check Names, and then click OK. When the RA certificate expires, it is not renewed automatically on the CA side (Windows Server 2012 in this example).