AD CS: Network Device Enrollment Service in Windows Server 2008 R2

The Network Device Enrollment Service (NDES) is an Active Directory Certificate Service (AD CS) role service which implements the Simple Certificate Enrollment Protocol (SCEP).

SCEP is designed to provide simple and scalable certificate enrollment and certificate query services using HTTP.

NDES is a SCEP registration authority which provides certificate enrollment for network devices that require digital certificates but cannot perform certificate enrollment directly with a CA because they are not domain members.

This document provides an overview of NDES in Windows Server 2008 and Windows Server 2008 R2 and describes procedures for deploying, managing and troubleshooting NDES.

In this guide

What’s new for NDES in Windows Server 2008 and Windows Server 2008 R2

The service was first released as MSCEP for Windows Server 2003; beginning with Windows Server 2008 it is named NDES.

The following features have been added to NDES in Windows Server 2008 and Windows Server 2008 R2.

  • Included as an AD CS role service in Windows Server 2008 and Windows Server 2008 R2, Enterprise and Datacenter editions only

  • Support for device certificate renewal. (Windows Server 2008 R2, Windows Server 2008 Service Pack 2, or Windows Server 2008 with the KB959193 hotfix installed)

  • Support for custom certificate templates.

  • Support for enterprise NDES deployments installed on a remote web server.

  • Separate virtual directories for password requests and certificate enrollment.

  • Improved security in NDES default configuration.

    • Configurable hash algorithm, which defaults to SHA-1; previously only MD5 was supported.

    • Password required; previously optional.

    • Maximum number of passwords reduced to five; previously 100.

    • NDES runs as Network Service; previously used LocalSystem.

NDES enrollment process overview

This section describes the process of device enrollment using NDES.

  1. Generate a key pair and install it on your device by using procedures provided by your device vendor.

  2. Request a password by using the NDES admin site. The default URL is http://<computer_name>/certsrv/mscep_admin.

  3. Establish trust between the device and the CA by downloading the CA certificate using the GetCACert operation and procedures provided by your device vendor. The default NDES URL for calling GetCACert is http://<computer_name>/certsrv/mscep?operation=getcacert&message=<CA Name>.

  4. Submit the password and certificate request from the device to NDES by using procedures provided by your vendor.

  5. NDES uses the request from the device to generate a certificate request and submit it to the configured CA.

  6. If NDES certificate requests do not require certificate manager approval, the certificate is immediately returned to the device as part of the NDES response message.

  7. If NDES certificate requests require certificate manager approval, the certificate request is held on the CA until it is reviewed by a certificate manager. Check the request status from the device using procedures provided by your vendor until NDES responds with the certificate.
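Step 3 above is the point at which a device decides whether to trust the CA, and the GetCACert download itself is plain HTTP. The following device-side helper is an added example, not Microsoft's or NDES's own code: it builds the default GetCACert URL given in step 3, classifies the response by the Content-Type values defined for SCEP, and accepts the downloaded CA certificate only when its fingerprint matches one obtained out of band (for example, from the CA administrator). The host name, CA name and certificate bytes are constructed for illustration.

```python
"""Device-side helpers for NDES step 3 (GetCACert) and the trust check
that step implies.  Added example; not Microsoft code.  Host names, the
CA name and the certificate bytes used below are constructed."""
import hashlib
import hmac
import urllib.parse
import urllib.request

# Content-Type values a SCEP GetCACert response carries (from the SCEP
# specification): a single DER CA certificate, or a degenerate PKCS#7
# bundle holding the CA certificate plus the registration authority
# (NDES) certificates.
GETCACERT_CONTENT_TYPES = {
    "application/x-x509-ca-cert": "single-ca-cert",
    "application/x-x509-ca-ra-cert": "ca-and-ra-pkcs7",
}


def getcacert_url(ndes_host, ca_name):
    """Build the default NDES GetCACert URL named in enrollment step 3.

    The CA name is URL-encoded because issuing CA names usually contain spaces.
    """
    return "http://%s/certsrv/mscep?operation=getcacert&message=%s" % (
        ndes_host, urllib.parse.quote(ca_name, safe=""))


def classify_getcacert_response(content_type):
    """Map the response Content-Type to what the body contains.

    Returns None for anything else (for example an HTML error page from
    IIS), so a caller never treats an error page as a CA certificate.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    return GETCACERT_CONTENT_TYPES.get(media_type)


def fingerprint(der_bytes, algo="sha256"):
    """Colon-separated, upper-case fingerprint of a DER blob."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected_fingerprint(der_bytes, expected, algo="sha256"):
    """Compare a downloaded certificate with a fingerprint obtained out of
    band, in constant time.  Colons, spaces and letter case in the
    expected value are ignored.

    GetCACert is served over plain HTTP, so the download alone proves
    nothing; this comparison is what establishes trust in step 3.
    """
    normalised = expected.replace(":", "").replace(" ", "").lower()
    actual = hashlib.new(algo, der_bytes).hexdigest()
    return hmac.compare_digest(actual, normalised)


def fetch_ca_cert(ndes_host, ca_name, expected_fingerprint, timeout=10):
    """Download the CA certificate and, for a single-certificate response,
    accept it only if it matches the expected fingerprint.  For the PKCS#7
    bundle the CA certificate must first be extracted from the bundle
    (no ASN.1 parser is included here).  Network call; not run offline."""
    url = getcacert_url(ndes_host, ca_name)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        kind = classify_getcacert_response(resp.headers.get("Content-Type", ""))
        body = resp.read()
    if kind is None:
        raise ValueError("unexpected GetCACert response type")
    if kind == "single-ca-cert" and not matches_expected_fingerprint(
            body, expected_fingerprint):
        raise ValueError("CA certificate fingerprint mismatch; do not trust this CA")
    return kind, body


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real device would
    # fingerprint the bytes returned by fetch_ca_cert().
    fake_der = b"abc"
    print(getcacert_url("ndes01.corp.example", "Contoso Issuing CA"))
    print(fingerprint(fake_der, "sha1"))
```

The fingerprint must come from a channel other than the NDES web site itself; otherwise step 3 only proves that the device reached some HTTP server, not that it reached the CA it intends to enroll with.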

Figure: NDES device enrollment process

Additional references

Active Directory Certificate Services

For SCEP RFCs and Internet drafts, see the Internet Engineering Task Force web site (http://go.microsoft.com/fwlink/?LinkId=121).

© 2014 Microsoft