AD CS: Network Device Enrollment Service
Updated: July 10, 2012
Applies To: Windows Server 2008
The Network Device Enrollment Service (NDES) is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a certification authority (CA).
NDES operates as an Internet Server Application Programming Interface (ISAPI) filter on Internet Information Services (IIS) that performs the following functions:
- Generates and provides one-time enrollment passwords to administrators.
- Receives and processes SCEP enrollment requests on behalf of software running on network devices.
- Retrieves pending requests from the CA.
This feature applies to organizations that have public key infrastructures (PKIs) with one or more Windows Server® 2008–based CAs and that want to enhance the security of communications by using Internet Protocol security (IPsec) with network devices such as routers and switches.
Adding support for NDES can significantly enhance the flexibility and scalability of an organization's PKI; therefore, this feature should interest PKI architects, planners, and administrators.
Organizations and professionals interested in NDES may want to know more about the SCEP specifications on which it is based.
SCEP was developed by Cisco Systems, Inc. as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs.
In Windows Server 2003, Microsoft® SCEP (MSCEP) was a Windows Server 2003 Resource Kit add-on that had to be installed on the same computer as the CA. In Windows Server 2008, MSCEP support has been renamed NDES and is part of the operating system; NDES can be installed on a different computer from the CA.
The NDES extension to IIS uses the registry to store configuration settings. All settings are stored under one registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
The following table defines the registry keys that are used to configure MSCEP:
Tip: Many of the registry values documented in the following table require that you first create a new subkey below HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP. For example, to designate a password validity period of 120 minutes, you must first create a new subkey named PasswordValidity, and then in the PasswordValidity key, create a DWORD named PasswordValidity with a decimal value of 120.

| Setting name | Optional (Yes/No) | Default value | Possible values |
|---|---|---|---|
| Refresh | No | 7 | Number of days that pending requests are kept in the NDES database. |
| EnforcePassword | No | 1 | Defines whether passwords are required for enrollment requests. The value 1 means NDES requires a password for enrollment requests. The value 0 (zero) means passwords are not required. |
| PasswordMax | No | 5 | Maximum number of available passwords that can be cached. |
| PasswordValidity | No | 60 | Number of minutes a password is valid. |
| PasswordVDir | Yes | Not set | The name of the virtual directory that can be used for password requests. If set, NDES accepts password requests only from the defined virtual directory. If the value is empty or not configured, NDES accepts password requests from any virtual directory. |
| CacheRequest | No | 20 | Number of minutes that issued certificates are kept in the SCEP database. |
| CAType | No | Based on setup | Identifies the type of CA that NDES is linked to. The value 1 means it is an enterprise CA; the value 0 means it is a stand-alone CA. |
| SigningTemplate | Yes | Not set | If this key is set, NDES uses this value as the certificate template name when clients enroll for a signing certificate. |
| EncryptionTemplate | Yes | Not set | If this key is set, NDES uses this value as the certificate template name when clients enroll for an encryption certificate. |
| SigningAndEncryptionTemplate | Yes | Not set | If this key is set, NDES uses the value as the certificate template name when clients enroll for a signing and encryption certificate, or when the request does not include any enhanced key usage. |
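The following PowerShell script is an added example, not part of the original article: it reads the MSCEP registry settings listed above (checking the same-named subkey layout the Tip describes, then the MSCEP key itself) and flags password-related settings that are weaker than the documented defaults. The function names are my own; the script assumes NDES is installed on the local computer and that the shell is elevated.

```powershell
# Added example (not from the original article): audit the NDES (MSCEP) registry
# settings documented above and flag password settings weaker than the defaults.
# Assumes NDES is installed locally and the shell runs elevated.
$Base = 'HKLM:\Software\Microsoft\Cryptography\MSCEP'

function Get-NdesSetting {
    param([string]$Name, $Default)
    # Look in the same-named subkey first (the layout the Tip describes),
    # then fall back to a value stored directly under the MSCEP key.
    foreach ($key in @((Join-Path $Base $Name), $Base)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $Default
}

function Set-NdesDwordSetting {
    param([string]$Name, [int]$Value)
    # Create the subkey if it is missing, then write the DWORD, as the Tip describes.
    $key = Join-Path $Base $Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-NdesPasswordSettings {
    $findings = @()
    if ((Get-NdesSetting 'EnforcePassword' 1) -ne 1) {
        $findings += 'EnforcePassword is 0: enrollment requests are accepted without a challenge password.'
    }
    if ((Get-NdesSetting 'PasswordValidity' 60) -gt 60) {
        $findings += 'PasswordValidity is above the 60-minute default: unused passwords stay valid longer.'
    }
    if ((Get-NdesSetting 'PasswordMax' 5) -gt 5) {
        $findings += 'PasswordMax is above the default of 5: more unused passwords can be outstanding at once.'
    }
    if ([string]::IsNullOrEmpty((Get-NdesSetting 'PasswordVDir' ''))) {
        $findings += 'PasswordVDir is not set: password requests are accepted from any virtual directory.'
    }
    return $findings
}

$findings = Test-NdesPasswordSettings
if ($findings.Count -eq 0) { 'NDES password settings match or tighten the documented defaults.' }
else { $findings | ForEach-Object { "WARN: $_" } }

# The Tip's worked example, a 120-minute validity period (uncomment to apply):
# Set-NdesDwordSetting -Name 'PasswordValidity' -Value 120
```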
Before installing NDES, you need to decide:
- Whether to set up a dedicated user account for the service or to use the Network Service account.
- The name of the NDES registration authority and what country/region to use. This information is included in any MSCEP certificates that are issued.
- The cryptographic service provider (CSP) to use for the signature key used to encrypt communication between the CA and the registration authority.
- The CSP to use for the encryption key used to encrypt communication between the registration authority and the network device.
- The key length for each of these keys.
In addition, you need to create and configure the certificate templates for the certificates used in conjunction with NDES.
Installing NDES on a computer creates a new registration authority and deletes any pre-existing registration authority certificates on the computer. Therefore, if you plan to install NDES on a computer where another registration authority has been configured, any pending certificate requests should be processed and any unclaimed certificates should be claimed before NDES is installed.
For more information about using the Network Device Enrollment Service, see Use the Network Device Enrollment Service and Online Responder Installation, Configuration, and Troubleshooting Guide.
For information about other features in Active Directory Certificate Services, see Active Directory Certificate Services Role.