
Integrating Microsoft AD CS server with MDM

Microsoft Active Directory Certificate Services (AD CS) provides digital certificates that can be used to encrypt, digitally sign and authenticate users and devices on a network. By integrating Microsoft AD CS with Mobile Device Manager Plus, IT admins can leverage AD and Group Policy for certificate registration and assignment. It allows organizations to dynamically create user-specific certificates, distribute certificates at large scale and automatically renew the certificates on devices, thereby ensuring data security and compliance with organizational standards.

Pre-requisites

NDES (Network Device Enrollment Service) must be installed on a Windows Server machine.

Configure Certificate Template
  1. Click on Start Menu, select Run, type mmc and click OK.
  2. Click File and select Add/Remove Snap-in.... Select Certificate Templates, click Add and then click OK.
  3. Right-click Certificate Templates and select Manage.
  4. Click on User and select Duplicate Template.
  5. Specify a Template display name and save it by clicking OK.
  6. Click on Extensions, select Application Policies. Click Edit and select Client Authentication to add it to Application Policies.
  7. Click on Cryptography and specify the Minimum key size. The recommended key size is 2048, as it enhances security. The same key size must be specified when configuring SCEP in MDM.
  8. Click on Security and select the Group(s) to which the policy is to be applied. Ensure Enroll is an allowed permission for the selected group(s).
  9. Click on Subject Name and select Supply in the request, so that subject names are specified in the certificate request.

Map Certificate Template to SCEP
  1. Add Certification Authority as a snap-in in the Microsoft Management Console (MMC).
  2. Expand Certification Authority and right-click on Certificate Templates. Click New and select Certificate Template to Issue.
  3. Select the Certificate Template created before and click OK.

    To change the default certificate template used by Microsoft NDES, Windows registry values must be changed.

  4. Click on Start Menu, select Run, type regedit and click OK.
  5. Expand HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP.
  6. Right-click on EncryptionTemplate and click Modify.
  7. Specify the name of the created Certificate Template as the Value data. Repeat the same for GeneralPurposeTemplate and SignatureTemplate. Restart the server machine once for the changes to take effect.

Prevent challenge password expiry

If you're using a Challenge password (recommended), registry values must be modified to prevent the Challenge password from expiring.

  1. Open regedit and expand HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP -> UseSinglePassword.
  2. Right-click UseSinglePassword and change the Value data to 1.

After configuration is complete, restart the NDES Server.

Steps to increase the password cache limit

  1. Open the Registry Editor on the NDES machine and navigate to HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP -> UseSinglePassword.
  2. Set the value of UseSinglePassword to 0. With this setting, every request to the NDES admin URL generates a unique challenge password. Admin URL: https:///certsrv/mscep_admin/mscep.dll
  3. Restart the IIS server.
  4. When you navigate to the Admin URL, a challenge password is displayed; refreshing the page produces another challenge password.
  5. A limitation of this configuration is that NDES will only generate 5 passwords each hour.
  6. This can be resolved by increasing the password cache limit of NDES. In the registry editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.
  7. Create a new key named PasswordMax.
  8. Right-click the PasswordMax key, select New -> DWORD (32-bit) Value, name it PasswordMax and set a value according to your organization's needs.
  9. Restart IIS.
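As an added example that is not part of the original documentation, the following PowerShell script applies the NDES registry changes from the procedures above (the three template mappings, then either the non-expiring single password or the dynamic-password cache increase) and reads them back before restarting IIS. The template name and cache size are assumptions; replace them with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the NDES registry settings described above.
# Run on the NDES server. Values marked "assumption" are placeholders.
param(
    [string]$TemplateName = 'MDMUserSCEP',   # assumption: Name of your duplicated template
    [ValidateSet('Static', 'Dynamic')]
    [string]$ChallengeMode = 'Dynamic',
    [int]$PasswordMax = 100                  # assumption: passwords cached per hour
)
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# Map all three NDES template slots to the new template. NDES expects the
# template's Name (as listed in the Certificate Templates snap-in), not
# the "Template display name".
foreach ($slot in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Set-ItemProperty -Path $mscep -Name $slot -Value $TemplateName -Type String
}

# Helper: create the MSCEP subkey if missing and set the DWORD of the same name.
function Set-MscepDword([string]$Key, [int]$Value) {
    $path = Join-Path $mscep $Key
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Key -Value $Value -Type DWord
}

if ($ChallengeMode -eq 'Static') {
    # One challenge password shared by all devices; it does not expire.
    Set-MscepDword -Key 'UseSinglePassword' -Value 1
} else {
    # A fresh password per request to mscep_admin, with a larger cache than
    # the default of 5 per hour.
    Set-MscepDword -Key 'UseSinglePassword' -Value 0
    Set-MscepDword -Key 'PasswordMax'       -Value $PasswordMax
}

# Read everything back so a typo in the template name is caught now rather
# than at the first failed device enrollment.
Get-ItemProperty -Path $mscep |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate |
    Format-List
Get-ItemProperty -Path "$mscep\UseSinglePassword" | Select-Object UseSinglePassword | Format-List
if ($ChallengeMode -eq 'Dynamic') {
    Get-ItemProperty -Path "$mscep\PasswordMax" | Select-Object PasswordMax | Format-List
}

# Challenge-password settings take effect after an IIS restart; the template
# mapping additionally needs the server reboot described above.
iisreset | Out-Null
```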

Configuring SCEP in MDM

Note: The value for Subject should be in LDAP DN format as explained here.

Follow the steps given below to configure SCEP in MDM:

  • On the console, navigate to Device Mgmt -> Certificates.
  • Click on the CA Servers tab and click on Add CA server.
  • Provide the following details:
      Server Type: Specify the server type as Microsoft AD CS.
      Certificate Authority Name: Specify the name of the Certificate Authority issuing the certificates.
      Server URL: The URL the device uses to request its certificate. Provide the HTTP server URL if the SCEP server is within the organization network and not exposed to external networks.
      Add CA Certificate: Upload the Certificate Authority's certificate.

Creating templates for the CA servers

For creating user-specific certificates, a template needs to be configured; the CA issues all certificates based on this template.

Follow the steps given below to configure the template on MDM:

  • On the console, navigate to Device Mgmt -> Certificates.
  • Click on the Templates tab and click on Add Templates.
  • Select the server to which the template belongs.
  • Provide the following details:
      Certificate Template Name: Specify the certificate template name.
      Subject: Specify the Subject DN that must be present in the certificate. You can use dynamic keys such as %username%, %email% and %firstname% to fetch the corresponding details mapped to the device. For instance, you can specify C=US,O=Zylker,OU=Zylker,CN=%firstname%.
      Subject Alternative Name Type: Specify one of None, RFC 822 Name, DNS Name or Uniform Resource Identifier as the subject alternative name type.
      Subject Alternative Name Value (can be configured only if a Subject Alternative Name Type is configured): Specify the subject alternative name value. It can be a DNS name, a URI or an email address. For instance, you can use the dynamic key %email% for an email subject alternative name.
      NT Principal Name: Specify the NT Principal Name used in the organization.
      Maximum Number of Failed Attempts: Maximum number of failed validation attempts allowed when obtaining the certificate from the CA. Once the limit is exceeded, users are temporarily restricted from attempting to validate the user account.
      Time interval between attempts: Time to wait before subsequent attempts to obtain the certificate.
      Challenge Type: A pre-shared secret provided by the CA that adds an additional layer of security. If Static is chosen, the challenge password is submitted to the SCEP server for authentication and all devices use the same password. If Dynamic is chosen, each device uses a unique challenge password. If None is chosen, no authentication is requested by the SCEP server and any device can receive a certificate by accessing the SCEP URL.
      Enrollment Challenge Password (can be configured only if the Static challenge type is selected): Provide the challenge password to be used for authentication.
      Challenge URL (configurable only if the challenge type is Dynamic): Specify the AD CS MSCEP admin endpoint URL.
      Challenge Username (configurable only if the challenge type is Dynamic): Specify the AD CS MSCEP admin username to be used.
      Challenge Password (configurable only if the challenge type is Dynamic): Specify the AD CS MSCEP admin password to be used.
      Key Size: Specify whether the key is 1024 or 2048 bits.
      Use as Digital Signature: Enabling this option ensures the certificate can be used for Digital Signature.
      Use for Key Encipherment: Enabling this option ensures the certificate can be used for Key Encipherment.
      Certificate Auto Renewal: Enabling this option ensures certificates are renewed automatically before they expire.
      Certificate Automatic Renewal Before: Specify the number of days before expiry at which the certificate must be auto-renewed.

Creating a SCEP profile

To distribute certificates to managed devices, a SCEP profile needs to be associated with those devices. Follow the steps given below to create the SCEP profile and associate it with devices:

  1. Navigate to Device Mgmt -> Profiles and create either an Apple, Android or Windows profile.
  2. Select SCEP from the left pane.
  3. Select the created Certificate template.
  4. Click on Save and publish the profile.

It is recommended to distribute the profile to a device for testing before distributing it to your production environment. Once testing is complete, you can distribute the profile to your production environment using Groups.
