Installing Microsoft NDES on a Windows server

This topic describes how to install NDES on a Windows server that is available on your network.

You can install NDES on the same server as the Cloud Extender® certificate integration, but install both on a different server than your CA. You can install NDES from the Microsoft Server Manager. Cloud Extender only needs to communicate with NDES to receive device certificates. If you have not installed NDES on your Windows Server, see the Microsoft article at https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx for instructions on how to enable NDES on the Microsoft server.

Required permissions to set up Microsoft NDES

The following permissions are required to set up NDES:
SCEP Admin: The user who logs in to the server and installs NDES. This user must meet the following requirements:
  • Member of the Local Administrators group
  • Enroll permissions on the following templates:
    • Exchange Enrollment Agent (offline request)
    • CEP Encryption
  • Permissions to add templates to the selected CA
  • Member of the Enterprise Administrator group

SCEP Service Account: The credentials that are used to run the NDES service. This account must meet the following requirements:
  • Member of the local IIS_IUSRS group
  • Request permission on the configured CA
  • Domain user account with Read and Enroll permissions on the configured templates (for more information, see the topic Configuring the certificate template on the SCEP server)
  • SPN set in Active Directory

Device Administrator: The user who manages the devices and requests a one-time password from the service to enable security enrollment. This user must have Enroll permissions on the certificate template that is used by NDES to request certificates against the CA.

Confirming that SCEP is working on the Cloud Extender server

Follow these steps to determine whether SCEP is working on the Cloud Extender server:
  1. From Internet Explorer on the Cloud Extender server, go to the SCEP Admin URL at http://<ServerName>/certsrv/mscep_admin/.
  2. Provide the credentials for the Device Administrator. As an example, the following type of window might be displayed:
    [Figure: NDES status window]
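The following script is an added example, not part of the original documentation. It checks two of the SCEP Service Account requirements listed above (local IIS_IUSRS membership and an SPN in Active Directory) and then requests the SCEP Admin URL with the Device Administrator credentials. The account name and server name are placeholders, and the script assumes Windows PowerShell 5.1 run as a local administrator on the NDES server.

```powershell
# Added example: pre-flight checks for the NDES prerequisites described above.
# Assumes Windows PowerShell 5.1 on the NDES server, run as a local administrator.
$ServiceAccount = 'EXAMPLE\svc-ndes'         # placeholder SCEP Service Account
$NdesServer     = 'ndes01.example.internal'  # placeholder for <ServerName>
$results = [ordered]@{}

# SCEP Service Account: member of the local IIS_IUSRS group.
$members = Get-LocalGroupMember -Group 'IIS_IUSRS' -ErrorAction SilentlyContinue
$inGroup = [bool]($members | Where-Object { $_.Name -eq $ServiceAccount })
$results['Service account in IIS_IUSRS'] = $inGroup

# SCEP Service Account: SPN set in Active Directory.
# Reads servicePrincipalName from the account object; no RSAT module needed.
$sam   = $ServiceAccount.Split('\')[-1]
$entry = ([adsisearcher]"(&(objectCategory=user)(sAMAccountName=$sam))").FindOne()
$spns  = @()
if ($entry) {
    $spns = @($entry.Properties['serviceprincipalname'] | Where-Object { $_ })
}
$results['SPNs set in Active Directory'] = if ($spns.Count) { $spns -join ', ' } else { 'none' }

# Device Administrator: request the SCEP Admin URL from step 1 and record
# the HTTP status, or the error if the request fails.
$cred = Get-Credential -Message 'Device Administrator credentials'
try {
    $uri  = "http://$NdesServer/certsrv/mscep_admin/"
    $resp = Invoke-WebRequest -Uri $uri -Credential $cred -UseBasicParsing
    $results['mscep_admin HTTP status'] = $resp.StatusCode
} catch {
    $results['mscep_admin HTTP status'] = "failed: $($_.Exception.Message)"
}

[pscustomobject]$results | Format-List
```

A result of `False` or `none` for the first two checks points to a missing Service Account requirement; a failed request to the admin URL should be compared against the Device Administrator's Enroll permissions on the NDES template.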
What to do next: Configuring the certificate template on the SCEP server