NDES is the Microsoft implementation of SCEP:

The “holy bible” about NDES installation and operations:

http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

(NDES) Frequently Asked Questions (FAQ): http://social.technet.microsoft.com/wiki/contents/articles/12610.network-device-enrollment-services-ndes-frequently-asked-questions-faq.aspx

Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates: http://blogs.technet.com/b/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx

NDES enrollment process:

1) Generate a key pair and install it on your device by using procedures provided by your device vendor.

2) Request a password by using the NDES admin site. The default URL is http://<computer_name>/certsrv/mscep_admin.

3) Establish trust between the device and the CA by downloading the CA certificate using the GetCACert operation and procedures provided by your device vendor. The default NDES URL for calling GetCACert is http://<computer_name>/certsrv/mscep?operation=getcacert&message=.

4) Submit the password and certificate request from the device to NDES by using procedures provided by your vendor.

5) NDES uses the request from the device to generate a certificate request and submit it to the configured CA.

6) If NDES certificate requests do not require certificate manager approval, the certificate is immediately returned to the device as part of the NDES response message.

7) If NDES certificate requests require certificate manager approval, the certificate request is held on the CA until it is reviewed by a certificate manager. Check the request status from the device using procedures provided by your vendor until NDES responds with the certificate.

Apple iPads and NDES: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

1) The device connects to an isolated deployment wireless network while connected via USB to the Mobile Device Management (MDM) software. In this example, the iPad is connected to the iPhone Configuration Utility.

2) The device administrator connects to the Network Device Enrollment Service (NDES) to obtain a temporary password, which is entered into the Mobile Device Management (MDM) software as part of the device's profile.

3) The Mobile Device Management (MDM) software pushes the profile configuration to the device.

4) The device creates the private/public key pair and sends a request to the Network Device Enrollment Service (NDES) to request a certificate.

5) The Network Device Enrollment Service (NDES) sends an RA request to the Certification Authority (CA).

6) The Certification Authority (CA) sends the certificate to the Network Device Enrollment Service (NDES).

7) The Network Device Enrollment Service (NDES) sends the certificate to the device, which in turn installs it.

8) The device connects to the corporate network using 802.1X.

NDES Operations 101:

– On the NDES server, verify that IIS is running and that the NDES application pool is started.

– Back up IIS and export the HKLM\software\microsoft\cryptography\NDES registry key.

– On the NDES server, in the computer certificate store, check that the RA certificates have not expired (otherwise renew the NDES service certificates): http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Renewing_Service_Certificates

– Verify that the issuing CA is responding.
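A PowerShell health check that walks the checklist above, added here as an example and not taken from the linked articles. It assumes the default NDES application pool name "SCEP", identifies the RA certificates by the Certificate Request Agent EKU, and uses a placeholder CA config string; the registry export is left as a manual step.

```powershell
# Added example: NDES "Operations 101" health check (not from the linked articles).
# Assumptions: NDES runs in the default "SCEP" application pool; the RA certificates
# (Exchange Enrollment Agent and CEP Encryption) carry the Certificate Request Agent
# EKU 1.3.6.1.4.1.311.20.2.1; $CAConfig is a placeholder to be replaced.
param(
    [string]$AppPool  = 'SCEP',
    [string]$CAConfig = 'CA-HOST\Issuing CA Name',   # placeholder: "<host>\<CA common name>"
    [int]$WarnDays    = 30
)
Import-Module WebAdministration

# 1. IIS service and the NDES application pool must both be running
$iis  = (Get-Service -Name W3SVC).Status
$pool = (Get-WebAppPoolState -Name $AppPool).Value
"IIS (W3SVC): $iis"
"Application pool '$AppPool': $pool"

# 2. Back up the IIS configuration before changing anything
# (appcmd stores backups under %windir%\system32\inetsrv\backup)
& "$env:windir\system32\inetsrv\appcmd.exe" add backup "NDES-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# 3. RA certificates in the computer store: flag expired or soon-to-expire ones
$raEku   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$raCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    @($_.EnhancedKeyUsageList.ObjectId | Where-Object { $_ -eq $raEku }).Count -gt 0
}
if (-not $raCerts) { 'WARNING: no RA certificates found in Cert:\LocalMachine\My' }
foreach ($c in $raCerts) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -lt $WarnDays) { "RENEW SOON ($daysLeft days left)" }
             else { "OK ($daysLeft days left)" }
    "RA cert $($c.Thumbprint) '$($c.Subject)' expires $($c.NotAfter.ToString('yyyy-MM-dd')) [$state]"
}

# 4. NDES itself: the GetCACert URL from the enrollment steps should answer with a
#    certificate blob (SCEP uses content type application/x-x509-ca-ra-cert)
try {
    $r = Invoke-WebRequest -UseBasicParsing -Uri 'http://localhost/certsrv/mscep?operation=GetCACert&message='
    "GetCACert: HTTP $($r.StatusCode), $($r.RawContentLength) bytes, $($r.Headers['Content-Type'])"
} catch { "GetCACert FAILED: $($_.Exception.Message)" }

# 5. Issuing CA: certutil -ping contacts the CA's request interface; exit code 0 means it answered
& certutil.exe -config $CAConfig -ping | Out-Null
if ($LASTEXITCODE -eq 0) { "Issuing CA '$CAConfig' is responding" }
else { "Issuing CA '$CAConfig' did NOT respond (certutil exit code $LASTEXITCODE)" }
```

Run it in an elevated PowerShell session on the NDES server so that the application pool, computer certificate store and appcmd backup are all accessible.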