Certificate Enrollment Across Boundaries

Rashmi Jha, Program Manager, Microsoft Corporation

SIM329

Session Agenda

Introduce the Certificate Enrollment Web Services
CEP (Certificate Enrollment Policy Web Service)
CES (Certificate Enrollment Web Service)
CES/CEP Deployment Scenarios
Designing a Certificate Enrollment Web Services Infrastructure
CES/CEP Installation Requirements
Understand Network Device Enrollment Service (NDES)

Pre-requisites

General understanding of PKI
General understanding of Windows Server 2008 Active Directory Certificate Services (ADCS)

PKI Challenges in Enterprises

Extranet Requirements
Mobile and remote workers are not always on the corporate network

Managing non-domain joined machines
Employee home machines
Non-domain workstations and servers

PKI Complexity
The more complex the AD deployment, the more complex the PKI becomes (multiple forests, multiple CAs)

Certificate Enrollment Without CEP/CES

Diagram (steps 1 to 4): Client Workstations talk to Active Directory over LDAP and to the Certificate Authority over RPC/DCOM.

PKI Challenges in Enterprises: How do we solve them?

Two web enrollment role services in Windows Server 2008 R2 enable certificate policy retrieval and certificate enrollment over HTTPS:

Certificate Enrollment Policy Web Service (CEP)
Certificate Enrollment Web Service (CES)

Certificate Enrollment With CEP/CES

Diagram (steps 1 to 8): Client Workstations configured with a certificate enrollment policy (Windows 7 and 2008 R2 only) reach the Certificate Enrollment Policy Web Service (CEP) and the Certificate Enrollment Web Service (CES) over HTTPS only. CEP retrieves policies from Active Directory over LDAP and returns them to the client; the client sends its certificate request to CES, which forwards it to the Certificate Authority over RPC/DCOM and returns the issued certificate.

Deployment Scenarios

Single Forest

Forest Consolidation
Allows organizations with multiple forests to consolidate their PKI by eliminating the requirement for per-forest CA deployments

Extranet
Allows users and computers outside the corporate network (internet) to enroll for certificates

Renewal-Only Mode
Allows certificates to be renewed only (no enrollment) over the Internet

Designing a Certificate Enrollment Web Services Infrastructure

Firewall Configuration
Delegation (Certificate Enrollment Web Service Account)
Selecting Service Accounts
Selecting Authentication Methods

Firewall Configuration

Diagram: ca.corp.contoso.com in the corp.contoso.com zone; cep.contoso.com and ces.contoso.com in the dmz.contoso.com zone.

End entities send all requests using SOAP (WS-*) over a TLS (HTTPS) secured transport (TCP 443)
Front-end firewall only needs to allow HTTPS traffic to pass through to CEP/CES
CEP to Active Directory traffic is LDAP (TCP 389 / 636)
CES to CA is DCOM; random ephemeral port by default, but configurable

Delegation (Certificate Enrollment Web Service Account)

Delegation is required if ...
CA is not on the same computer as the CES
CES is required to process full enrollment requests, not just renewal requests
The authentication type is Kerberos or Certificate Authentication

Delegation is not required if ...
CA and CES are on the same computer
The authentication type is Username and Password
CES is configured in Renewal-only mode

Selecting Service Account

Both CEP & CES must run as either a domain user or an application pool identity
Local users are not supported
Managed Service Accounts may be used

CES service account must be a member of the local IIS_IUSRS group

CES service account must have Request Certificates permission on the CA
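Added example (not from the session): preparing a CES service account for the case where delegation is required (CA on a separate host, full enrollment, Windows Integrated authentication). The account name, domain and CA host name are assumptions; the choice of the CA host's HOST and rpcss services as delegation targets is an assumption based on how CES reaches the CA over DCOM, and the final check confirms the account was not left with unconstrained delegation.

```powershell
# Added example, not from the session. Assumed names: CES service account 'svc-ces'
# in domain CORP, CA host 'ca.corp.contoso.com'. Run on the CES server with the
# ActiveDirectory module (RSAT) as an account allowed to edit the service account.
Import-Module ActiveDirectory

$cesAccount = 'svc-ces'
$caFqdn     = 'ca.corp.contoso.com'
$caShort    = ($caFqdn -split '\.')[0]

# Delegation is needed only when CES forwards full enrollment requests to a CA on
# another computer using Kerberos or certificate authentication. Constrain it to the
# CA's HOST and rpcss (DCOM) services so the account cannot delegate anywhere else.
$targets = @("HOST/$caFqdn", "HOST/$caShort", "rpcss/$caFqdn", "rpcss/$caShort")
Set-ADUser -Identity $cesAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }

# Kerberos-only constrained delegation: unconstrained delegation and protocol
# transition both stay off. Unconstrained delegation on a DMZ-facing service account
# would let a compromised CES impersonate callers to any service in the forest.
# Client certificate authentication would additionally need protocol transition
# (-TrustedToAuthForDelegation $true), since CES then holds no client Kerberos ticket.
Set-ADAccountControl -Identity $cesAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Session requirement: CES service account must be in the local IIS_IUSRS group.
# 'net localgroup' works on Windows Server 2008 R2, which lacks Add-LocalGroupMember.
# The Request Certificates permission on the CA is granted in the CA's Security
# settings and is not scripted here.
net localgroup IIS_IUSRS "CORP\$cesAccount" /add

# Verify the resulting state before exposing CES through the firewall.
$acct = Get-ADUser -Identity $cesAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($acct.TrustedForDelegation) { throw "$cesAccount still has unconstrained delegation" }
"Delegation targets for $($acct.SamAccountName):"
$acct.'msDS-AllowedToDelegateTo'
```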

Selecting Authentication Methods

Windows Integrated Authentication
Client Certificate Authentication
Username and Password

Anonymous authentication to the web services is not supported

Installation Requirements

Windows Server 2008 R2

Domain joined machine

Does not work with a Stand-alone CA

AD Forest must have Windows Server 2008 R2 Schema

Can co-exist with the CA, Web Enrollment, OCSP and NDES roles

Clients must be Windows 7 or Windows Server 2008 R2

A valid SSL certificate in the local computer store

Enterprise Admin privileges required for the installation

Demo: CEP/CES Configuration & Enrollment using CEP/CES

Sunil Kondapally, Senior Software Development Engineer, Active Directory Certificate Services

Network Device Enrollment Service (NDES)

Overview

NDES Enrollment Process
Understanding NDES Components
New Features
Entities Involved

NDES Enrollment Process

Diagram, with the entities Device, Administrator, NDES, Active Directory and CA:
1. Create Key (Device)
2A. Request Password (Administrator to NDES)
2B. Check Permissions (NDES against Active Directory)
3. Set Password (Administrator on Device)
4. Send Request (Device to NDES)
5. Send RA Request to CA (NDES to CA)
6. CA Issues Certificate
7. Return Certificate To Device

Understanding NDES Components

Virtual Directories
http://localhost/certsrv/mscep
http://localhost/certsrv/mscep_admin

Password Service

Certificates

New Features

UseSinglePassword Mode
Renewal without administrator interaction
Download updates:
Windows Server 2008: http://support.microsoft.com/kb/959193
Windows Server 2008 R2: http://support.microsoft.com/kb/2483564
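Added example (not from the session): two checks against the NDES virtual directories named above. The NDES host name is an assumption; mscep.dll under /certsrv/mscep with the standard SCEP GetCACaps query is how a SCEP client discovers the service's capabilities, and /certsrv/mscep_admin hands out challenge passwords, so an anonymous request to it should be refused.

```powershell
# Added example, not from the session. Assumed NDES host name 'ndes.corp.contoso.com'.
# Uses System.Net.WebClient so it also runs on the PowerShell 2.0 shipped with 2008 R2.
$NdesHost = 'ndes.corp.contoso.com'

function Get-NdesCaCaps {
    param([string]$HostName)
    # SCEP GetCACaps is unauthenticated and returns one capability per line
    # (for example POSTPKIOperation, Renewal, SHA-256).
    $url = "http://$HostName/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca"
    $wc = New-Object System.Net.WebClient
    ($wc.DownloadString($url) -split "`r?`n") | Where-Object { $_ -ne '' }
}

function Test-MscepAdminRequiresAuth {
    param([string]$HostName)
    # The admin page issues enrollment challenge passwords, so an anonymous GET
    # must be refused (HTTP 401). A 200 here means the password service is exposed.
    $wc = New-Object System.Net.WebClient   # no credentials: anonymous on purpose
    try {
        [void]$wc.DownloadString("http://$HostName/certsrv/mscep_admin/")
        return $false
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        return ($resp -ne $null -and [int]$resp.StatusCode -eq 401)
    }
}

$caps = Get-NdesCaCaps -HostName $NdesHost
"NDES capabilities on ${NdesHost}: $($caps -join ', ')"
if ($caps -notcontains 'POSTPKIOperation') {
    Write-Warning 'POSTPKIOperation not advertised: clients will fall back to GET-based PKIOperation requests'
}
if (-not (Test-MscepAdminRequiresAuth -HostName $NdesHost)) {
    Write-Warning "mscep_admin on $NdesHost answered an anonymous request; review IIS authentication on that virtual directory"
}
```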

Entities involved

NDES Administrator: account used to install the NDES role on a member server

NDES Service Account: account used by the NDES application pool

Device Administrator: account used to manage the devices

Demo: NDES Enrollment

Sunil Kondapally, Senior Software Development Engineer, Active Directory Certificate Services

Track Resources

Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.

You can also find the latest information about our products at the following links:

Windows Azure - http://www.microsoft.com/windowsazure/

Microsoft System Center - http://www.microsoft.com/systemcenter/

Microsoft Forefront - http://www.microsoft.com/forefront/

Windows Server - http://www.microsoft.com/windowsserver/

Cloud Power - http://www.microsoft.com/cloud/

Private Cloud - http://www.microsoft.com/privatecloud/

Resources

www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources (Learning)
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
http://northamerica.msteched.com: Connect. Share. Discuss.

Complete an evaluation on CommNet and enter to win!

Scan the Tag to evaluate this session now on myTech•Ed Mobile

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.