How to define challenge password (SCEP) manually in windows 2008 Enterprise CA

    Question

  • Reference doc (I can't paste the link, so I'll just list the doc name):
    Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)

    ==

    The doc says this one-time password is random.

    We can modify the registry to change the password length and validity time.

    But I can't find how to define this password manually.

    e.g. I want to set 3 passwords in the password list/cache: aaaaa, bbbb, cccc.

    Does someone know how to do this?

    Thanks.


    • Edited by dognull Friday, December 07, 2012 1:26 AM change some word
    Friday, December 07, 2012 1:24 AM

Answers

  • The password generated by NDES/SCEP is part of the authentication/authorization process implemented in SCEP. A device admin accesses the SCEP admin page and receives a temporary/one-time password. The password is used on the device to authorize the certificate request.

    By using a static password, you are going to mix different sessions and break the whole authorizations/security model!

    /Hasain

    Monday, December 10, 2012 10:20 PM

All replies

  • Hi,

    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Kevin
    Thursday, December 13, 2012 1:48 AM
  • I am a bit late to this post, but I wanted to point out that a single, static SCEP password is common in the SMB market. In order to configure it:

    1. Configure the service to function in single-password mode by creating a REG_DWORD value UseSinglePassword and setting it to 0x1.
    2. Give Full Control permission to the account used to run NDES for the HKEY_LOCAL_MACHINE\Microsoft\Cryptography\MSCEP registry key. This step is only required if you have installed the KB959193 hotfix.
    3. In the IIS Manager snap-in, navigate to the SCEP application pool and in Advanced Settings set Load User Profile to true.
    4. If you’ve configured NDES to run under some user account, log on interactively with that user account onto the machine where NDES is installed to force creation of a user profile for that account. This is a one-time operation; the user doesn’t need to stay interactively logged on while NDES is running.

    After the above steps are complete, NDES will use only one password for all certificate requests. This password can be obtained in the same way as a one-time password by going to the admin page of the NDES. Administrators can deploy that password to their devices in an automated way.


    • Proposed as answer by Elke Stangl Thursday, June 05, 2014 11:06 AM
    Thursday, June 05, 2014 12:05 AM
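The following PowerShell is an added example, not code from the thread or from Microsoft. It audits whether an NDES server is running in the single-password mode described in the last reply (the registry value and the IIS application-pool setting, which are the two machine-checkable steps) and, optionally, switches it on with -WhatIf/-Confirm support. It assumes the MSCEP key lives at HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP (the reply above omits the SOFTWARE component) and that the NDES application pool is named "SCEP"; both are parameters so they can be overridden. The ACL step (2) and the interactive logon step (4) are left as manual steps and only reported.

```powershell
# Added example (not from the thread). Assumptions, both overridable:
#   - the NDES registry key is HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP
#   - the NDES IIS application pool is named "SCEP"
Import-Module WebAdministration -ErrorAction Stop

function Get-NdesPasswordMode {
    [CmdletBinding()]
    param(
        [string]$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP',
        [string]$AppPool  = 'SCEP'
    )

    # Step 1 of the reply: UseSinglePassword REG_DWORD = 1. Absent value means the
    # default one-time-password mode.
    $reg = Get-ItemProperty -Path $MscepKey -ErrorAction SilentlyContinue
    $useSingle = 0
    if ($reg -and $reg.PSObject.Properties['UseSinglePassword']) {
        $useSingle = [int]$reg.UseSinglePassword
    }

    # Step 3 of the reply: Load User Profile on the SCEP application pool.
    $poolPath = "IIS:\AppPools\$AppPool"
    $loadProfile = $null
    $identity    = $null
    if (Test-Path $poolPath) {
        $pm = Get-ItemProperty -Path $poolPath -Name processModel
        $loadProfile = [bool]$pm.loadUserProfile
        $identity    = "$($pm.identityType) $($pm.userName)".Trim()
    }

    [pscustomobject]@{
        RegistryKey        = $MscepKey
        UseSinglePassword  = $useSingle
        SingleModeEnabled  = ($useSingle -eq 1)
        AppPool            = $AppPool
        AppPoolFound       = (Test-Path $poolPath)
        LoadUserProfile    = $loadProfile
        AppPoolIdentity    = $identity
        # A static password is a long-lived shared secret: flag it for review.
        Risk               = if ($useSingle -eq 1) { 'Shared static enrollment password in use' } else { 'One-time passwords (default)' }
    }
}

function Enable-NdesSinglePassword {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP',
        [string]$AppPool  = 'SCEP'
    )

    if ($PSCmdlet.ShouldProcess($MscepKey, 'Set UseSinglePassword = 1 (REG_DWORD)')) {
        New-ItemProperty -Path $MscepKey -Name UseSinglePassword `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }

    $poolPath = "IIS:\AppPools\$AppPool"
    if (Test-Path $poolPath) {
        if ($PSCmdlet.ShouldProcess($poolPath, 'Set processModel.loadUserProfile = true')) {
            Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true
        }
    } else {
        Write-Warning "Application pool '$AppPool' not found; set Load User Profile manually."
    }

    # Steps 2 and 4 from the reply are not automated here.
    Write-Warning 'Manual follow-up: grant the NDES service account Full Control on the MSCEP key (if KB959193 is installed), and log on once interactively as that account so its profile exists.'
    Get-NdesPasswordMode -MscepKey $MscepKey -AppPool $AppPool
}

# Usage (read-only audit):
Get-NdesPasswordMode | Format-List
# To switch modes after review:
# Enable-NdesSinglePassword -WhatIf
# Enable-NdesSinglePassword -Confirm
```

Get-NdesPasswordMode is safe to run on a schedule from a management host; the Risk field makes it easy to alert on any NDES server that has drifted into single-password mode without a change record, which is the concern Hasain raises above.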