NDES - Reusing a password for multiple devices


  • Hi there,

    I have a requirement to use NDES to issue certificates to a new Blackberry 10 fleet via SCEP. It appears that the Blackberry server assumes the Challenge returned from NDES will never change. Consequently I have followed the steps outlined in the following article to reuse the same challenge password for multiple devices.... but it doesn't work:

    1. Configure service to function in a single-password mode by creating a REG_DWORD value UseSinglePassword and setting it to 0x1.
    2. Give Full Control permission to the account used to run NDES for the HKEY_LOCAL_MACHINE\Microsoft\Cryptography\MSCEP registry key. This step is only required if you have installed the KB959193 hotfix.
    3. In the IIS Manager snap-in, navigate to the SCEP application pool and in Advanced Settings set Load User Profile to true.
    4. If you’ve configured NDES to run under some user account, log on interactively with that user account onto the machine where NDES is installed to force creation of a user profile for that account. This is a one-time operation; the user doesn’t need to stay interactively logged on while NDES is running. To prepare the NDES service account profile:
    • On the NDES server, open Internet Information Services (IIS) Manager. 
    • In the Connections pane, expand the Web server running the NDES service. 
    • In the Connections pane, click Application Pools. 
    • In the Application Pools pane, click SCEP. 
    • In the Actions pane, click Advanced Settings. 
    • In the Advanced Settings dialog box, under Process Model, configure Load User Profile to True. Click OK. 
    • In Application Pools, right-click SCEP and then click Stop. 
    • Sign off the NDES server. 
    • Sign on using the NDES user account. The NDES service account user profile is created. 
    • Sign off the NDES server. 
    • Sign on the NDES server using an account that is a member of local Administrators. 
    • Open Internet Information Services (IIS) Manager, expand the Web server object, and then select Application Pools
    • In the Application Pools pane, right-click SCEP and then click Start

    But every time I hit the Admin web page, it provides me a unique enrollment challenge password which is valid for 60 minutes.... it refuses to stay the same.

    My NDES server is Windows 2008 R2. Has anyone got any ideas what could be causing this capability to malfunction?

    Regards, James.

    James Frost

    Monday, 22 July 2013 02:26
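The steps above change three separate things (a registry value, a registry ACL, and an IIS application pool setting), and a profile that was never created for the service account is a common silent failure. The following PowerShell audit script is an added example, not part of the original thread or of Microsoft's NDES documentation; it only reads state and reports which of the four prerequisites is not met. It assumes the registry key lives at HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP (the post writes the path without the SOFTWARE segment), that the application pool is named SCEP as in the post, and that the WebAdministration module is available on the NDES server; the account name is a placeholder to replace.

```powershell
# Added audit script (not from the original post): read-only check of the
# four prerequisites for NDES single-password mode described above.
# ASSUMPTIONS: key path, pool name and account name are parameters; adjust
# them to match the server being checked.
param(
    [string]$MscepKey   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP',
    [string]$PoolName   = 'SCEP',
    [string]$NdesAccount = 'DOMAIN\svc_ndes'   # placeholder, replace
)

$results = @()

# 1. UseSinglePassword REG_DWORD must exist and be 1 (the post's step 1).
$value = (Get-ItemProperty -Path $MscepKey -ErrorAction SilentlyContinue).UseSinglePassword
$results += [pscustomobject]@{
    Check  = 'UseSinglePassword = 1'
    Passed = ($value -eq 1)
    Detail = if ($null -eq $value) { 'value not present' } else { "value is $value" }
}

# 2. The NDES service account must hold Full Control on the MSCEP key (step 2).
$acl = Get-Acl -Path $MscepKey -ErrorAction SilentlyContinue
$fullControl = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $NdesAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::FullControl) -eq
        [System.Security.AccessControl.RegistryRights]::FullControl
}
$results += [pscustomobject]@{
    Check  = "Full Control on MSCEP key for $NdesAccount"
    Passed = [bool]$fullControl
    Detail = if ($fullControl) { 'ACE present' } else { 'no Full Control ACE for that account' }
}

# 3. The application pool must run with Load User Profile = True (step 3).
Import-Module WebAdministration -ErrorAction Stop
$pool = Get-Item "IIS:\AppPools\$PoolName" -ErrorAction SilentlyContinue
$loadProfile = if ($pool) { [bool]$pool.processModel.loadUserProfile } else { $false }
$results += [pscustomobject]@{
    Check  = "App pool $PoolName Load User Profile = True"
    Passed = $loadProfile
    Detail = if ($pool) { "identity=$($pool.processModel.identityType) user=$($pool.processModel.userName)" }
             else { 'application pool not found' }
}

# 4. A local user profile must already exist for the service account (step 4).
#    Win32_UserProfile is used because Get-CimInstance is absent on PowerShell 2.0.
$sid = (New-Object System.Security.Principal.NTAccount($NdesAccount)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
$profile = Get-WmiObject -Class Win32_UserProfile -Filter "SID='$sid'" -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = "User profile exists for $NdesAccount"
    Passed = [bool]$profile
    Detail = if ($profile) { $profile.LocalPath } else { 'no profile; log on interactively once' }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'At least one single-password prerequisite is not met; recycle the pool after fixing.'
}
```

Run it elevated on the NDES server after substituting the account name. A prerequisite that the script reports as missing is the first place to look before suspecting the Blackberry side; note that if every check passes and the challenge still rotates, the remaining variable is the exact registry location the NDES build expects, which this script only checks at the path passed in.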

All replies