What is NDES?

The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). You can read an overview and details about the service by reviewing Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS).

What is MDM?

NDES can also be used in conjunction with some Mobile Device Management (MDM) software to deploy certificates to mobile devices. For detailed steps about configuring the service, refer to Configure the Network Device Enrollment Service.

NDES does not perform any identity verification of the requester. An MDM solution extends NDES with functionality it was not designed for, so additional identity verification methods are highly recommended.

Warning: SCEP was designed to be used in a closed network where all endpoints are trusted. The warnings from CERT in the article "Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests" should be considered when implementing the NDES service. If an application utilizes SCEP, it should provide its own strong authentication.

Can I cluster NDES?

This is not a simple task, and there is no out-of-the-box option to cluster or load balance NDES. NDES creates a unique one-time passphrase that is used for enrollment, and because that passphrase is held only by the server that created it, there is no guarantee that a requesting device will contact the same NDES server that created the password.

In addition, NDES does not have a database; hence clustering using Microsoft Clustering Services is not an option. Furthermore, clustering and load balancing NDES are not currently supported by Microsoft.

Our network load balancing hardware/software lets the network pick a higher-affinity active node and then fail over to a passive node during an outage. Will this solution suffice as a workaround for NDES load balancing?

This solution can work as long as the active node stays up. However, if the active node generates the one-time passphrase and then fails, devices will fail enrollment because the second node does not have the passphrase.

Can I use a single password or passphrase for device enrollment?

Yes, but this is an insecure configuration: anyone who obtains the single passphrase can use it to enroll any device for certificates, which defeats the purpose of using certificates to allow only approved devices on your network.

NDES allows the generation of 5 unique passwords every 60 minutes by default. Using the single password option also requires adding the SinglePassword registry key. Refer to Configuring NDES for more information about the various NDES configuration options.

Can I use a Static Passphrase across multiple NDES servers and then load balance them?

Yes, but this solution makes your NDES deployment less secure, for the same reasons given in the answer to Can I use a single password or passphrase for device enrollment? In addition, this method is not supported by Microsoft.

Can I use a Clustered Certification Authority behind a server running NDES?

Yes. You can also install multiple NDES servers pointing to the same Clustered Certification Authority.

Can I install the NDES role on a Clustered Certification Authority?

You can install it on any of the Certification Authority cluster nodes, and then point the NDES configuration to the Clustered Certification Authority to request certificates. This will not provide service high availability or load balancing. It is recommended to install the Network Device Enrollment Service on a separate member server if you already have a clustered CA.

How many passwords can NDES generate?

NDES generates 5 passwords that are cached for 60 minutes by default. This means that the device has to complete its enrollment process within 60 minutes of the password generation before the password expires.

NDES can’t generate more passwords after the fifth until at least one device has completed the enrollment process. Consider the following scenario:

An administrator requests 5 passwords for 5 different devices. The 5 passwords are valid for 60 minutes. If, within those 60 minutes, the administrator is asked to generate a new password for a sixth device, the NDES service will fail to generate it because none of the five devices has completed the enrollment process.

In the same scenario, if the administrator has completed at least one device enrollment, the NDES service can generate a new password for the sixth device.

The defaults can be changed using the PasswordValidity and PasswordMax registry keys, which are documented in Configuring NDES.
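
The password cache behavior described in this answer, together with the failover case from the load balancing answer above, as an added model (not Microsoft's NDES code): a constructed Python simulation in which each server holds its own cache of at most PasswordMax one-time passwords, each valid for PasswordValidity minutes; the password format and the fake minute clock are constructed, and it assumes, as the FAQ states, that a failed enrollment cannot be retried with the same password.

```python
import secrets

class NdesPasswordCache:
    """Constructed model of one NDES server's one-time password cache. Defaults
    mirror the FAQ (PasswordMax=5, PasswordValidity=60 min); `now` is minutes."""

    def __init__(self, password_max=5, password_validity=60):
        self.password_max = password_max
        self.password_validity = password_validity
        self._cache = {}  # password -> minute it was issued

    def _expire(self, now):
        self._cache = {p: t for p, t in self._cache.items()
                       if now - t < self.password_validity}

    def generate(self, now):
        self._expire(now)
        if len(self._cache) >= self.password_max:
            return None  # FAQ: a 6th password fails while 5 are outstanding
        pw = secrets.token_hex(8)  # constructed format, not NDES's real one
        self._cache[pw] = now
        return pw

    def enroll(self, pw, now, succeeds=True):
        """Consume the password; only the node that issued it knows it."""
        self._expire(now)
        if self._cache.pop(pw, None) is None:
            return False  # expired, already used, or issued by another node
        return succeeds

def sixth_device_scenario():
    """Five outstanding passwords block a sixth until one enrollment completes."""
    ndes = NdesPasswordCache()
    pws = [ndes.generate(now=0) for _ in range(5)]
    blocked = ndes.generate(now=10) is None
    ndes.enroll(pws[0], now=15)
    return blocked, ndes.generate(now=20) is not None

def expiry_and_retry_scenario():
    """A password expires at 60 minutes; a failed enrollment is not retryable."""
    ndes = NdesPasswordCache()
    stale, fresh = ndes.generate(now=0), ndes.generate(now=30)
    first = ndes.enroll(fresh, now=35, succeeds=False)
    return ndes.enroll(stale, now=61), first, ndes.enroll(fresh, now=36)

def failover_scenario():
    """A password issued by the active node is unknown to the passive node."""
    active, passive = NdesPasswordCache(), NdesPasswordCache()
    pw = active.generate(now=0)
    return passive.enroll(pw, now=1)
```

Raising password_max or password_validity in the model shows the trade-off the registry keys control: more outstanding passwords and longer validity windows mean more unconsumed credentials waiting on the server at any time.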

If a device fails the enrollment process, can I retry the enrollment process using the same passphrase?

No, you need to repeat the entire enrollment process.

What kind of certificate templates can I use with NDES?

You can use templates intended for computers only – user templates cannot be enrolled using NDES.

Which certificate template versions should I use with NDES?

You can use Version 1 through Version 3 certificate templates. The template version you can use depends on whether the device supports a Cryptographic Service Provider (CSP) or a Key Storage Provider (KSP). If the device supports a CSP, you can use Version 1 and Version 2 templates. If the device supports a KSP, you can use Version 3 templates. Consult your device’s vendor to determine which provider is supported.
