Articles > Windows Server
Printer Friendly Version
Views: 502

Windows Server, NDES, SCEP, Mosyle, and Azure VPN - issues and solutions

Last Updated: 3/5/24

 

 

Goal:

Install NDES on Windows Server 2022 so I can use SCEP with Mosyle MDM to Deploy Azure VPN (IKEv2) to my MacOS devices.

 

Problems I ran into:

  1. Installation and configuration errors when trying to install NDES.
  2. Error messages and no challenge key displayed when accessing NDES pages (i.e. MSCEP and MSCEP_Admin).
  3. Could not get MultiCert SCEP and VPN profile from Mosyle to deploy.
  4. Finally got profile to deploy, but VPN would not authenticate.

 

 

 

Solutions, Comments, Thoughts:

 

1) NDES install issues.

I was really frustrated with how many times the NDES configuration would fail after performing the NDES install. If the configuration failed, I would uninstall NDES, reboot, reinstall NDES. I could not figoure out a way to rerun the config from server manager. This made troubleshooting very time consuming. I eventually found in the event logs the PowerShell command that is being ran, so I did not have to uninstall NDES each time to reconfigure it. this was great! I could run a PowerShell command to remove and then install again.

PowerShell Command (You will have to adapt this to your environment):



Install-AdcsNetworkDeviceEnrollmentService -Force -ServiceAccountName "domain\svc-Account" -ServiceAccountPassword $pw -RAName "Company-Server-MSCEP-RA" -RACompany "CompanyName" -RADepartment "IT" -RAState "AA" -RACountry "US" -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength "2048" -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength "2048" -CAConfig "CA-Server.domainname.com\company-Root-CA" -Verbose

You can run Remove-AdcsNetworkDeviceEnrollmentService and then the install command again if it fails without having to reboot or run server manager.

For me the command kept failing. I gave the service account higher access (Manage CA) on the security tab of the properties screen on the CA server (not the NDES server). You can take this access away later.

 

2) MSCEP page errors.

Next the MSCEP pages would never work correctly for me. Until I followed the helpful idea on this site.

website: https://www.gradenegger.eu/en/the-network-device-enrollment-service-ndes-administration-website-certsrv-mscep_admin-reports-you-do-not-have-sufficient-permission-to-enroll-with-scep-please-contact-your-system-administrator/

Options 4 (handler mappings) and 5 (app pool settings) were the ones that worked for me.




 

Also, Mosyle only works with a static challenge password, so you have to set that in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword
DWord: UseSinglePassword = 1

 

3) Could not get Mosyle VPN profile to install.

Make sure your VPN SA key lifetimes are in MINUTES not seconds!

Also, save your SCEP profile, then save the multi-cert profile. then go back and edit the VPN profile inside the multi cert profile and choose the SCEP profile from the drop down list next to certificate based machine authentication.  Doing this in a different order will sometimes now show the SCEP profile in the drop down box.

 

4) VPN deploys but Won't authenticate

In the VPN profile (multi cert) After the cert type box (RSA) there are two server cert boxes, leave these blank unless you are verifying the server cert. This is NOT related to the subject of the cert being issues to the clients. I misunderstood that. The MacOS console is the only place I could find the VPN error message failed authentication. You get this message if the client or the server fails to authenticate.

 

 

 





Keywords: none