Require SSL on NDES admin site via PowerShell

Best Practices from Microsoft when deploying Network Device Enrollment Service (available here) states:

“Always set up the administrator site with SSL-only configuration. (Disable http access to this site.)”

This is to protect the sensitive One Time Passwords that are transmitted between the server and the client’s browser.

The path that you want to enable SSL requirement for is:
https://<FQDN of NDES Server>/certsrv/mscep_admin

Note that the path for NDES certificate requests should not be SSL enabled:
https://<FQDN of NDES Server>/certsrv/mscep/mscep.dll

If you have installed both the Network Device Enrollment Service and the Certificate Authority Web Enrollment role services, the virtual directory certsrv/mscep_admin is available in IIS Manager:

image

You can easily enable SSL via the GUI, here is one of many guides explaining how.

However, if you only install the Network Device Enrollment Service role service (and do not want to add Certificate Authority Web Enrollment), the virtual directory certsrv is not created in IIS:

image

This means that you cannot enable SSL requirement via the IIS Manager GUI.

The web server still answers requests to this path, and you can see the virtual paths in the Applications view:

image

But unfortunately you cannot configure SSL requirement in the Applications view.

The solution? Use PowerShell and the sslFlags setting.

To see the current SSL configuration on the CertSrv/mscep_admin site:

Get-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location ‘Default Web Site/CertSrv/mscep_admin’ -filter “system.webServer/security/access” -name “sslFlags”

 

To require SSL for the CertSrv/mscep_admin site:

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location ‘Default Web Site/CertSrv/mscep_admin’ -filter “system.webServer/security/access” -name “sslFlags” -value “Ssl”

 

Note that the commands above do not include the name of the server, so they do not have to be modified to work in your NDES implementation (unless you manually chose another website than Default Web Site for NDES). Also note that you need a valid certificate installed on the server before requiring SSL to avoid error messages in the browser.

Here is the output when the commands are executed:

clip_image001

Here is the result when accessing the NDES admin page over http, after enabling SSL requirement:

 

image

Accessing it via https works:

image

The path for NDES certificate requests still works over http:

image

To revert back to the default configuration:

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location ‘Default Web Site/CertSrv/mscep_admin’ -filter “system.webServer/security/access” -name “sslFlags” -value “None”

Advertisements
This entry was posted in CA, Certificates, NDES, PKI, SCEP and tagged , , , . Bookmark the permalink.

6 Responses to Require SSL on NDES admin site via PowerShell

  1. Milan Banjac says:

    Hi Tom!
    Thank you for this post, I tried to follow the steps (execute the powershell command for enabling SSL for MSCEP site) but with no success. The appropriate certificate is placed on the server.
    After executing the command and rebooting the server it does not listen on port 443 at all (local Windows firewall has a permit rule for World Wide Web Services HTTPS Traffic-In).
    Can you please advise how can we treoubleshoot this issue?
    Thank you!

  2. Linda Smith says:

    Hi, what are the certificate requirements for this? I have NDES setup, and all is working fine via http and I can see the virtual paths under Applications on my default site, but when I enable SSL, the page will not load?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s