NDES and SCEP for Intune: Part 2

Before we move on to Part 2, there are two tasks I should have included in Part 1.

First, we need to give the NDES service account permissions to request and issue certificates.  Log into the CA and launch the Certification Authority console.  Right click on the CA and click Properties.


On the “Security” tab, add the NDES account and check the boxes for Issue and Manage Certificates and Request Certificates permissions.


Head back to the NDES server.  Launch “Computer Management” and add the NDES account to the IIS_IUSRS group.


All good?  Terrific.  On to Part 2…

Part 2: IIS Filters, Azure App Proxy, and the Certificate with the external DNS

Configure Request Filtering (NDES)

Log into the NDES server and launch the IIS Manager.  Navigate to the “Default Web Site” and select Request Filtering.


Click Edit Feature Settings…


Change the value for Maximum URL length (Bytes) and Maximum query string (Bytes) to 65534.


The requests for certs coming through the Intune connector can get quite lengthy, and we don’t want them getting stuck at the door with the bouncer.

To further solidify those values, open the Registry Editor on the NDES server and navigate to COMPUTER\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters and add the following DWORD values:

  • Name: MaxFieldLength
    • Base: Decimal
    • Value data: 65534
  • Name: MaxRequestBytes
    • Base: Decimal
    • Value data: 65534
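As an added example that is not part of the original post, the same two changes (the IIS Request Filtering limits and the HTTP.sys registry values) can be applied and then read back for verification from PowerShell. The site name, registry path and the value 65534 are the ones used above; running the script elevated on the NDES server is assumed.

```powershell
# Added example (not from the original post): set and verify the NDES request-size
# settings from this section. Run in an elevated PowerShell session on the NDES server.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'   # site name as used in the post
$limit  = 65534                            # value used in the post
$filter = 'system.webServer/security/requestFiltering/requestLimits'

# IIS Request Filtering: "Maximum URL length (Bytes)" and "Maximum query string (Bytes)".
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name 'maxUrl'         -Value $limit
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name 'maxQueryString' -Value $limit

# HTTP.sys limits, so the kernel-mode listener does not reject a long SCEP request
# before IIS ever sees it.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $httpParams -Name $name -PropertyType DWord -Value $limit -Force | Out-Null
}

# Verify: read everything back and flag anything that does not match the intended value.
$iis = Get-WebConfiguration -PSPath $site -Filter $filter
$reg = Get-ItemProperty -Path $httpParams
$checks = [ordered]@{
    'IIS maxUrl'           = $iis.maxUrl
    'IIS maxQueryString'   = $iis.maxQueryString
    'HTTP MaxFieldLength'  = $reg.MaxFieldLength
    'HTTP MaxRequestBytes' = $reg.MaxRequestBytes
}
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value -eq $limit) { 'OK' } else { 'MISMATCH' }
    '{0,-22} {1,6}  {2}' -f $c.Key, $c.Value, $state
}

# HTTP.sys only reads the registry values when the HTTP service starts, so restart the
# NDES server (or the HTTP service and IIS) before testing long requests.
```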


Download the Azure App Proxy connector (Azure AD)

Log in to Azure AD with global administrator rights at https://aad.portal.azure.com and navigate to Azure Active Directory -> Application Proxy -> Download connector service.

Accept the terms and download.


Install the Azure App Proxy connector (NDES)

On the NDES server, launch the AADApplicationProxyConnectorInstaller.msi.  Agree to the terms and click “Install”.


When prompted, log in with Azure AD global administrator rights.


Assuming you know the password, you should be all set.


Go ahead and close the installer.

Add the on-premise application (Azure AD)

Log back into https://aad.portal.azure.com and make your way back to the app proxy.  You should now see the healthy connection as active and pointing to your NDES server.


Select + Configure an app.

Give the application a friendly name (I chose “SCEP”) and then specify the internal URL of your NDES server (http://FQDN).


Azure will automatically generate the external URL.  Copy that into a notepad or sticky, because we’re going to need it a few times later.

Set “Pre-Authentication” to Passthrough.  Leave the other values as defaults.  Click +Add when you’re done to save the application.

*Troubleshooting tip

Be sure the internal URL name does not have any wrong characters or spelling errors, as that will ruin the whole thing.  Like the brilliant mind that I am, I initially entered my internal URL as http://z0tndes.zerotouch.local and in reality, it is http://z0t-ndes.zerotouch.local.

That lack of a hyphen sank the whole ship later until I went back and corrected it.

Request the NDES certificate (NDES)

We’re going to use the same client/server authentication template we made originally, based on the web server template, both to authenticate the NDES to the CA and for the Intune SCEP connector in Part 3.

On your NDES server, launch MMC and add the local computer certificate snap-in.  Right click on “Personal” and select All Tasks -> Request New Certificate.


Select “Active Directory Enrollment Policy” and click Next.


Find the NDES template you made and click the “More information is required…” link.


For the “Subject name”, select Common name from the drop down.  Add the FQDN of your NDES server as the value and click Add >.

For “Alternative name”, select DNS from the drop down.  Again, add the FQDN as the value, and then add the external URL of the app proxy from the previous step as the second value.  It should look like this:


Select OK, and then check the box next to the template and hit Enroll.


The NDES server will now have the client/server authentication certificate in the “Personal” certificate store.

Alright, I think we’ve all earned a little rest before Part 3.  See you soon.

Steve Weiner