NDES and SCEP for Intune: Part 3

Let’s start with some follow-up before moving on.  We need to set the SPN (Service Principal Name) for the NDES service account.

Log into your NDES server and open an elevated CMD prompt.  Type the following:

setspn -s http/<NDES-FQDN> domainName\NDESaccountName

Mine looks like this:

[Screenshot: setspn command and output]

Close the CMD prompt when it completes.  Moving on…

Part 3:  IIS Binding, templates in the registry, and finally installing the connector

The Binding (NDES)

Now that we have the NDES client/server authentication cert issued to our NDES, we need to bind it to the IIS default site.  Log into the NDES server and launch the IIS Manager.  Navigate to the “Default Web Site” and on the far right, click Edit Site -> Bindings.

Click Add on the “Site Bindings” menu.

Make the following changes:

Type: https

Port: 443

IP address: All Unassigned

Host name: leave blank

SSL certificate: choose the certificate we just issued to the NDES at the end of Part 2

Click OK, and close the IIS manager.
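The same binding can be created and verified from an elevated PowerShell prompt instead of the IIS Manager GUI. This is an added example, not part of the original post: it assumes the Part 2 certificate is in the Local Machine Personal store with its private key, and the FQDN in $NdesFqdn is a placeholder you must replace with your own.

```powershell
# Added example (not from the original post): create the https binding on the
# Default Web Site and attach the NDES certificate from Part 2.
# ASSUMPTIONS: WebAdministration module is available (it ships with IIS),
# the certificate lives in Cert:\LocalMachine\My, and $NdesFqdn is a placeholder.
Import-Module WebAdministration

$NdesFqdn = 'ndes.contoso.example'   # placeholder: replace with your NDES FQDN
$SiteName = 'Default Web Site'

# Pick the newest certificate for the NDES FQDN that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$NdesFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate for $NdesFqdn with a private key found in LocalMachine\My"
}

# Type: https, Port: 443, IP address: All Unassigned ('*'), Host name: blank.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the binding. 0.0.0.0!443 is "all unassigned, port 443".
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Verify: the binding should now carry our thumbprint.
$bound = Get-Item $sslPath
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw "SSL binding thumbprint does not match the selected certificate"
}
"Bound {0} (expires {1:yyyy-MM-dd}) to {2} on 443" -f $cert.Subject, $cert.NotAfter, $SiteName
```

The final check matters because a stale binding from an earlier certificate on the same port silently wins over the one you meant to use; comparing thumbprints confirms the connector will present the Part 2 certificate.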

Templates in the registry (NDES)

We must configure the registry so that NDES knows which cert template to use when a request comes in from the connector.  This can be set separately for each certificate purpose (encryption, signature, or general purpose), but to be safe, we’re going to configure all three available values.

On the NDES server, open the Registry Editor and navigate to the following path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

There are three values:

  • EncryptionTemplate

  • GeneralPurposeTemplate

  • SignatureTemplate

Edit each one to be the name of your NDES client cert template.
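The three values can also be set and read back from an elevated PowerShell prompt. This is an added example, not part of the original post; the template name in $TemplateName is a placeholder for your own NDES client certificate template.

```powershell
# Added example (not from the original post): point all three MSCEP template
# values at the NDES client certificate template, then verify them.
# ASSUMPTION: $TemplateName is a placeholder. Use the template *name* from the
# template's General tab, not its display name; NDES matches on the name.
$TemplateName = 'NDESClientCert'   # placeholder: replace with your template name
$MscepPath    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$ValueNames   = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

if (-not (Test-Path $MscepPath)) {
    throw "MSCEP key not found; is the NDES role installed on this server?"
}

# Write all three values as REG_SZ strings.
foreach ($name in $ValueNames) {
    Set-ItemProperty -Path $MscepPath -Name $name -Value $TemplateName -Type String
}

# Read back and report any value that does not match what we intended.
$props = Get-ItemProperty -Path $MscepPath
$mismatch = $false
foreach ($name in $ValueNames) {
    $actual = $props.$name
    $status = if ($actual -eq $TemplateName) { 'OK' } else { $mismatch = $true; 'MISMATCH' }
    '{0,-24} {1,-30} {2}' -f $name, $actual, $status
}
if ($mismatch) { throw "One or more MSCEP template values were not set as expected" }

# NDES reads these values when its application pool starts, so restart IIS.
iisreset
```

The iisreset at the end is the step most often forgotten: NDES caches the template names at startup, so an edited registry value has no effect on incoming requests until the application pool is recycled.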

Download the SCEP connector (Intune)

Log into https://endpoint.microsoft.com and navigate to Tenant administration -> Connectors and tokens -> Certificate connectors.  Click +Add and proceed to download the SCEP connector software.

Install the connector (NDES)

Copy the NDESConnectorSetup.exe over to your NDES server and launch the installer.  Click Next when the setup starts.

Accept the terms and click Next.

On the Installation options menu, select SCEP and PFX Profile Distribution.  Click Next.

If prompted to select a certificate, choose the certificate issued from the Web Server template we created earlier for client/server authentication, the same one we issued to the NDES.

When the install is complete, check the box for Launch Intune Connector and click Finish.

Click Sign In to authenticate to Azure.

Sign in to Azure with global administrator credentials.

Once enrolled, click the “Advanced” tab and select Specify different account username and password.  Enter the NDES service account credentials.

Congratulations.  You’ve installed the Intune Certificate connector.  To validate, navigate back to the “Certificate Connectors” section of Intune.  You should see the healthy connector with an “Active” status.

As a great, New Jersey man once said, “Ooh, we’re half way there…” (well technically, ¾ there).

Steve Weiner