Rubix


NDES and SCEP for Intune: Part 3

Let’s start with some follow-up before moving on.  We need to set the SPN (Service Principal Name) for the NDES service account.

Log into your NDES server and open an elevated CMD prompt.  Type the following:

setspn -s http/<NDES-FQDN> domainName\NDESaccountName

Mine looks like this:

Close the CMD prompt when it completes.  Moving on…

Part 3:  IIS Binding, templates in the registry, and finally installing the connector

The Binding (NDES)

Now that we have the NDES client/server authentication cert issued to our NDES, we need to bind it to the IIS default site.  Log into the NDES server and launch the IIS Manager.  Navigate to the “Default Web Site” and on the far right, click Edit Site -> Bindings.

Click Add on the “Site Bindings” menu.

Make the following changes:

Type: https

Port: 443

IP address: All Unassigned

Host name: leave blank

SSL certificate: choose the certificate we just issued to the NDES at the end of Part 2

Click OK, and close the IIS manager.
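The same binding done from an elevated PowerShell prompt, as an added example that is not part of the original post.  It assumes the WebAdministration module that ships with the IIS role, that the certificate issued at the end of Part 2 sits in the local machine’s Personal store, and that `ndes.example.com` is a placeholder for your NDES FQDN.  It also checks that the chosen certificate really carries both the Server Authentication and Client Authentication EKUs the connector needs, since the wrong certificate is the most common reason the binding “works” but the connector install later refuses it.

```powershell
# Added example (not from the original post): create the HTTPS binding on the
# Default Web Site and attach the NDES client/server authentication certificate.
# Assumes the WebAdministration module and that the Part 2 certificate is in
# LocalMachine\My. 'ndes.example.com' is a placeholder for your NDES FQDN.
Import-Module WebAdministration

$ndesFqdn = 'ndes.example.com'

# EKU OIDs: Server Authentication and Client Authentication
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# Pick the newest cert for the NDES FQDN that has a private key and both EKUs
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$ndesFqdn*" -and $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate for $ndesFqdn with a private key and both Server/Client Authentication EKUs found in LocalMachine\My"
}

# Type: https, Port: 443, IP address: All Unassigned (*), Host name: blank
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the 0.0.0.0:443 SSL binding, replacing any existing one
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Verify: the thumbprint bound to 443 is the certificate we selected
$bound = Get-Item $sslPath
if ($bound.Thumbprint -ne $cert.Thumbprint) { throw 'SSL binding thumbprint mismatch' }
"Bound $($cert.Subject) ($($cert.Thumbprint)) to https://*:443"
```

If the script throws at the certificate lookup, the Part 2 template is usually the culprit (missing Client Authentication EKU or a key that was not marked exportable/private on this host); fix the template and re-enrol rather than binding a different certificate.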

Templates in the registry (NDES)

We must configure the registry so that NDES knows which cert template to use when a request comes in from the connector.  This can be defined specifically by the purpose of the cert, but to be safe, we’re going to configure all three available options.

On the NDES server, open the Registry Editor and navigate to the following path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

There are three values:

  • EncryptionTemplate

  • GeneralPurposeTemplate

  • SignatureTemplate

Edit each one to be the name of your NDES client cert template.
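The same registry change scripted and verified from an elevated PowerShell prompt, as an added example that is not part of the original post.  `NDESClientCert` is a placeholder for your template; note that the value NDES expects is the template’s internal Template name, not its display name, so the script first confirms that name exists under the Certificate Templates container in AD before writing it.

```powershell
# Added example (not from the original post): set all three MSCEP template
# values to the NDES client certificate template and verify the result.
# 'NDESClientCert' is a placeholder for your template's internal name.
$templateName = 'NDESClientCert'
$mscepPath    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$valueNames   = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

# Confirm the template exists in the forest's Configuration partition first;
# a typo here only surfaces later as a failed SCEP request from the connector.
$configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templateDN = "LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [ADSI]::Exists($templateDN)) {
    throw "Template '$templateName' not found at $templateDN (use the Template name, not the display name)"
}

if (-not (Test-Path $mscepPath)) {
    throw "MSCEP key not found; is the NDES role installed on this server?"
}

# Write the same template name into all three values
foreach ($name in $valueNames) {
    Set-ItemProperty -Path $mscepPath -Name $name -Value $templateName -Type String
}

# Read back and confirm every value now holds the template name
$props = Get-ItemProperty -Path $mscepPath
$wrong = $valueNames | Where-Object { $props.$_ -ne $templateName }
if ($wrong) { throw "Values not set as expected: $($wrong -join ', ')" }
"MSCEP templates set to '$templateName'"

# NDES reads these values when its application starts, so restart IIS on this
# host for the change to take effect (this restarts every site on the server).
iisreset
```

Running the verification part alone (the `Get-ItemProperty` read-back) is a quick health check to keep around: if someone later points one of the three values at a different template, the connector will still show as Active while device enrolment starts failing.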

Download the SCEP connector (Intune)

Log into https://endpoint.microsoft.com and navigate to Tenant administration -> Connectors and tokens -> Certificate connectors.  Click +Add and proceed to download the SCEP connector software.

Install the connector (NDES)

Copy the NDESConnectorSetup.exe over to your NDES server and launch the installer.  Click Next when the setup starts.

Accept the terms and click Next.

On the Installation options menu, select SCEP and PFX Profile Distribution.  Click Next.

If prompted to select a certificate, choose the certificate issued from the Web Server template we created earlier for client/server authentication, i.e. the same one we issued to the NDES.

When the install is complete, check the box for Launch Intune Connector and click Finish.

Click Sign In to authenticate to Azure.

Sign into Azure with global administrator credentials.

Once enrolled, click the “Advanced” tab and select Specify different account username and password.  Enter the NDES service account credentials.

Congratulations.  You’ve installed the Intune Certificate connector.  To validate, navigate back to the “Certificate Connectors” section of Intune.  You should see the healthy connector with an “Active” status.

As a great New Jersey man once said, “Ooh, we’re halfway there…” (well, technically, ¾ there).