Require SSL on NDES admin site via PowerShell
Microsoft's Best Practices for deploying Network Device Enrollment Service (available here) state:
“Always set up the administrator site with SSL-only configuration. (Disable http access to this site.)”
This is to protect the sensitive One Time Passwords that are transmitted between the server and the client’s browser.
The path that you want to enable the SSL requirement for is: https://<FQDN of NDES Server>/certsrv/mscep_admin
Note that the path for NDES certificate requests should not be SSL enabled: https://<FQDN of NDES Server>/certsrv/mscep/mscep.dll
If you have installed both the Network Device Enrollment Service and the Certificate Authority Web Enrollment role services, the virtual directory certsrv/mscep_admin is available in IIS Manager:
You can easily enable SSL via the GUI, here is one of many guides explaining how.
However, if you only install the Network Device Enrollment Service role service (and do not want to add Certificate Authority Web Enrollment), the virtual directory certsrv is not created in IIS:
This means that you cannot enable SSL requirement via the IIS Manager GUI.
The web server still answers requests to this path, and you can see the virtual paths in the Applications view:
But unfortunately you cannot configure SSL requirement in the Applications view.
The solution? Use PowerShell and the sslFlags setting.
To see the current SSL configuration on the CertSrv/mscep_admin site:
Get-WebConfigurationProperty -pspath MACHINE/WEBROOT/APPHOST -location 'Default Web Site/CertSrv/mscep_admin' -filter system.webServer/security/access -name sslFlags
To require SSL for the CertSrv/mscep_admin site:
Set-WebConfigurationProperty -pspath MACHINE/WEBROOT/APPHOST -location 'Default Web Site/CertSrv/mscep_admin' -filter system.webServer/security/access -name sslFlags -value Ssl
Note that the commands above do not include the name of the server, so they do not have to be modified to work in your NDES implementation (unless you manually chose a website other than Default Web Site for NDES). Also note that you need a valid certificate installed on the server before requiring SSL, to avoid error messages in the browser.
Here is the output when the commands are executed:
Here is the result when accessing the NDES admin page over http, after enabling SSL requirement:
Accessing it via https works:
The path for NDES certificate requests still works over http:
To revert back to the default configuration:
Set-WebConfigurationProperty -pspath MACHINE/WEBROOT/APPHOST -location 'Default Web Site/CertSrv/mscep_admin' -filter system.webServer/security/access -name sslFlags -value None
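Putting the commands above together, as an added example that is not from the original post: the script below first checks that an https binding exists on the site (the certificate caveat above), then requires SSL on mscep_admin only, and finally verifies that mscep_admin requires SSL while the mscep request path still allows http. It assumes NDES lives under Default Web Site and uses only cmdlets from the IIS WebAdministration module.

```powershell
# Added example (not from the original post). Assumes NDES is on "Default Web Site".
Import-Module WebAdministration

$site      = 'Default Web Site'
$adminPath = "$site/CertSrv/mscep_admin"   # carries One Time Passwords: must require SSL
$scepPath  = "$site/CertSrv/mscep"         # device enrollment path: must keep working over http
$filter    = 'system.webServer/security/access'

function Get-SslFlags([string]$Location) {
    # Returns the sslFlags value ("None", "Ssl", ...) for the given IIS location.
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter $filter -Name sslFlags
    if ($p -is [string]) { return $p } else { return [string]$p.Value }
}

# Refuse to lock down the admin site if no https binding exists; otherwise the
# admin page becomes unreachable rather than protected.
$httpsBinding = Get-WebBinding -Name $site -Protocol https
if (-not $httpsBinding) {
    throw "No https binding on '$site'. Bind a valid server certificate before requiring SSL."
}

Write-Host "Before: mscep_admin=$(Get-SslFlags $adminPath)  mscep=$(Get-SslFlags $scepPath)"

# Require SSL on the admin path only (same setting the post applies by hand).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $adminPath `
    -Filter $filter -Name sslFlags -Value 'Ssl'

$admin = Get-SslFlags $adminPath
$scep  = Get-SslFlags $scepPath
Write-Host "After:  mscep_admin=$admin  mscep=$scep"

# Verify the end state: admin requires SSL, enrollment path is untouched.
if ($admin -notmatch 'Ssl') { throw "mscep_admin still allows http (sslFlags=$admin)" }
if ($scep  -match   'Ssl') { throw "mscep requires SSL (sslFlags=$scep); http enrollment would break" }
```

Run it in an elevated PowerShell session on the NDES server; the same Set-WebConfigurationProperty call with -Value 'None' reverts the change.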