
Require SSL on NDES admin site via PowerShell

Microsoft's best practices for deploying Network Device Enrollment Service (available here) state:

“Always set up the administrator site with SSL-only configuration. (Disable http access to this site.)”

This is to protect the sensitive One Time Passwords that are transmitted between the server and the client’s browser.

The path that you want to require SSL for is: https://<FQDN of NDES Server>/certsrv/mscep_admin

Note that the path for NDES certificate requests should not be SSL-enabled: https://<FQDN of NDES Server>/certsrv/mscep/mscep.dll

If you have installed both the Network Device Enrollment Service and the Certificate Authority Web Enrollment role services, the virtual directory certsrv/mscep_admin is available in IIS Manager:


You can easily enable SSL via the GUI, here is one of many guides explaining how.

However, if you only install the Network Device Enrollment Service role service (and do not want to add Certificate Authority Web Enrollment), the virtual directory certsrv is not created in IIS:


This means that you cannot enable the SSL requirement via the IIS Manager GUI.

The web server still answers requests to this path, and you can see the virtual paths in the Applications view:


Unfortunately, the SSL requirement cannot be configured in the Applications view either.

The solution? Use PowerShell and the sslFlags setting.

To see the current SSL configuration on the CertSrv/mscep_admin site:

Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertSrv/mscep_admin' -filter system.webServer/security/access -name sslFlags


To require SSL for the CertSrv/mscep_admin site:


Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertSrv/mscep_admin' -filter system.webServer/security/access -name sslFlags -value Ssl


Note that the commands above do not include the name of the server, so they do not have to be modified to work in your NDES implementation (unless you manually chose a website other than Default Web Site for NDES). The location is quoted because the site name contains a space. Also note that you need a valid certificate installed on the server, and an https binding on the site, before requiring SSL, to avoid error messages in the browser.

Here is the output when the commands are executed:


Here is the result when accessing the NDES admin page over http after enabling the SSL requirement:



Accessing it via https works:


The path for NDES certificate requests still works over http:


To revert to the default configuration:


Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertSrv/mscep_admin' -filter system.webServer/security/access -name sslFlags -value None
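The steps above as one script, added here as an example (not code from the original post): it refuses to lock out the admin site when no certificate-backed https binding exists, applies the Ssl flag to mscep_admin only if it is not already set, and verifies that the mscep enrollment path still does not require SSL. It assumes the IIS WebAdministration module and NDES under "Default Web Site", as in the post.

```powershell
# Added example, not from the original post: make the NDES admin path SSL-only
# idempotently and verify the result, leaving the device enrollment path on http.
# Assumes the IIS WebAdministration module and NDES under "Default Web Site".
Import-Module WebAdministration

$Site      = 'Default Web Site'
$AdminPath = "$Site/CertSrv/mscep_admin"   # admin site: SSL-only
$ScepPath  = "$Site/CertSrv/mscep"         # device enrollment: must stay http-capable
$Access    = 'system.webServer/security/access'

function Get-SslFlags([string]$Location) {
    # -Location is passed as a variable because the site name contains a space
    [string](Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter $Access -Name sslFlags).Value
}

function Test-RequiresSsl([string]$Location) {
    # Match the standalone "Ssl" flag, not "SslNegotiateCert" or "SslRequireCert"
    (Get-SslFlags $Location) -match '\bSsl\b'
}

# 1. Do not lock yourself out: require a certificate-backed https binding first
$https = Get-WebBinding -Name $Site -Protocol https
if (-not $https -or -not ($https | Where-Object certificateHash)) {
    throw "No https binding with a certificate on '$Site'. Bind one before requiring SSL."
}

# 2. Require SSL on mscep_admin, same Set- cmdlet as the post, only if not already set
if (-not (Test-RequiresSsl $AdminPath)) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $AdminPath -Filter $Access -Name sslFlags -Value 'Ssl'
}

# 3. Verify: admin path requires SSL, enrollment path does not
if (-not (Test-RequiresSsl $AdminPath)) { throw "sslFlags not applied on $AdminPath" }
if (Test-RequiresSsl $ScepPath) { Write-Warning "$ScepPath requires SSL; SCEP devices may fail to enroll" }

"mscep_admin sslFlags : $(Get-SslFlags $AdminPath)"
"mscep       sslFlags : $(Get-SslFlags $ScepPath)"
```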
