Session Agenda
- Introduce the Certificate Enrollment Web Services
  - CEP (Certificate Enrollment Policy Web Service)
  - CES (Certificate Enrollment Web Service)
- CES/CEP Deployment Scenarios
- Designing a Certificate Enrollment Web Services Infrastructure
- CES/CEP Installation Requirements
- Understand Network Device Enrollment Service (NDES)
Pre-requisites
- General understanding of PKI
- General understanding of Windows Server 2008 Active Directory Certificate Services (ADCS)
PKI Challenges in Enterprises
- Extranet requirements: mobile and remote workers are not always on the corporate network
- Managing non-domain-joined machines: employee home machines, non-domain workstations and servers
- PKI complexity: the more complex the AD deployment, the more complex the PKI becomes (multiple forests, multiple CAs)
Certificate Enrollment Without CEP/CES (diagram)
Components: Certificate Authority, Active Directory, Client Workstations.
Flows (numbered 1-4 in the diagram): client workstations talk to Active Directory over LDAP and to the Certificate Authority over RPC/DCOM.
PKI Challenges in Enterprises: How do we solve them?
Two web enrollment role services in Windows Server 2008 R2 enable certificate policy retrieval and certificate enrollment over HTTPS:
- Certificate Enrollment Policy Web Service (CEP)
- Certificate Enrollment Web Service (CES)
Certificate Enrollment With CEP/CES (diagram)
Components: Certificate Authority, Active Directory, Certificate Enrollment Policy Web Service (CEP), Certificate Enrollment Web Service (CES), and client workstations configured with a certificate enrollment policy (Windows 7 and Windows Server 2008 R2 only).
Flows (numbered 1-8 in the diagram): clients reach CEP and CES over HTTPS only; CEP retrieves policies from Active Directory over LDAP; clients send the certificate request to CES, which forwards it to the Certificate Authority over RPC/DCOM and returns the issued certificate.
Deployment Scenarios
- Single Forest
- Forest Consolidation: allows organizations with multiple forests to consolidate their PKI by eliminating the requirement for per-forest CA deployments
- Extranet: allows users and computers outside the corporate network (Internet) to enroll for certificates
- Renewal-Only Mode: allows certificates to be renewed only (no new enrollment) over the Internet
Designing a Certificate Enrollment Web Services Infrastructure
- Firewall Configuration
- Delegation (Certificate Enrollment Web Service Account)
- Selecting Service Accounts
- Selecting Authentication Methods
Firewall Configuration
Example topology (diagram): ca.corp.contoso.com in corp.contoso.com; cep.contoso.com and ces.contoso.com in dmz.contoso.com.
- End entities send all requests using SOAP (WS-*) over a TLS (HTTPS) secured transport (TCP 443)
- The front-end firewall only needs to allow HTTPS traffic to pass through to CEP/CES
- CEP to Active Directory traffic is LDAP (TCP 389 / 636)
- CES to CA is DCOM: random ephemeral ports by default, but configurable
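One way to make the CES-to-CA DCOM traffic firewall-friendly, as an added PowerShell example that is not part of the session: it pins the CA host's RPC dynamic port range using the HKLM\Software\Microsoft\Rpc\Internet layout from KB154596 (cited under Related Content) and then opens only that range, plus the endpoint mapper, from the CES host. The port range 5000-5100 and the CES address 10.0.1.20 are constructed values.

```powershell
# Added example (not from the session): on the CA host, pin the RPC/DCOM
# dynamic port range so the firewall between CES and the CA can be opened
# for a known range instead of every ephemeral port. Follows the
# HKLM\Software\Microsoft\Rpc\Internet layout from KB154596.
# Constructed values: port range 5000-5100, CES host address 10.0.1.20.
# Run elevated on the CA; the RPC runtime reads the new range after a reboot.
$RpcKey     = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$PortRange  = '5000-5100'
$CesAddress = '10.0.1.20'

function Set-RpcInternetPortRange {
    param([string]$Range)
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ (one range per entry); the two flags are REG_SZ 'Y'.
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
    # Read back so the change can be reviewed before the reboot.
    Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

function Add-CaDcomFirewallRules {
    param([string]$Range, [string]$RemoteIp)
    # DCOM first contacts the endpoint mapper on TCP 135, then the dynamic port
    # the CA service registered; both rules are scoped to the CES host only.
    netsh advfirewall firewall add rule name=ADCS-DCOM-EPM-from-CES dir=in action=allow protocol=TCP localport=135 remoteip=$RemoteIp
    netsh advfirewall firewall add rule name=ADCS-DCOM-Range-from-CES dir=in action=allow protocol=TCP localport=$Range remoteip=$RemoteIp
}

Set-RpcInternetPortRange -Range $PortRange
Add-CaDcomFirewallRules -Range $PortRange -RemoteIp $CesAddress
```

The internal firewall between the DMZ and corp.contoso.com then needs only TCP 135 and the chosen range from CES to the CA, alongside LDAP from CEP to the domain controllers. The Rpc\Internet setting applies to every RPC server on that host, not just certsvc, so the range has to be wide enough for all of them; KB154596 recommends at least 100 ports.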
Delegation (Certificate Enrollment Web Service Account)
Delegation is required if:
- the CA is not on the same computer as the CES
- CES is required to process full enrollment requests, not just renewal requests
- the authentication type is Kerberos or Certificate Authentication
Delegation is not required if:
- the CA and CES are on the same computer
- the authentication type is Username and Password
- CES is configured in Renewal-only mode
Selecting Service Accounts
- Both CEP and CES must run as either a domain user or the application pool identity
- Local users are not supported
- Managed Service Accounts may be used
- The CES service account must be a member of the local IIS_IUSRS group
- The CES service account must have the Request Certificates permission on the CA
Selecting Authentication Methods
- Windows Integrated Authentication
- Client Certificate Authentication
- Username and Password
Anonymous authentication to the web services is not supported.
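The three preceding slides (delegation, service account, authentication method) come together when the CES account is prepared for the case where delegation is required. The following PowerShell is an added example, not the session's or Microsoft's own script; the names CONTOSO\svc-ces, ces.contoso.com and CA01 / ca.corp.contoso.com are constructed, and it assumes the ActiveDirectory module (RSAT) and rights to edit the account.

```powershell
# Added example (not from the session): prepare a CES service account for the
# case where delegation IS required (CES on a different host from the CA, full
# enrollment, Kerberos or client-certificate authentication). Constructed names:
# CONTOSO\svc-ces (service account), ces.contoso.com (name in the CES TLS
# certificate), CA01 / ca.corp.contoso.com (CA host).
Import-Module ActiveDirectory

$svcAccount    = 'svc-ces'
$domainNetbios = 'CONTOSO'
$cesHost       = 'ces.contoso.com'
$caHost        = 'ca.corp.contoso.com'
$caShort       = 'CA01'
# Set to $true when clients authenticate to CES with certificates: there is
# then no Kerberos ticket to forward, so the account also needs protocol
# transition ("use any authentication protocol"). Not needed for Kerberos.
$clientCertificateAuth = $false

# 1. HTTP SPN so Windows Integrated (Kerberos) clients can get a ticket for CES.
#    setspn -S refuses to create a duplicate SPN.
setspn -S "HTTP/$cesHost" "$domainNetbios\$svcAccount"

# 2. Constrained delegation limited to the CA computer's HOST and rpcss
#    services, which is what the DCOM enrollment call from CES to the CA is
#    authenticated against. Both FQDN and short name are listed.
$delegationTargets = @("HOST/$caHost", "HOST/$caShort", "rpcss/$caHost", "rpcss/$caShort")
Set-ADUser -Identity $svcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $delegationTargets }
if ($clientCertificateAuth) {
    Set-ADAccountControl -Identity $svcAccount -TrustedToAuthForDelegation $true
}

# 3. Read back what was configured so the change can be reviewed.
Get-ADUser -Identity $svcAccount -Properties 'msDS-AllowedToDelegateTo', 'servicePrincipalName', 'TrustedToAuthForDelegation' |
    Select-Object SamAccountName, 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'

# 4. On the CES host itself (run there): the account must be in the local
#    IIS_IUSRS group. The Request Certificates permission on the CA is granted
#    on the CA's Security tab in the Certification Authority console.
net localgroup IIS_IUSRS "$domainNetbios\$svcAccount" /add
```

Constrained delegation (msDS-AllowedToDelegateTo) rather than unconstrained delegation is the point of step 2: the CES account can only impersonate enrolling users towards the CA host's services, so a compromise of the CES box does not hand out tickets to arbitrary services in the forest. Username and Password authentication and renewal-only mode need none of steps 2 and 3, which is exactly what the delegation slide says.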
Installation Requirements
- Windows Server 2008 R2
- Domain-joined machine
- Does not work with a stand-alone CA
- AD forest must have the Windows Server 2008 R2 schema
- Can co-exist with the CA, Web Enrollment, OCSP and NDES roles
- Clients must be Windows 7 or Windows Server 2008 R2
- A valid SSL certificate in the local computer store
- Enterprise Admin privileges required for the installation
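A read-only pre-flight check for the requirements listed on this slide, as an added PowerShell example that is not part of the session; it is meant to be run on the intended CEP/CES host. It assumes Windows PowerShell 2.0 or later on a domain-joined server and uses the schema objectVersion value 47 as the Windows Server 2008 R2 level; the Enrollment Services container check relies on the fact that only enterprise CAs register there.

```powershell
# Added example (not from the session): read-only pre-flight check of the
# CEP/CES installation requirements. Assumes Windows PowerShell 2.0+ on a
# domain-joined server; schema objectVersion 47 = Windows Server 2008 R2.
function Test-CepCesPrerequisites {
    $results = @()

    # Windows Server 2008 R2 is kernel version 6.1; newer releases are higher.
    $os = Get-WmiObject Win32_OperatingSystem
    $results += New-Object PSObject -Property @{
        Check  = 'Windows Server 2008 R2 or later'
        Pass   = ([version]$os.Version -ge [version]'6.1')
        Detail = $os.Caption
    }

    # Domain-joined machine.
    $cs = Get-WmiObject Win32_ComputerSystem
    $results += New-Object PSObject -Property @{
        Check  = 'Domain joined'
        Pass   = [bool]$cs.PartOfDomain
        Detail = $cs.Domain
    }

    # Forest schema must be at the Windows Server 2008 R2 level (objectVersion 47).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = "$($rootDse.schemaNamingContext)"
    $schema   = [ADSI]"LDAP://$schemaNC"
    $schemaVersion = [int]"$($schema.objectVersion)"
    $results += New-Object PSObject -Property @{
        Check  = 'Forest schema is Windows Server 2008 R2 (47) or later'
        Pass   = ($schemaVersion -ge 47)
        Detail = "objectVersion=$schemaVersion"
    }

    # An enterprise CA publishes itself under Enrollment Services in the
    # configuration partition; a stand-alone CA does not, and CEP/CES do not
    # work with a stand-alone CA.
    $configNC  = "$($rootDse.configurationNamingContext)"
    $enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $enterpriseCAs = @($enrollSvc.Children | ForEach-Object { "$($_.cn)" })
    $results += New-Object PSObject -Property @{
        Check  = 'At least one enterprise CA published in the forest'
        Pass   = ($enterpriseCAs.Count -gt 0)
        Detail = ($enterpriseCAs -join ', ')
    }

    # A usable TLS server certificate in the local computer store: private key
    # present, not expired, and either no EKU restriction or Server Authentication.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $tlsCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.Count -eq 0 -or
         ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }))
    })
    $results += New-Object PSObject -Property @{
        Check  = 'TLS server certificate with private key in LocalMachine\My'
        Pass   = ($tlsCerts.Count -gt 0)
        Detail = (($tlsCerts | ForEach-Object { $_.Subject }) -join '; ')
    }

    # Installation needs Enterprise Admins; that group's SID ends in -519.
    $token = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isEA  = [bool]($token.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-519' })
    $results += New-Object PSObject -Property @{
        Check  = 'Current user token holds Enterprise Admins'
        Pass   = $isEA
        Detail = $token.Name
    }

    $results
}

Test-CepCesPrerequisites | Format-Table Check, Pass, Detail -AutoSize
```

The last check inspects the current process token, so it reports membership as seen by an elevated session; a non-elevated session still shows the group but the installer itself needs to run elevated. The certificate check does not validate the chain or the subject name against the URL clients will use, which still has to be confirmed by hand.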
Demo: CEP/CES Configuration & Enrollment using CEP/CES
Sunil Kondapally, Senior Software Development Engineer, Active Directory Certificate Services
NDES Enrollment Process (diagram)
Participants: Device, Administrator, NDES, Active Directory, CA.
1. Device: create key
2A. Administrator: request password from NDES
2B. NDES: check permissions in Active Directory
3. Administrator: set password (on the device)
4. Device: send request to NDES
5. NDES: send RA request to CA
6. CA issues certificate
7. NDES returns certificate to device
Understanding NDES Components
- Virtual directories: http://localhost/certsrv/mscep and http://localhost/certsrv/mscep_admin
- Password service
- Certificates
New Features
- UseSinglePassword mode
- Renewal without administrator interaction
- Download updates:
  - Windows Server 2008: http://support.microsoft.com/kb/959193
  - Windows Server 2008 R2: http://support.microsoft.com/kb/2483564
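A read-only audit of the NDES challenge-password settings, including the UseSinglePassword mode introduced by the updates above, as an added PowerShell example that is not part of the session. It assumes the documented NDES registry layout in which each setting is a subkey of HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP holding a DWORD of the same name, and the built-in defaults of 60 minutes validity and 8-character passwords; run it on the NDES server.

```powershell
# Added example (not from the session): read-only audit of the NDES
# challenge-password settings. Assumed layout: each setting is a subkey of
# HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP holding a DWORD of the same name
# (the documented NDES registry layout). Run on the NDES server.
$NdesBase = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesPasswordPolicy {
    # Returns one object per setting; Value is $null when the key is absent,
    # meaning NDES uses its built-in default.
    $settings = 'EnforcePassword', 'UseSinglePassword', 'PasswordMax', 'PasswordLength', 'PasswordValidity'
    foreach ($name in $settings) {
        $path  = Join-Path $NdesBase $name
        $value = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($item) { $value = [int]$item.$name }
        }
        New-Object PSObject -Property @{ Setting = $name; Value = $value }
    }
}

function Test-NdesPasswordPolicy {
    # Turns the raw values into findings a reviewer would want to see.
    $p = @{}
    Get-NdesPasswordPolicy | ForEach-Object { $p[$_.Setting] = $_.Value }
    $findings = @()

    if ($p.EnforcePassword -eq 0) {
        $findings += 'EnforcePassword=0: requests to /certsrv/mscep are accepted without a challenge password, so enrollment is gated only by network reachability.'
    }
    if ($p.UseSinglePassword -eq 1) {
        $findings += 'UseSinglePassword=1: one long-lived password is shared by every device; treat it as a secret and restrict who can read /certsrv/mscep_admin.'
    }
    if ($p.PasswordValidity -ne $null -and $p.PasswordValidity -gt 60) {
        $findings += "PasswordValidity=$($p.PasswordValidity) minutes: one-time passwords stay valid longer than the 60-minute default."
    }
    if ($p.PasswordLength -ne $null -and $p.PasswordLength -lt 8) {
        $findings += "PasswordLength=$($p.PasswordLength): shorter than the 8-character default."
    }
    if ($findings.Count -eq 0) {
        $findings += 'No deviations from the default challenge-password policy found.'
    }
    $findings
}

Get-NdesPasswordPolicy | Format-Table Setting, Value -AutoSize
Test-NdesPasswordPolicy
```

The two findings that matter most are the first two: EnforcePassword decides whether the mscep endpoint is gated at all, and UseSinglePassword trades the per-device one-time password for a shared static one, which is convenient for unattended renewal but means the mscep_admin page and the accounts allowed to read it deserve the same protection as any other shared credential.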
Entities involved
- NDES Administrator: account used to install the NDES role on the member server
- NDES Service Account: account used by the NDES application pool
- Device Administrator: account used to manage the devices
Demo: NDES Enrollment
Sunil Kondapally, Senior Software Development Engineer, Active Directory Certificate Services
Related Content
- Certificate Enrollment Web Services: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=28B910F8-6374-48DD-A897-11FFF62AB795
- NDES: http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=e11780de-819f-40d7-8b8e-10845bc8d446&displayLang=en and http://tools.ietf.org/html/draft-nourse-scep-22
- How to configure RPC dynamic port allocation to work with firewalls: http://support.microsoft.com/kb/154596
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- http://northamerica.msteched.com: Connect. Share. Discuss.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.