Creating SCEP and AD CS Server

  • Published on 5 Sep 2024
  • Disclaimer, as this has been commented on more than once:
    This video is to act as a guide and not to be replicated directly in a production environment. The NDES service account has been given Domain Admin rights because the server is the Domain Controller, Root CA and NDES service all at once. This is not something that should be done in production. The minimum required permission for an NDES service account is that it needs to be a member of the local IIS_USRS group on the NDES server.
    Video to show how to turn on a Windows 2012r2 NDES server and use it with the MDM server Jamf Pro,
    and as a bonus, NoMAD to access the user AD cert.
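As an added example (not from the video, Jamf or Microsoft), a PowerShell check for the least-privilege rule stated above: the NDES service account should be a member of the local IIS_IUSRS group (the built-in group's actual name) on the NDES server, and should not be a direct or nested member of Domain Admins. It assumes the RSAT ActiveDirectory module is available where it runs, and uses 'ndes_svc' as a placeholder account name.

```powershell
# Added example: audit an NDES service account against the minimum permissions
# described in the video description. 'ndes_svc' is a placeholder account name.
param(
    [string]$ServiceAccount = 'ndes_svc',
    [string]$NdesServer     = $env:COMPUTERNAME
)

Import-Module ActiveDirectory   # RSAT AD module (assumed installed)

# 1. Required: member of the local IIS_IUSRS group on the NDES server.
#    ADSI WinNT provider is used so this also works against Windows 2012 R2,
#    which lacks Get-LocalGroupMember.
$iisGroup   = [ADSI]"WinNT://$NdesServer/IIS_IUSRS,group"
$iisMembers = @($iisGroup.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$inIisUsers = $iisMembers -contains $ServiceAccount

# 2. Forbidden: direct or nested membership of Domain Admins.
$domainAdmins   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$inDomainAdmins = $domainAdmins -contains $ServiceAccount

# Report: Compliant is only true when the account is in IIS_IUSRS and
# is NOT in Domain Admins.
[pscustomobject]@{
    Account        = $ServiceAccount
    NdesServer     = $NdesServer
    InIIS_IUSRS    = $inIisUsers
    InDomainAdmins = $inDomainAdmins
    Compliant      = ($inIisUsers -and -not $inDomainAdmins)
}
```

Run it from a domain-joined admin host as `.\Check-NdesAccount.ps1 -ServiceAccount ndes_svc -NdesServer NDES01`; a `Compliant = False` row with `InDomainAdmins = True` is the misconfiguration the comments below object to.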

Comments • 19

  • @dt5173
    @dt5173 6 years ago

    You are really amazing, Bro!! Even JAMF could not explain the integration of SCEP. You have explained it very clearly. Thanks a lot for posting the video.

  • @satheeshkumarbabu7737
    @satheeshkumarbabu7737 2 months ago

    Thank you.

  • @abidemiagboola
    @abidemiagboola 5 years ago

    Thanks for this Bro... Deeply appreciated!

  • @naaani123
    @naaani123 8 months ago

    Thank you..

  • @mani2care
    @mani2care 1 year ago

    JAMF and Windows Servers have been upgraded. Can we have a new, updated video, from end to end? It's helpful for configuring SCEP in Windows and also in Jamf.

  • @flymoracer
    @flymoracer 5 years ago

    Thanks Daniel. At 12:56 you mention that the JAMF server needs to be able to communicate with the CA. Obviously in your lab setup the NDES server and CA are the same server, which wouldn't typically be the case in a production environment. Does the JAMF server really just need to be able to reach the NDES server in order to obtain the challenge password?

    • @DanielMacLaughlin
      @DanielMacLaughlin 5 years ago +1

      Mike Elliott Hi Mike, yes, I meant the Jamf Pro server needs to contact the NDES component rather than the CA directly, and yes, that is the case for any MDM using the dynamic Microsoft CA challenge method. Your other options are to look at the ADCS Connector, or to configure NDES to have a multi-use static password.

    • @flymoracer
      @flymoracer 5 years ago

      Thanks Daniel. One other thing: the documentation mentions the requirement for a signing certificate for the JAMF server itself. Any idea what type of cert that needs to be and what EKU attributes it needs to include? I'm assuming an SSL cert with 'server authentication' will be enough.

    • @DanielMacLaughlin
      @DanielMacLaughlin 5 years ago +1

      Mike Elliott I assume the document you are referring to is for the SCEP proxy, which I made a different video for. This video is without any proxy; the SCEP proxy video I made shows how to create a signing cert.

    • @flymoracer
      @flymoracer 5 years ago

      @DanielMacLaughlin Thanks, will take a look at that.

    • @flymoracer
      @flymoracer 5 years ago

      @DanielMacLaughlin Thanks, the SCEP proxy video covered exactly what I needed. Could you tell me why the NDES service account mentioned here needs to be a member of the Domain Admins group?

  • @spacewolfjr
    @spacewolfjr 4 months ago

    You seem like a man I could be a best friend with... you also sound a little like Elon Musk

  • @jamauai
    @jamauai 2 years ago

    Close your eyes, you’ll hear Elon Musk.

  • @gotfunk5
    @gotfunk5 3 years ago +2

    FAIL! You NEVER add a service account to the Domain Admin group!

    • @DanielMacLaughlin
      @DanielMacLaughlin 3 years ago

      You are correct. This was an example where SCEP, Root CA and DC were all on the one box, something else you would never do in production.

  • @sphbecker
    @sphbecker 2 years ago

    NO Domain Admin!!!! That isn't acceptable. What access is actually needed?? If you don't know, please remove video. Harsh, but you should NEVER give that advice.

    • @DanielMacLaughlin
      @DanielMacLaughlin 2 years ago

      Please see the other comments. Domain Admin is required if you are doing SCEP, Root CA and DC all on the one server, something you should NEVER do in production. When the servers are separated out, the NDES service account only needs to be a member of the local IIS_USRS group on the server running the NDES/SCEP service.

    • @sphbecker
      @sphbecker 2 years ago +1

      @DanielMacLaughlin That is fair. Thanks.