This is part 2 of a 3-part series.
- Cisco Management Tunnel.
- Cisco Management Tunnel - NDES Setup
- Cisco Management Tunnel - ASA Setup.
Since an AnyConnect Management Tunnel seems like it will help resolve my organization’s work-from-home challenges, let’s set up a pilot.
The first thing we need to do is configure the certificates that are needed for user authentication.
Install and Configure NDES
We already have a dedicated server running AD Certificate Services (AD CS), acting as our Certificate Authority (CA). Network Device Enrollment Service (NDES) acts as a registration authority for a CA using Simple Certificate Enrollment Protocol (SCEP). The CA has to fully trust the NDES to verify inbound certificate requests. The result is that NDES owns an extremely powerful type of certificate (Exchange Enrollment Agent (Offline request)), which allows NDES to request certificates with almost any subject from the CA. All of that to say, it’s important to secure NDES as much as warranted.
The most important advice I can give is to pay attention to the warning that NDES cannot run on a CA Server! Don’t ask me how I know.
I decided to piggyback NDES on an existing Windows 2016 server we have, so I was able to use PowerShell for most of the heavy lifting. I usually roll with PowerShell 7, but there are steps that require PowerShell 5.1. I’ll try to be clear about when PowerShell 5.1 is needed.
Create gMSA
Let’s start by creating (and testing the creation of) the gMSA:
# Create the gMSA in AD; only the computer account named here may retrieve its password
New-ADServiceAccount -Name NDES-gMSA -DNSHostName NDES-gMSA.corp.company.com -PrincipalsAllowedToRetrieveManagedPassword SERVER$
# Remote into the target server, install the account there and check that it can be retrieved (Test-ADServiceAccount returns True)
Enter-PSSession corpca
Add-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount NDES-gMSA
Test-ADServiceAccount NDES-gMSA
exit
Install NDES
NDES cannot be installed directly under a gMSA, so I’m going to use my admin account for the initial installation and convert the service to the gMSA later. Let’s install the NDES role first:
# The service account password must be a SecureString; prompt for it rather than putting it in the script
Install-AdcsNetworkDeviceEnrollmentService -Force -ServiceAccountName "CORP\admin" -ServiceAccountPassword (Read-Host -AsSecureString -Prompt "Password for CORP\admin") -RAName "SERVER-MSCEP-RA" -RAEmail "helpdesk@company.com" -RACompany "Company" -RADepartment "IT-CNS" -RACity "Guelph" -RAState "Ontario" -RACountry "CA" -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength "2048" -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength "2048" -CAConfig "corpca.corp.company.com\Company Corporate Issuing CA"
Configure IIS
Now, add the installation account to the IIS_IUSRS group:
# The gMSA is a computer-style account, so its SAM name carries a trailing $
Add-LocalGroupMember -Group IIS_IUSRS -Member corp\admin, corp\NDES-gMSA$
Since NDES was installed on a server with the Web Enrollment server role, the IIS virtual directories won’t show. However, the site is still working and visible under the IIS Applications and Application Pools pages. We need to use PowerShell 5.1 to check that SSL is required on the MSCEP_ADMIN site, first querying the current value, then setting it:
Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertSrv/mscep_admin' -filter "system.webServer/security/access" -name "sslFlags"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertSrv/mscep_admin' -filter "system.webServer/security/access" -name "sslFlags" -value "Ssl"
To return to the stock IIS settings, run this command from PowerShell 5.1:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertSrv/mscep_admin' -filter "system.webServer/security/access" -name "sslFlags" -value "None"
The SCEP site (MSCEP) must remain accessible via HTTP, as that’s the only mechanism the ASA supports.
Run NDES under a gMSA
Next, I used the IIS GUI to change the SCEP application pool identity (which is actually the NDES Application Pool) to the gMSA (under Advanced Settings), and restarted IIS.
Since we’re using a gMSA, I need to grant that account permission to use the private keys of the RA certs we have, and it needs to be done via PowerShell since remote GUI access doesn’t support it. I modified a script from Assigning Read Access to Windows Private Key:
# Grant the gMSA read access to the private key file of each RA certificate
# (the RA certs carry the helpdesk e-mail address in their subject)
foreach ($certObj in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "E=helpdesk*" })) {
    $rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certObj)
    $fileName = $rsaCert.Key.UniqueName   # key container file name under MachineKeys (CAPI provider)
    $path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys\$fileName"
    $permissions = Get-Acl -Path $path
    # Read is enough for the application pool to use the key; it does not grant delete or write
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule "CORP\NDES-gMSA$", "Read", "Allow"
    $permissions.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $permissions
    (Get-Acl -Path $path).Access   # validate that the settings worked
}
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : False
InheritanceFlags : None
PropagationFlags : None

FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : None
PropagationFlags : None

FileSystemRights : Read, Synchronize
AccessControlType : Allow
IdentityReference : CORP\ndes-gmsa$
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
Now, configure NDES to use the certificate template we’ll create in the next step. I’m going to create a certificate template named ‘AnyConnect’ for NDES to issue to my ASA via SCEP. Change the default GeneralPurposeTemplate registry value from “IPSECIntermediateOffline” to “AnyConnect”, and set NDES to not require a challenge password:
# Template that NDES requests from the CA for general-purpose SCEP enrollments
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP -Name GeneralPurposeTemplate -Value "AnyConnect"
# 0 disables the SCEP challenge password (the EnforcePassword value lives in its own EnforcePassword subkey)
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword -Name EnforcePassword -Value 0
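As an added check that is not part of the original post, the following script reads back the NDES-side settings made in the IIS, gMSA and registry steps above and reports anything that differs. It is meant for an elevated PowerShell 5.1 session on the NDES server (WebAdministration and Get-LocalGroupMember ship with it) and assumes the application pool is named SCEP, the gMSA is CORP\NDES-gMSA$ and the template is AnyConnect; change the parameters if your names differ.

```powershell
# Added example, not from the original post: verify the NDES configuration steps above.
# Assumed names: application pool 'SCEP', gMSA 'CORP\NDES-gMSA$', template 'AnyConnect'.
Import-Module WebAdministration

function Test-NdesConfig {
    param(
        [string]$Template = 'AnyConnect',
        [string]$AppPool  = 'SCEP',
        [string]$Gmsa     = 'CORP\NDES-gMSA$'
    )
    $findings = @()   # settings that differ from what the steps above configured
    $notes    = @()   # facts worth knowing even when everything matches
    $mscep    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

    # Template names NDES reads from the MSCEP key; only GeneralPurposeTemplate was changed above.
    $templates = Get-ItemProperty -Path $mscep
    if ($templates.GeneralPurposeTemplate -ne $Template) {
        $findings += "GeneralPurposeTemplate is '$($templates.GeneralPurposeTemplate)', expected '$Template'"
    }
    $notes += "SignatureTemplate='$($templates.SignatureTemplate)' EncryptionTemplate='$($templates.EncryptionTemplate)' (left at their defaults)"

    # Challenge password: 0 means NDES forwards any SCEP request it receives to the CA.
    $enforce = (Get-ItemProperty -Path "$mscep\EnforcePassword" -Name EnforcePassword).EnforcePassword
    if ($enforce -eq 0) {
        $notes += "EnforcePassword=0 and /certsrv/mscep is plain HTTP: any host that can reach the site can obtain a '$Template' certificate for a subject of its choosing, so limit reachability to the ASA"
    }

    # TLS required on the admin page, plain HTTP on the SCEP endpoint (the ASA only speaks HTTP).
    $base = 'Default Web Site/CertSrv'
    $adminSsl = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$base/mscep_admin" -Filter 'system.webServer/security/access').sslFlags
    $scepSsl  = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$base/mscep" -Filter 'system.webServer/security/access').sslFlags
    if ("$adminSsl" -notmatch '\bSsl\b') { $findings += "mscep_admin sslFlags is '$adminSsl', expected Ssl" }
    if ("$scepSsl"  -match    '\bSsl\b') { $findings += "mscep sslFlags is '$scepSsl'; the ASA can only enroll over HTTP" }

    # Application pool identity, and the IIS_IUSRS membership granted above.
    $pool     = Get-Item "IIS:\AppPools\$AppPool"
    $identity = $pool.processModel.identityType   # 'SpecificUser' once a gMSA is set
    $user     = $pool.processModel.userName
    if ($identity -ne 'SpecificUser' -or $user -ne $Gmsa) {
        $findings += "app pool '$AppPool' runs as $identity '$user', expected SpecificUser '$Gmsa'"
    }
    $members = (Get-LocalGroupMember -Group IIS_IUSRS).Name
    if ($members -notcontains $Gmsa) { $findings += "'$Gmsa' is not a member of IIS_IUSRS" }

    [pscustomobject]@{
        Template = $Template
        Findings = $findings
        Notes    = $notes
    }
}

Test-NdesConfig | Format-List
```

An empty Findings list means the server matches the steps above; the Notes list is informational and will always mention the disabled challenge password, since that is a deliberate choice here and the main reason to keep the SCEP site reachable only from the ASA.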
Create Certificate Template
Let’s create a new template to use for issuing to AnyConnect. I prefer to create a new template because we can modify it in many ways not available when we just use the default ‘User’ template.
- Open the Certificate Templates MMC.
- Make a copy of the ‘User’ template, and configure these settings:
  - rename to ‘AnyConnect’ (General tab)
  - set OS compatibility (Compatibility tab)
  - edit Extensions/Application Policies and remove all entries EXCEPT Client Authentication
  - edit Security and add the CORP\NDES-gMSA$ account. (If using the GUI to browse for this account, you may need to change the account filtering options to list gMSAs.) Allow the account Enroll permission only.
  - set Subject Name to ‘supply in the request’. Accept the popup notification.
- Click OK and close the Templates MMC.
In the CA MMC, right-click Certificate Templates, select New, Certificate Template to Issue, then select AnyConnect. Your new template is now ready to issue! Reboot the NDES server for the registry settings made earlier to take effect.
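Because the template lets the requester supply the subject, the set of principals holding Enroll on it is what bounds who can obtain a client-authentication certificate for any name, so it is worth reading the published template back out of Active Directory rather than trusting the GUI. The script below is an added example, not part of the original post: it needs the ActiveDirectory RSAT module, assumes the template is named AnyConnect and the enrolling account is CORP\NDES-gMSA$, and compares the template’s EKU list, subject-name flag, enrollment ACL and CA publication against the steps above.

```powershell
# Added example, not from the original post: audit the 'AnyConnect' template in AD.
# Assumed names: template 'AnyConnect', enrolling account 'CORP\NDES-gMSA$'.
Import-Module ActiveDirectory

function Test-AnyConnectTemplate {
    param(
        [string]$TemplateName = 'AnyConnect',
        [string]$Enroller     = 'CORP\NDES-gMSA$'
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
    $tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -LDAPFilter "(cn=$TemplateName)" `
        -Properties 'pKIExtendedKeyUsage','msPKI-Certificate-Application-Policy','msPKI-Certificate-Name-Flag'
    if (-not $tmpl) { throw "template '$TemplateName' not found under $pkiBase" }
    $findings = @()

    # Extensions/Application Policies: only Client Authentication (1.3.6.1.5.5.7.3.2) should remain.
    # The MMC keeps both attributes in step, so both are checked.
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    foreach ($attr in 'pKIExtendedKeyUsage','msPKI-Certificate-Application-Policy') {
        $oids = @($tmpl.$attr)
        if ($oids.Count -ne 1 -or $oids[0] -ne $clientAuth) {
            $findings += "$attr = [$($oids -join ', ')], expected only $clientAuth"
        }
    }

    # 'Supply in the request' sets bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) of msPKI-Certificate-Name-Flag.
    $nameFlags = [int]$tmpl.'msPKI-Certificate-Name-Flag'
    if (($nameFlags -band 0x1) -eq 0) {
        $findings += "subject is not supplied in the request (msPKI-Certificate-Name-Flag=0x$($nameFlags.ToString('x')))"
    }

    # Every principal allowed Enroll (extended right 0e10c968-78fb-11d2-90d4-00c04f79dc55), all extended
    # rights, or full control can request a certificate for any subject from this template. Compare the
    # list with what was set on the Security tab: it should be the NDES gMSA and nothing unexpected.
    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
    $enrollers = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($all) -or
            ($_.ActiveDirectoryRights.HasFlag($ext) -and ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty))
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    if ($enrollers -notcontains $Enroller) { $findings += "'$Enroller' does not hold Enroll on the template" }

    # 'Certificate Template to Issue' adds the template name to the CA's certificateTemplates list.
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
    $publishedOn = @($cas | Where-Object { @($_.certificateTemplates) -contains $TemplateName } | ForEach-Object Name)
    if ($publishedOn.Count -eq 0) { $findings += "template is not published on any CA" }

    [pscustomobject]@{
        Template    = $TemplateName
        Enrollers   = $enrollers
        PublishedOn = $publishedOn
        Findings    = $findings
    }
}

Test-AnyConnectTemplate | Format-List
```

Review the Enrollers list by hand as well as the Findings: an inherited entry for a broad group such as Domain Users would not be flagged as a mismatch by the script, but on a supply-in-the-request template it is exactly the entry that should not be there.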
Now, let’s tackle the ASA configuration in Cisco Management Tunnel - ASA Setup.
References
Some articles I referenced when figuring this out were:
NDES Deployment and troubleshooting
Setting up NDES using a Group Managed Service Account (gMSA)