Back

Cisco Management Tunnel - NDES Setup

Part II - Configure NDES and Certificate Templates

This is part 2 of a 3-part series.

  1. Cisco Management Tunnel.
  2. Cisco Management Tunnel - NDES Setup
  3. Cisco Management Tunnel - ASA Setup.

Since an AnyConnect Management Tunnel seems like it will help resolve my organization’s work-from-home challenges, let’s setup a pilot.

The first thing we need to do is configure the certificates that are needed for user authentication.

Install and Configure NDES

We already have a dedicated server running AD Certificate Services (AD CS), acting as our Certificate Authority (CA). Network Device Enrollment Service (NDES) acts as a registration authority for a CA using Simple Certificate Enrollment Protocol (SCEP). The CA has to fully trust the NDES to verify inbound certificate requests. The result is that NDES owns an extremely powerful type of certificate (Exchange Enrollment Agent (Offline request)), which allows NDES to request certificates with almost any subject from the CA. All of that to say, it’s important to secure NDES as much as warranted.

The most important advice I can give is to pay attention to the warning that NDES cannot run on a CA Server! Don’t ask me how I know.

I decided to piggyback NDES on an existing Windows 2016 server we have, so I was able to use Powershell for most of the heavy lifting. I usually roll with Powershell 7, but there are steps that require Powershell 5.1. I’ll try to be clear about when Powershell 5.1 is needed.

Create gMSA

Let’s start by creating (and testing the creation of) the gMSA:

New-ADServiceAccount -Name NDES-gMSA -DNSHostName NDES-gMSA.corp.company.com -PrincipalsAllowedToRetrieveManagedPassword SERVER$

Enter-PSSession corpca
Add-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount NDES-gMSA
Test-ADServiceAccount NDES-gMSA
exit

Install NDES

You can’t install NDES as a gMSA, but we’ll convert it later. I’m going to use my admin account for the initial installation, and convert it to a gMSA later. You cannot initially install it as a gMSA. Let’s install the NDES role first:

#Install-AdcsNetworkDeviceEnrollmentService -Force -ServiceAccountName "CORP\admin" -ServiceAccountPassword "System.Security.SecureString" -RAName "SERVER-MSCEP-RA" -RAEmail "helpdesk@company.com" -RACompany "Company" -RADepartment "IT-CNS" -RACity "Guelph" -RAState "Ontario" -RACountry "CA" -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength "2048" -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength "2048" -CAConfig "corpca.corp.company.com\Company Corporate Issuing CA"

Configure IIS

Now, add the installation account to the IIS_IUSRS group:

Add-LocalGroupMember -Group IIS_IUSRS -Member corp\admin, corp\NDES-gMSA

Since NDES was installed on a server with the Web Enrollment server role, the IIS virtual directories won’t show. However, the site is still working and vsible under the IIS Applications, and IIS Application Pools pages. We need to use Powershell 5.1 to check that SSL is properly set on the MSCEP_ADMIN site by first querying the current values, then setting them:

Get-WebConfigurationProperty -pspath MACHINE/WEBROOT/APPHOST -location Default Web Site/CertSrv/mscep_admin -filter system.webServer/security/access -name sslFlags
Set-WebConfigurationProperty -pspath MACHINE/WEBROOT/APPHOST -location Default Web Site/CertSrv/mscep_admin -filter system.webServer/security/access -name sslFlags -value Ssl

To return to the stock IIS settings, run this command from Powershell 5.1:

Set-WebConfigurationProperty -pspath MACHINE/WEBROOT/APPHOST -location Default Web Site/CertSrv/mscep_admin -filter system.webServer/security/access -name sslFlags -value None `

The SCEP site (MSCEP) must remain accessible via. HTTP, as that’s the only mechanism that the ASA supports.

Run NDES under a gMSA

Next, I used the IIS GUI to change the SCEP application pool identity (which is actually the NDES Application Pool) to the gMSA (under Advanced Settings), and restarted IIS.

Since we’re using a gMSA, I need to grant that account permissions to manage the private key for the certs we have, but it needs to be done via. powershell since remote GUI access doesn’t support it. I modified a script from Assigning Read Access to Windows Private Key:

foreach ($certobj in (gci cert:\localmachine\my\ | where {$_.subject -like "E=helpdesk*"})){
  $rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($CertObj)
  $fileName = $rsaCert.key.UniqueName
  $path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\rsa\machinekeys\$filename"
  $permissions = Get-Acl -Path $path
  $rule = new-object security.accesscontrol.filesystemaccessrule "corp\ndes-gmsa$", "read", allow
  $permissions.AddAccessRule($rule)
  Set-Acl -Path $path -AclObject $permissions
  (get-acl -path $path).access #*validate that the settings worked
}

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : Read, Synchronize
AccessControlType : Allow
IdentityReference : CORP\ndes-gmsa$
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

Now, configure NDES to use the certificate template we’ll create in the next step. I’m going to create a certificate template named ‘AnyConnect’ for NDES to issue to my ASA via. SCEP. Change the default GeneralTemplateProperty registry value from “IPSECIntermediateOffline” to “AnyConnect”, and set NDES to not require a password:

Set-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP\ -Name GeneralPurposeTemplate -Value "AnyConnect"
Set-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword -Name EnforcePassword -Value 0

Create Certificate Template

Let’s create a new template to use for issuing to AnyConnect. I prefer to create new template because we can modify it in many ways not available when we just use the default ‘User’ template.

  • Open the Certificate Templates MMC.
  • Make a copy of the ‘User’ template, and configure these settings:
    • rename to ‘AnyConnect’ (General tab)
    • set OS compatibility (Compatibility tab)
    • edit Extensions/Applition Policies and remove all entries EXCEPT Client Authentication
    • edit Security and add the CORP\NDES-gMSA$ account. (If using the GUI to browse for this account, you may need to change the account filtering options to list gMSAs). Allow the account Enroll permission only.
    • set Subject Name to ‘supply in the request’. Accept the popup notification.
  • Clikc OK and close the Templates MMC.

In the CA MMC, right-click Certificate Templates, select New, Certificate Template to Issue, then select AnyConnect. Your new template is now ready to issue! Reboot the NDES server for the registry settings made earlier to take effect.

Now, let’s tackle the ASA configuration in Cisco Management Tunnel - ASA Setup.

References

Some articles I referenced when figuring this out were:

NDES Deployment and troubleshooting

Setting up NDES using a Group Managed Service Account (gMSA)

© 2020 - 2023 Greg Beifuss
Built with Hugo
Theme Stack designed by Jimmy