A project never really finishes. If you're lucky you complete the initial requirements and get them signed off, and if you're good at managing your project you refuse to let the scope creep in, mark any additional feature requests as "phase 2" and evaluate them at a later date. One of the nice-to-haves with the deployment of iPhones was a VPN so that you could reach the internal systems when out of the office; to date this has lived in a very "test and dev" environment, with access only for IT staff and in a completely unsupported way.
However, I found myself with a bit of time, so I started delving into the SCEP world for issuing certificates to iPhones, which I would later use to authenticate an SSL VPN connection. Here is what I found.
Firstly, Apple's documentation on the process is shocking. Luckily Microsoft have been the better man in this instance and posted an entirely useful blog post on the subject, available here: http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx.
In the section "NDES Configuration settings" of that blog post they mention Microsoft hotfix 959193. As I have 2008 R2 SP1 installed I already had the fix, but you should definitely consider the HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword setting, as it means you can put your challenge password into an iPhone/iPad profile and not need to change it every time. Be aware of what that trades away: with the default behaviour each challenge is a one-time password that expires, whereas a single static password embedded in a distributed profile is a shared secret, and anyone who obtains the profile can request a certificate from your CA with it. Treat the profile as sensitive and keep the template NDES issues from as narrow as you can.
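As an added example (not from the original post or from Microsoft's), here is how the single-password mode is switched on from PowerShell on the NDES server, with the per-request default shown beside it. The registry key and value name are the ones Microsoft documents for NDES; the application pool name "SCEP" is the one the NDES installer creates and is assumed here.

```powershell
# Added example: toggle NDES between one-time challenge passwords (default) and a
# single static challenge. Run from an elevated PowerShell session on the NDES server.
$key       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword'
$valueName = 'UseSinglePassword'
$appPool   = 'SCEP'    # assumed: the application pool created by the NDES role installer

function Set-NdesSinglePassword {
    param([bool]$Enabled)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 1 = one static challenge shared by every enrolment (convenient for profiles, but a
    #     shared secret: anyone holding the profile can enrol against your CA)
    # 0 = default: each visit to mscep_admin issues a fresh one-time challenge that expires
    New-ItemProperty -Path $key -Name $valueName -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Get-NdesSinglePassword {
    # Returns $true when single-password mode is configured, $false otherwise
    if (-not (Test-Path $key)) { return $false }
    $v = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$valueName -eq 1)
}

Set-NdesSinglePassword -Enabled $true

# NDES reads the key when it starts, so recycle its application pool for the change to apply
Import-Module WebAdministration
Restart-WebAppPool -Name $appPool

Get-NdesSinglePassword
```

Running Set-NdesSinglePassword -Enabled $false puts the server back to issuing a new challenge per request, which is what you want once the profile is no longer being distributed.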
More importantly (for me), there is an additional hotfix required from Microsoft if you're trying to do what I was trying to do, and it's here: http://support.microsoft.com/kb/2483564. I found it because, even though everything was set up correctly, I kept getting this error in the NDES server's event viewer: "The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag".
Do create a dedicated user account for your NDES service / application pools when the installer gives you the opportunity. If your NDES server isn't your CA (and I imagine in many cases it won't be) you'll have to follow the 2008 R2 post-installation instructions, which use setspn.exe to register an HTTP service principal name for that account so that Kerberos authentication to the NDES web site works under it. This is usually achieved by simply bringing up a command prompt and running:
setspn -s http/NDESSERVER domain\useraccount
If you get an error saying there are multiple instances (which happened to me after my first installation failed), you will need to delete the old SPN before re-creating the new one; the -s form checks for duplicates before adding, which is why it aborts rather than silently registering a second copy. This blog post on MSDN has a useful list of setspn commands which you can use for this purpose.
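As an added example (not from the original post), the sequence below inspects the SPN state, removes the stale registration left by a failed first install, and re-registers the SPN with duplicate checking. The host name NDESSERVER, the service account CORP\svc_ndes and the old account CORP\svc_ndes_old are assumed names for illustration.

```powershell
# Added example: clean up and re-register the HTTP SPN for the NDES service account.
# Run from an elevated PowerShell session as a user allowed to write servicePrincipalName.
$ndesHost   = 'NDESSERVER'              # assumed NDES host name
$account    = 'CORP\svc_ndes'           # assumed dedicated NDES service account
$oldAccount = 'CORP\svc_ndes_old'       # assumed account used by the failed first install
$spn        = "http/$ndesHost"

function Test-SpnRegistered {
    param([string]$Spn)
    # setspn -q searches the forest and prints "Existing SPN found!" when any object holds it
    return (((setspn -q $Spn) -join "`n") -match 'Existing SPN found')
}

# 1. What do the two accounts currently hold?
setspn -l $oldAccount
setspn -l $account

# 2. Forest-wide duplicate report: a stale registration from the earlier install shows up here
setspn -x

# 3. Remove the stale registration, then add with duplicate checking.
#    -s refuses to add if the SPN already exists anywhere in the forest; -a would add it blindly
#    and leave you with a duplicate that breaks Kerberos for both accounts.
if (Test-SpnRegistered $spn) {
    setspn -d $spn $oldAccount
}
setspn -s $spn $account

# 4. Confirm the final state for the service account
setspn -l $account
Test-SpnRegistered $spn
```

If clients reach the NDES site by its fully qualified name as well, register that form too (http/NDESSERVER.corp.example.com in this example's assumed domain), since Kerberos matches the SPN against the host name in the URL.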
I had one additional error which was much harder to catch. After following all these guides to the letter I logged on to my server and got this in the event viewer: "The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified." as well as a nasty server error when I browsed to the website. If this happens to you then hopefully it's the same issue as mine; the fix is to log on to the machine interactively using the account you created for NDES (i.e. not just the Administrator account), which creates that account's user profile on the server, something the NDES application pool needs before it can start.
Anyway, assuming you've followed the guide properly, you'll be able to navigate to http://
And from here you can go ahead and fill in the profile on something like the iPhone Configuration Utility:
I had one remaining niggle after all of this: enrolment kept failing and the event viewer KEPT showing me "The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request." Obviously nonsense, since we know I'm using a single password... It turns out that when I copied and pasted the challenge password from the web page it was bringing an extra whitespace character with it. I should have known better...
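As an added example (not from the original post), here is a quick way to expose the stray characters that a copy-and-paste from the mscep_admin page can drag along with the challenge password, and to strip them before the value goes into a profile. The sample challenge value is constructed for the example, not a real one.

```powershell
# Added example: show and strip non-printable characters around a pasted challenge password.
function Get-HiddenCharacters {
    param([string]$Text)
    # Report every character outside printable ASCII (0x21-0x7E) with its position and
    # code point, so a trailing space, tab or non-breaking space (U+00A0) copied from HTML
    # stands out instead of hiding at the end of an otherwise correct-looking value.
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $c = [int][char]$Text[$i]
        if ($c -lt 0x21 -or $c -gt 0x7E) {
            [pscustomobject]@{ Position = $i; CodePoint = ('U+{0:X4}' -f $c) }
        }
    }
}

function ConvertTo-CleanChallenge {
    param([string]$Text)
    # The challenge NDES shows is plain ASCII, so drop anything that is not printable ASCII.
    # This also catches U+00A0, which a plain Trim() on older .NET versions may leave behind.
    return ($Text -replace '[^\x21-\x7E]', '')
}

# Constructed sample: a challenge followed by a non-breaking space picked up from the web page
$pasted = '4F1C9A0B77D2E8A3' + [char]0x00A0

Get-HiddenCharacters $pasted
$clean = ConvertTo-CleanChallenge $pasted
"Length before: $($pasted.Length), after: $($clean.Length)"
```

Paste the cleaned value, not the raw clipboard contents, into the SCEP payload's challenge field; the NDES error above is the same whether the password is genuinely used up or merely has a space appended, so checking the length first saves a lot of head-scratching.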