Microsoft Network Device Enrollment Service (NDES) is a security feature in Windows Server 2008 R2 and later versions of the Windows Server operating system. NDES provides and manages certificates used to authenticate traffic and implement secure network communication with devices that might not otherwise possess valid domain credentials.
NDES is a function of Active Directory Certificate Services (AD CS) and is based on the Simple Certificate Enrollment Protocol (SCEP), which lets devices that have no AD domain credentials enroll for X.509 version 3 certificates from a certification authority (CA), usually a dedicated CA server. Administrators use NDES to support public key distribution, certificate enrollment, queries and revocations. NDES provides one-time enrollment passwords for devices, forwards device enrollment requests to the CA, receives enrolled certificates from the CA and forwards them to the device.
A common use of NDES is to issue certificates to dedicated network devices -- such as routers, firewalls and switches -- which typically run internal software to handle network traffic. However, some of these devices do not have traditional credentials for an Active Directory domain, and administrators must use a service like NDES for authentication.
When configuring NDES, an administrator can also specify the preferred CA server, set information for the registration authority (RA) used to construct the certificate and configure cryptographic settings to use different Cryptographic Service Providers to store keys or change the key length.
A typical enrollment process begins when a public-private key pair is created for the desired device. NDES then delivers a password to the administrator. The administrator configures the device with the password and sets the device to trust the organization's public key infrastructure (PKI). The administrator then allows the device to send an enrollment request to NDES, which acknowledges the request and forwards it to the CA. The CA issues a certificate and returns it to NDES, and the device finally retrieves the issued certificate from NDES to complete the enrollment.
A properly enrolled device will receive a private key and corresponding certificate issued by the CA to become a trusted entity in the secure network session. Software running on the device can then use those credentials to exchange traffic securely with other devices in the network.
NDES employs several different elements. The device or client is the physical target device, such as a router or intelligent switch, which lacks domain credentials and requires a certificate. The service is the NDES server, which might also be called the registration authority. The CA server runs certificate services and issues certificates to the clients. A domain controller handles Active Directory Domain Services (AD DS), which is a server role that stores certificate templates and enforces certificate policies across the enterprise domain.
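The enrollment sequence and roles described above can be modeled in a few lines to show why the one-time password matters: it is the only thing that authorizes a device without domain credentials, so the registration authority must consume it on first use and refuse it once it is stale. This is an added illustration, not Microsoft's code; the class names, the 3600-second validity window, the host names and the byte strings standing in for public keys are all constructed assumptions.

```python
import hashlib
import secrets
import time

class CertificationAuthority:
    """Stand-in for the CA: records what it issued (no real X.509 is built)."""
    def __init__(self):
        self.serial = 0

    def issue(self, subject, public_key):
        self.serial += 1
        return {"serial": self.serial, "subject": subject,
                "key_sha256": hashlib.sha256(public_key).hexdigest()}

class RegistrationAuthority:
    """Models the NDES role: issues one-time passwords and gates requests to the CA."""
    def __init__(self, ca, validity_seconds, clock=time.monotonic):
        self.ca, self.validity, self.clock = ca, validity_seconds, clock
        self.pending = {}  # sha256(password) -> expiry time; plaintext is not kept

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def new_password(self):
        password = secrets.token_hex(8)  # handed to the administrator
        self.pending[self._digest(password)] = self.clock() + self.validity
        return password

    def enroll(self, subject, public_key, password):
        # pop() consumes the password, so a second request with it finds nothing
        expiry = self.pending.pop(self._digest(password), None)
        if expiry is None:
            return ("rejected", "unknown or already used password")
        if self.clock() > expiry:
            return ("rejected", "password expired")
        return ("issued", self.ca.issue(subject, public_key))

def demo():
    now = [0.0]  # controllable clock so the expiry case runs instantly
    ra = RegistrationAuthority(CertificationAuthority(), 3600, clock=lambda: now[0])
    pw = ra.new_password()
    first = ra.enroll("router01.example.test", b"constructed-public-key", pw)
    replay = ra.enroll("rogue.example.test", b"another-constructed-key", pw)
    stale_pw = ra.new_password()
    now[0] += 3601  # one second past the validity window
    stale = ra.enroll("switch01.example.test", b"constructed-key-2", stale_pw)
    return first, replay, stale
```

Calling `demo()` returns the result of a valid enrollment, a replay of the same password from a second host, and an enrollment attempted after the password has expired.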