The following requirements must be met prior to proceeding with the protocol configuration.

  • Compatibility with the MS server running the protocol:
    • NDES is only available in the Enterprise version of Microsoft Server 2008, 2008 R2, and 2012, Standard or Enterprise.
    • SCEP or MSCEP is available in versions older than Microsoft Server 2008.
  • A Certificate Authority (CA) installed, configured, and made available to the NDES/SCEP/MSCEP server.
    • The CA and NDES/SCEP/MSCEP can be installed on the same server or on different servers. If NDES/SCEP/MSCEP is to be installed on the same server as the CA, the installation of the CA must be completed first and the server rebooted prior to installing NDES/SCEP/MSCEP.
  • The following certificate templates are needed during NDES/SCEP/MSCEP setup and service certificate renewal:
    • Exchange Enrollment Agent (Offline request)
    • CEP Encryption

      Note:

      Note: It is possible for all of the following accounts to be the same account. However, there are security concerns if a single account is used.

Connection Requirements

  • SCEP endpoint must be accessible from the device in order for certificate enrollment to complete.
    • The exception to this requirement is when you utilize the Enable Proxy option in the Certificate Authority - Add/Edit page for non-generic SCEP protocol usage.
  • An Admin Account must exist in the domain. This account is used to install the NDES/SCEP/MSCEP role service and must meet the following requirements.
    • Member of the Local Administrators group (Standalone Installation)
    • Member of the Domain Admins group (Enterprise)
  • A Service Account must exist. It is used by the NDES/SCEP/MSCEP application pool and must meet the following requirements.
  • <ComputerName> is the name of the computer where NDES/SCEP/MSCEP is installed.
  • <AccountName> is the computer account name when NetworkService is used, or the domain user account when a custom application pool identity is configured.
  • The Device Administrator account used to request password challenges from NDES/SCEP/MSCEP must meet the following requirements.