UPDATE: ISSUE RESOLVED

Ok, I was able to resolve the issue when I disabled UAC being applied to the Certsrv folder(s) in Windows by disabling the UAC through the registry. I'm able to get to the page and see the generation of the password required to set up the network devices to leverage NDES.

I have one final question for anyone who might know: I tried disabling UAC (lowest setting) in User Accounts in Control Panel but that did not give me access. Only disabling UAC did. Is there any documentation regarding UAC and NDES that might help me configure it for the customer, or point him in the right direction?

Can you confirm that all permissions have been set as described in?
Has the SPN been configured properly? I suppose that the account you call NDES user is the service account (member of IIS_IUSRS). Are the permissions for the device admins using the browser set correctly? Does the device website work correctly, i.e. do you see any errors in the browser or in the log files when you access the /mscep directory? Have the RA certificates been issued during setup, and are CRLs valid and accessible? (SCEP does revocation checking.)

Elke.

Hi Elke,

Thanks for your help. In response to your questions, I do have permissions set correctly in accordance with the NDES whitepaper, and I went over them again this morning to be sure. I am using the same domain user account for both the service account and device administrator (NDESUser) because we have multiple devices we want to enroll, so rather than creating multiple device administrator accounts, I'd prefer to use one if I can.
Since the permissions are similar, the device admin account using the browser should be set correctly as well. The SPN has been set correctly, and when trying to set it a second time, I get an error that it already exists and the process cancels out.
Hi,

Glad to hear that you have solved the issue, thank you for sharing!

> Is there any documentation regarding UAC and NDES that might help me configure it for the customer, or point him in the right direction?

Regarding the above, here is a related article: Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)

According to the article, when an administrator tries to retrieve a password while logged on to the same computer that hosts the Network Device Enrollment Service, the retrieval will fail. This is due to the User Account Control (UAC) feature in Windows Vista and Windows Server 2008. The resolution is: ensure that the logged-on user is not a member of the local administrator group, or retrieve the password from a remote computer (any other computer on the network). You can try to test if the resolution works.

Best Regards,
Amy

Please remember to mark the replies as answers if they help and un-mark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Important

This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Problem

A federated user is repeatedly prompted for credentials when the user tries to authenticate to the Active Directory Federation Services (AD FS) service endpoint during sign-in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune. When the user cancels, the user receives the Access Denied error message.

Cause

The symptom indicates an issue with Windows Integrated authentication with AD FS. This issue can occur if one or more of the following conditions are true:

- An incorrect user name or password was used.
- Internet Information Services (IIS) authentication settings are set up incorrectly in AD FS.
- The service principal name (SPN) that's associated with the service account that's used to run the AD FS federation server farm is lost or corrupted. Note: This occurs only when AD FS is implemented as a federation server farm and not in a stand-alone configuration.
- One or more of the following are identified by Extended Protection for Authentication as a source of a man-in-the-middle attack:
  - Some third-party Internet browsers.
  - The corporate network firewall, network load balancer, or other networking device is publishing the AD FS Federation Service to the Internet in such a way that IP payload data may potentially be rewritten.

Note: Try this resolution only when AD FS is implemented as a federation server farm.
Do not try this resolution in an AD FS stand-alone configuration.

To resolve the issue if the SPN for the AD FS service is lost or corrupted on the AD FS service account, follow these steps on one server in the AD FS federation server farm:

1. Open the Services management snap-in. To do this, click Start, click All Programs, click Administrative Tools, and then click Services.
2. Double-click AD FS (2.0) Windows Service.
3. On the Log On tab, note the service account that's displayed in This Account.
4. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
5. Type the following command, and then press Enter: SetSPN -f -q host/
   Note: In this command, the name after host/ represents the fully qualified domain name (FQDN) service name of the AD FS service endpoint. It does not represent the Windows host name of the AD FS server.
6. If more than one entry is returned for the command, and the result is associated with a user account other than the one that was noted in step 3, remove that association. To do this, run the following command: SetSPN -d host/
7. If more than one entry is returned for the command, and the SPN uses the same name as the computer name of the AD FS server in Windows, the federation endpoint name for AD FS is incorrect. AD FS has to be implemented again. The FQDN of the AD FS federation server farm must not be identical to the Windows host name of an existing server.
8. If the SPN does not already exist, run the following command: SetSPN -a host/

Note: When this workaround is applied for third-party application functionality, you should also uninstall hotfixes on the client operating system for Extended Protection for Authentication.

For passive clients

To disable Extended Protection for Authentication for passive clients, perform the following procedure for the following IIS virtual applications on all servers in the AD FS federation server farm:

- Default Web Site/adfs
- Default Web Site/adfs/ls

To do this, follow these steps:

1. Open IIS Manager and navigate to the level that you want to manage.

Note: Windows client operating systems must have specific updates installed to effectively use Extended Protection features.
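The SPN checks in the steps above (query host/FQDN, confirm it is held only by the service account noted on the Log On tab, and confirm the federation FQDN is not a server's own host name) can be run as one read-only script. The following PowerShell is an added example written for this page, not code from the KB article, the forum thread, or Microsoft. It assumes the AD FS Windows service is named adfssrv, that the ActiveDirectory RSAT module is installed on the farm member, and uses the constructed placeholder sts.contoso.example for the federation service FQDN; it searches only the current domain (setspn -f searches the forest). It changes nothing in AD: it reports findings and prints the SetSPN command the KB would have you run.

```powershell
# Added example (not from the KB article or the forum thread above): read-only
# check of the AD FS service SPN, mirroring KB steps 3, 5, 6, 7 and 8.
# Assumptions (also stated in the lead-in):
#   - the AD FS Windows service is named 'adfssrv' (assumed service name)
#   - the federation service FQDN below is a constructed placeholder
#   - the ActiveDirectory RSAT module is installed on this server
param(
    [string]$FederationFqdn = 'sts.contoso.example'   # placeholder; replace with the farm FQDN
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-AdfsServiceAccountSam {
    # KB step 3: the account shown on the service's Log On tab, reduced to its sAMAccountName
    $svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"   # assumed service name
    if (-not $svc) { throw "Service 'adfssrv' not found; is this an AD FS farm member?" }
    $logon = $svc.StartName
    if ($logon -match '^[^\\]+\\(?<sam>[^\\]+)$') { return $Matches.sam }   # DOMAIN\user form
    if ($logon -like '*@*') {                                               # UPN form
        return (Get-ADUser -Filter "userPrincipalName -eq '$logon'").SamAccountName
    }
    throw "AD FS runs as '$logon', which is not a domain service account"
}

function Get-SpnOwners {
    # KB step 5 (setspn -q): every object in the current domain that holds the SPN.
    # setspn -f searches the whole forest; this searches only the current domain.
    param([string]$Spn)
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName, sAMAccountName)
}

function Test-AdfsSpn {
    param([string]$Fqdn)
    $spn        = "host/$Fqdn"
    $serviceSam = Get-AdfsServiceAccountSam
    $owners     = Get-SpnOwners -Spn $spn
    $hostFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $findings   = New-Object System.Collections.Generic.List[string]

    # KB step 7: the federation endpoint name must not be a server's own host name
    if ($Fqdn -ieq $hostFqdn) {
        $findings.Add("'$Fqdn' is this server's host name; the federation endpoint name is wrong and AD FS must be redeployed")
    }

    switch ($owners.Count) {
        0 {
            # KB step 8: SPN missing entirely
            $findings.Add("SPN $spn is not registered; KB fix: SetSPN -a $spn $serviceSam")
        }
        1 {
            $owner = $owners[0]
            if ($owner.sAMAccountName -ine $serviceSam) {
                # KB step 6: registered on an account other than the service account
                $findings.Add("SPN $spn is held by '$($owner.sAMAccountName)' ($($owner.objectClass)), not by the service account '$serviceSam'; KB fix: SetSPN -d $spn $($owner.sAMAccountName) then SetSPN -a $spn $serviceSam")
            }
        }
        default {
            # Duplicate SPN: the KDC cannot map the SPN to one principal, so integrated auth fails
            $names = ($owners | ForEach-Object { $_.sAMAccountName }) -join ', '
            $findings.Add("SPN $spn is duplicated on: $names; remove every holder except '$serviceSam' with SetSPN -d")
        }
    }

    [pscustomobject]@{
        Spn            = $spn
        ServiceAccount = $serviceSam
        Holders        = @($owners | ForEach-Object { $_.sAMAccountName })
        Healthy        = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

Test-AdfsSpn -Fqdn $FederationFqdn | Format-List
```

Run it on one farm member as a user who can read AD; Healthy is true only when the single holder of host/FQDN is the account the service logs on as and the FQDN is not the server's own host name, which is exactly the state steps 5 through 8 are meant to restore.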