Creating SCEP and AD CS Server

17,743 views

Daniel MacLaughlin

6 years ago

Disclaimer, as this has been commented on more than once:
This video is intended as a guide and should not be replicated directly in a production environment. The NDES service account has been given Domain Admin rights because the server is the Domain Controller, Root CA and NDES service all in one. This is not something that should be done in production. The minimum required permission for an NDES service account is membership of the local IIS_IUSRS group on the NDES server.
This video shows how to turn on a Windows 2012 R2 NDES server and use it with the MDM server Jamf Pro and, as a bonus, how to use NoMAD to access a user AD cert.

Comments: 19
@dt5173 6 years ago
You are really amazing Bro!! .. Even JAMF could not explain the integration of SCEP. You have explained very clearly. Thanks a lot for posting the video.
@satheeshkumarbabu7737 1 month ago
Thank you.
@abidemiagboola 5 years ago
Thanks for this Bro... Deeply appreciated!
@naaani123 7 months ago
Thank you..
@flymoracer 5 years ago
thanks Daniel. At 12:56 you mention that the JAMF server needs to be able to communicate to the CA. Obvs in your lab setup the NDES server and CA are the same server, which wouldn't be the case typically in a production environment. Does the JAMF server really just need to be able to reach the NDES server in order to obtain the challenge password?
@DanielMacLaughlin 5 years ago
Mike Elliott Hi mike, yes I meant the jamf pro server needs to contact the NDES component rather than the CA directly, and yes that is the case for any MDM using the dynamic Microsoft CA challenge method, your other options are to look at the ADCS Connector, or configure the NDES to have a multi use static password
@flymoracer 5 years ago
thanks Daniel. One other thing, the documentation mentions the requirement for a signing certificate for the JAMF server itself. Any idea what type of cert that needs to be and what EKU attributes it needs to include. I'm assuming an SSL cert with 'server authentication' will be enough.
@DanielMacLaughlin 5 years ago
Mike Elliott I assume the document you are referring to is for the SCEP proxy, which I made a different video for. This video is without any proxy; the SCEP proxy video I made shows how to create a signing cert.
@flymoracer 5 years ago
@DanielMacLaughlin thanks, will take a look at that
@flymoracer 5 years ago
@DanielMacLaughlin thanks, the SCEP proxy video covered exactly what I needed. Could you tell me why the NDES service account mentioned here needs to be a member of the Domain Admins group?
@mani2care 1 year ago
JAMF AND WINDOWS SERVERS are upgraded, can we have a new, updated version of the video, from end to end? It's helpful to configure the SCEP in Windows and also in Jamf
@spacewolfjr 3 months ago
You seem like a man I could be a best friend with... you also sound a little like Elon Musk
@jamauai 2 years ago
Close your eyes, you’ll hear Elon Musk.
@gotfunk5 3 years ago
FAIL! You NEVER add a service account to the Domain Admin group!
@DanielMacLaughlin 3 years ago
You are correct, this was an example where SCEP, ROOT CA and DC were all on the one box, something else you would never do in production
@sphbecker 2 years ago
NO Domain Admin!!!! That isn't acceptable. What access is actually needed?? If you don't know, please remove video. Harsh, but you should NEVER give that advice.
@DanielMacLaughlin 2 years ago
Please see other comments, Domain admin is required if you were doing SCEP, ROOT CA and DC all on the one server, something you should NEVER do in production, when the servers are separated out the NDES service account only needs to be a member of the local IIS_USRS group on the server running the NDES/SCEP service
@sphbecker 2 years ago
@DanielMacLaughlin that is fair. Thanks