Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Two improvements are available that shorten the time that is required to manage SCEP certificates by using the Network Device Enrollment Service in Windows Server 2008


View products that this article applies to.

Symptoms

In Windows Server 2008, you are trying to manage Simple Certificate Enrollment Protocol (SCEP) certificates by using the Network Device Enrollment Service (NDES). The NDES is installed as a part of Certificate services in Windows Server 2008. In this scenario, you experience the following issues:

Issue 1

Passwords cannot be reused among devices.

Based on the SCEP protocol, a device is required to send a password when it requests a certificate from an SCEP server for the first time. The SCEP server issues a certificate after validating the password.

The process by which the SCEP server issues a certificate after validating the password is as follows:
  1. The administrator logs on to a SCEP administration Web site and requests a password.
  2. The SCEP server generates a random password, stores it in the cache, and then displays the password to the administrator.
  3. The administrator configures the password on the device.
  4. The device sends this password in its initial request for a certificate.

    Note This password expires in 60 minutes.
  5. The server issues the certificate and then removes the password from the cache. The password can no longer be used by any other devices.
Issue 2

SCEP certificates cannot be re-enrolled automatically after they expire.

Because of these two issues, it may take administrators a long time to request passwords for all devices and to apply SCEP certificates to them.

↑ Back to the top


Resolution

To resolve these two issues, install hotfix 959193. This hotfix introduces the following two improvements:

Improvement 1

After you apply this hotfix, passwords can be reused among devices. The new process to manage passwords is as follows:
  1. The SCEP server confirms the registry setting for "Single Password" mode. In this mode, a master password is created and stored in the registry by using encrypted data. The master password never expires.
  2. An administrator logs on to an SCEP administration Web site and requests a password. The master password is delivered.
  3. The administrator configures the password on the device. Because the password is the same for all devices and because it never expires, the administrator can easily write a script to deploy the password on all devices.
How to enable improvement 1

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To enable this feature, create the following registry entry:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword
Name: UseSinglePassword
Type: REG_DWORD
Value: 1
Note If you are running NDES under the Network Service account, you must grant Full Control permission to the "Network Service" account under the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.

Improvement 2

Certificates can be re-enrolled automatically after they expire. This feature is enabled automatically after the hotfix is installed.

By default, when you request a certificate renewal by using this feature, the signer certificate must have the same subject name and alternate subject name as the requested certificate. To circumvent this requirement, set the value of the DisableRenewalSubjectNameMatch registry entry under the following subkey to 1.

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\DisableRenewalSubjectNameMatch

Note You may have to create this registry entry by using REG_DWORD type if the registry entry does not exist.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.


Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

There are no prerequisites.

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other previously released hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2008 file information notes
The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.

For all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Mscep.dll6.0.6001.22356139,77617-Jan-200904:50x86
For all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Mscep.dll6.0.6001.22356157,18417-Jan-200906:25x64

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More Information

For more information about SCEP, visit the following Internet Drafts Web site (IETF) Web site:

http://www.ietf.org/proceedings/69/slides/pkix-3.pdf

Note
This document will expire on July 25, 2009. For information after this date, search for "SCEP" on the home page of the Web site.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


For more information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates


Additional file information for Windows Server 2008

For all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Package_for_kb959193_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable13,17218-Jan-200901:10Not Applicable
Package_for_kb959193_sc~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42318-Jan-200901:10Not Applicable
Package_for_kb959193_server_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable13,64718-Jan-200901:10Not Applicable
Package_for_kb959193_server~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,43118-Jan-200901:10Not Applicable
X86_microsoft-windows-c..icateservices-mscep_31bf3856ad364e35_6.0.6001.22356_none_64ef9a95a650c86b.manifestNot Applicable43,47517-Jan-200907:10Not Applicable
For all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Amd64_microsoft-windows-c..icateservices-mscep_31bf3856ad364e35_6.0.6001.22356_none_c10e36195eae39a1.manifestNot Applicable43,50517-Jan-200909:42Not Applicable
Package_for_kb959193_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable13,28418-Jan-200901:10Not Applicable
Package_for_kb959193_sc~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43118-Jan-200901:10Not Applicable
Package_for_kb959193_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable13,76318-Jan-200901:10Not Applicable
Package_for_kb959193_server~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43918-Jan-200901:10Not Applicable

↑ Back to the top


Keywords: kbautohotfix, kbexpertiseadvanced, kbfix, kbsurveynew, kbqfe, kbhotfixserver, kb

↑ Back to the top

Article Info
Article ID : 959193
Revision : 1
Created on : 1/7/2017
Published on : 10/8/2011
Exists online : False
Views : 183