EAP-TLS with Server 2008 SCEP for Apple Devices

In this lesson, you will learn how to configure Windows Server 2008 R2 so that Apple devices (iPhone/iPad) are able to receive a certificate through SCEP and use it to authenticate themselves to the wireless network using EAP-TLS.

This means that our Apple devices require a client certificate from our Windows server, and they should trust the root CA so that they can authenticate the RADIUS server.

NDES (Network Device Enrollment Service) is the service on Server 2008 that lets us enroll certificates to the Apple devices.

I’m going to assume that you have a running Active Directory, Certificate Authority, Network Policy Server, IIS and that you are able to authenticate wireless users running EAP-TLS.

If you don’t have this yet, please start with my PEAP and EAP-TLS on Server 2008 R2 tutorial before you continue, since it covers the installation of server 2008 for EAP-TLS authentication from scratch. Having said that, let’s authenticate some Apple devices to our wireless network!

Installing NDES Role

The first thing we have to do is install the NDES role on our server. NDES (Network Device Enrollment Service) is Microsoft’s implementation of SCEP (Simple Certificate Enrollment Protocol) and is normally used to enroll X.509 certificates to devices that are unable to use a web browser to request a certificate but which require a certificate for authentication. Think about network devices like routers, switches and firewalls. SCEP can also be used for Apple devices and to easily enroll certificates to multiple devices.

NDES requires an account that we use to enroll the certificates. It’s best to create a new user account for this so we will start with a new user called “NDES_USER”.

Click Start > All Programs > Administrative Tools > Active Directory Users and Computers

Windows Server 2008 Start Menu Active Directory

In the users folder, do a right mouse click and select New User.

Windows Server 2008 AD New User

We will call the new user “NDES_USER“. Click Next to continue.

Windows Server 2008 New NDES User

Enter a strong password and click Next to continue.

Windows Server 2008 NDES User Password

Finally click Finish to continue.

Windows Server 2008 New User Created

Our new NDES_USER has to be a member of the IIS_IUSRS group in order to work with NDES. Click (right mouse button) on our new user account and select Properties.

Windows Server 2008 User Properties

Select the Member of tab and click on Add.

Windows Server 2008 User Properties Member Of

Type in the IIS_IUSRS group and click on OK.

Windows Server User Select Group

You will now see that the NDES_USER is a member of the IIS_IUSRS group.

Windows Server 2008 User Groups

You can now close Active Directory since we’ll continue with the installation of NDES.

Click Start > All Programs > Administrative Tools > Server Manager

Windows Server 2008 Start Menu Server Manager

Click on Roles > Add Role Services

Windows Server 2008 Roles Add Role

Select Network Device Enrollment Service and click Next to add the NDES role.

Windows Server 2008 Role NDES

NDES will ask you for a user account to use. It tells you that the user account has to be a member of the IIS_IUSRS group. Click on the Select User button.

Windows Server 2008 Select NDES User

The wizard will prompt you to authenticate using the NDES account. Type in the NDES_USER username and the password that you configured. Click OK to continue.

Windows Server 2008 Add Role Services Authentication

Once you have entered the credentials correctly you will see the user account. Click Next to continue.

Windows Server 2008 NDES Selected User Account

In the next screen we have to specify the Registration Authority information. By default the RA name will be “COMPUTERNAME-MSCEP-RA”. I left it at the default, entered the correct country and if you want you can enter some additional details like an e-mail address, company, etc. Click Next to continue.

Windows Server Registration Authority Information

By default the Signature and Encryption keys are 2048 bit. I have left them at the default, click Next to continue.

Windows Server 2008 Configure Cryptography

The wizard will show you a nice overview, select Install to continue.

Windows Server 2008 Confirm RA

And you will see a nice progress screen for a few minutes…

Windows Server 2008 AD Services Progress

Finally you will see the results of the installation wizard. Click Close to continue.

Windows Server NDES Installed

NDES is now up and running. We still have to configure a certificate template so the server knows what kind of certificate to enroll when an Apple device requests one.

Configure Certificate Authority for SCEP

NDES / SCEP by default uses the IPSEC (Offline Request) template when you enroll a certificate. Since we want a certificate for EAP-TLS wireless authentication we’ll have to create a new template and tell the certificate authority to use the new template. To do this, we’ll create a custom template and configure it for client authentication.

Go to Start > All Programs > Administrative Tools > Certificate Authority.

Windows Server 2008 Start Menu Certificate Authority

Go to the Certificate Templates, right click on it and select Manage.

Windows Server 2008 Manage Certificate Templates

The IPSEC (Offline request) template that SCEP uses by default will be fine. We’ll use it as a template and edit it.

Select IPSec (Offline request), right mouse click and select Duplicate Template.

Windows Server 2008 Certificate Templates

I only have Windows Server 2008 machines so I’m selecting Windows Server 2008 Enterprise. Click OK to continue.

Windows Server 2008 Duplicate Template

You will see the properties of the new template. I will call the new template AppleEnroll. Select the Publish certificate in Active Directory checkbox.

Windows Server 2008 Certificate Template General

The next step is optional. Select the Cryptography tab and set the Minimum key size at 1024. In a production environment it’s probably better to leave it at 2048 but it helps to speed up the certificate generation on the mobile devices a little bit.

Windows Server 2008 Certificate Template Cryptography

Select the Security tab and make sure the NDES_USER has enroll permissions.

Windows Server 2008 Certificate Template Security

Select the Extensions tab, select Application Policies and take a look at the Application Policies. We copied the IPSEC (Offline request) template and it’s meant for IPSEC. We’ll change it so this template can be used for client authentication. Click on Edit.

Windows Server 2008 Certificate Template Extensions

Right now we only have the IP security IKE intermediate Application policy. Click Add and select Client Authentication.

Windows Server 2008 Certificate Template Extensions Edit

This template can now be used for IPSEC and Client authentication. We don’t need IPSEC so select IP security IKE intermediate and click on Remove. Click OK to continue.

Windows Server 2008 Certificate Template Extensions Client Authentication

Our custom “AppleEnroll” certificate template is now ready but we still have to enable it in the Certificate Authority. Click (right mouse button) on Certificate Templates and select New > Certificate Template to Issue.

Windows Server 2008 Certificate Template Issue Template

Select our AppleEnroll certificate template and click OK.

Windows Server 2008 CA Enable Certificate Template

If everything went ok you should see the AppleEnroll template and its Intended Purpose being Client Authentication.

Windows Server 2008 CA Overview

We are almost done but there is one more change we have to make. Even though we created a new custom certificate template, by default SCEP will always enroll the IPSEC (Offline request) template when a device requests a certificate. The only way to change this is by editing the registry.

Click on the Start button > type “regedit” (without the quotes) and hit enter.

Windows Server 2008 Start Regedit

Select HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP. Note that the default value is IPSECIntermediateOffline. We need to change all 3 values so double-click on them.

Windows Server 2008 Regedit MSCEP

Change the Value data to AppleEnroll. Click OK to continue.

Windows Server 2008 Regedit Edit String

If everything went ok the registry entries should show “AppleEnroll”.

Windows Server 2008 Regedit MSCEP Edited

Before the changes in the registry take effect you either have to restart IIS and Certificate Services or just reboot the entire server. Once you have done so it’s time to enroll a certificate to our Apple device.
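The same registry change and service restart, as an added PowerShell example that is not part of the original lesson. The three value names under the MSCEP key are assumed from NDES documentation, and the template name AppleEnroll is the one created above; run it in an elevated PowerShell on the NDES server:

```powershell
# Added example (not from the original lesson): point all three NDES/SCEP
# template values at the custom "AppleEnroll" template, verify the change
# and restart the services so NDES picks it up.
$key      = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$template = 'AppleEnroll'
$values   = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'  # assumed value names

# Show what is configured now (the default is IPSECIntermediateOffline)
Get-ItemProperty -Path $key | Select-Object $values

# Switch all three values to the custom template
foreach ($name in $values) {
    Set-ItemProperty -Path $key -Name $name -Value $template
}

# Verify: every value must now read AppleEnroll, otherwise stop here
$current = Get-ItemProperty -Path $key
foreach ($name in $values) {
    if ($current.$name -ne $template) {
        throw "$name is still set to '$($current.$name)'"
    }
}

# NDES and IIS cache the template names; restart both
Restart-Service -Name CertSvc
iisreset
```

If NDES still issues certificates from the old template after this, check the Event Viewer for template errors: the template must be published and the NDES account must have Enroll permission on it, as configured earlier in this lesson.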

Enroll Certificate to Apple Device

This is where the fun starts…we are about to enroll a certificate to an Apple device by using SCEP! Open up a web browser on your server or a computer that can reach the server and go to the following URL:

http://your-server-ip-address/certsrv/mscep_admin

You will receive a warning about the website certificate because it’s self-signed, just click Continue to this website.

Windows Server 2008 MSCEP Admin

Use the NDES_USER account to authenticate yourself to the server.

Windows Server 2008 MSCEP Authentication

You will see the Network Device Enrollment Service page and it will give you an enrollment challenge password. Copy and paste this to Notepad because we will need it in a minute.

Don’t double click on the password to select it, if you do it might add a space (empty character) at the start or end of the password.

Windows Server 2008 Network Device Enrollment Service Challenge Password

Our server is ready to enroll a certificate to the Apple iPhone / iPad. To configure our iPhone or iPad we need to use the iPhone Configuration Utility. You can download it from the Apple website for free. This utility lets us configure profiles from a Windows or Mac computer and apply them to your iPhone or iPad.

Despite the name, the iPhone Configuration Utility works for both the iPhone AND iPad.

Download this on your computer and make sure to connect your iPhone or iPad to your computer with a USB cable.

iPhone Configuration Utility Download from Apple

Install the iPhone Configuration Utility on your computer and connect your Apple iPhone or iPad.

We are going to use this to enroll a certificate to our Apple device and I’m also going to use it to configure a wireless profile so that it knows to which SSID it should connect and to use WPA2-Enterprise (802.1X).

Start the utility and create a new profile, select General and enter the following details:

  • Display name: EAP-TLS (pick any name you like).
  • Identifier: EAP-TLS (pick any name you like).
  • Organization: NetworkLessons (pick any name you like).
  • Description: Give it a descriptive name like “enroll certificate for EAP-TLS and configure wireless”.

There is no “OK” or “Apply” button. When you click on another button it will save your changes.

iPhone Configuration Utility General Configuration

Select Credentials and click on Configure.

iPhone Configuration Utility Credentials

You will get a pop-up and you will have to select the root CA of our Certificate Server. If you don’t have the root CA on your computer then take a look at my PEAP / EAP-TLS tutorial on Server 2008 to see how to export the root CA from your server.

Select your root CA (NETWORKLESSONS-AD-CA in my case) and click OK.

iPhone Configuration Utility Select Root Certificate

You will now see the root CA in the credentials overview.

iPhone Configuration Utility Credentials Root CA

Select SCEP and click on Configure.

iPhone Configuration Utility SCEP

In the following screen you will have to enter the following details:

  • URL: http://your-server-ip-address/certsrv/mscep/mscep.dll
  • Name: The name of your certificate server, look at the root CA certificate to see the correct name!
  • Subject: O=your-domain-name,CN=name-of-apple-device (Give the device a useful name, like “ReneIphone”).
  • Challenge: This is where you paste the enrollment password that you received from NDES through the web browser.
  • Key Size: this is the key size of the custom certificate template that we created. I have set it at 1024.

iPhone Configuration Utility SCEP Details

Scroll down to Fingerprint and select Create from Certificate. Select the Root CA certificate again and click on OK.

iPhone Configuration Utility Select Root Certificate
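Before pushing the profile, it is worth confirming that the SCEP URL above answers and that the CA certificate it serves is the same root CA you selected under Credentials. This added PowerShell check is not part of the original lesson; it assumes the SCEP URL used in this lesson and uses a placeholder for your root CA thumbprint:

```powershell
# Added example (not from the original lesson): fetch the CA/RA certificates
# from the NDES SCEP endpoint and compare the root against the CA you trust.
$scepUrl = 'http://your-server-ip-address/certsrv/mscep/mscep.dll'
$expectedRootThumbprint = '<THUMBPRINT-OF-YOUR-ROOT-CA>'   # placeholder, SHA-1 hex from the root CA cert

# GetCACert is the standard SCEP operation for retrieving the CA/RA certificates
$bytes = (New-Object System.Net.WebClient).DownloadData("${scepUrl}?operation=GetCACert&message=ca")

# NDES replies with a PKCS#7 bundle holding the CA certificate and the RA certificates
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($bytes)

# List everything the server handed out
foreach ($c in $chain) {
    "{0,-50} {1}" -f $c.Subject, $c.Thumbprint
}

# The root is the self-signed certificate in the bundle
$root = $chain | Where-Object { $_.Subject -eq $_.Issuer }
if (-not $root) { throw 'No self-signed root CA certificate in the SCEP response' }

if ($root.Thumbprint -ne $expectedRootThumbprint.ToUpper()) {
    throw "Served root thumbprint $($root.Thumbprint) does not match the CA you trust"
}
'SCEP endpoint reachable and the served root CA matches the profile'
```

If the download fails or the listing contains no CA certificate, the iPhone will fail at the same step, so fix the endpoint before installing the profile.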

Now we can configure the wireless profile to use EAP-TLS to connect. Select Wi-Fi and click on Configure.

iPhone Configuration Utility

Enter the following details:

  • Service Set Identifier: this is the SSID that you want to connect that is configured for EAP-TLS authentication. Mine is called “EAP”.
  • Security Type: WPA / WPA2 Enterprise.
  • Accepted EAP Types: TLS

iPhone Configuration Utility WiFi Settings

Click on the Authentication tab and select the credentials that we configured a few steps earlier.

iPhone Configuration Wi-Fi Authentication

Click on the Trust tab and put a mark in the checkbox next to the certificate that we selected before.

iPhone Configuration Wi-Fi Trust

Everything is configured as it should be. It’s now finally time to enroll a certificate to our Apple iPhone or iPad. I have an old iPhone 3Gs called “Rene’s Gym Buddy” (I like to connect it to the technogym equipment at the gym and watch some movies there). Select your device > Configuration Profiles > Install.

Make sure that your iPhone or iPad is connected to your computer with a USB cable AND that it is connected wirelessly to an SSID that can reach our certificate server. The iPhone Configuration Utility configures the Apple device, but the communication between the iPhone/iPad and the server goes directly to the server, not through your computer.

iPhone Configuration Utility Configuration Profiles

Now take a look at your iPhone or iPad and press Install.

Make sure the date and time on your certificate server and the Apple device match, otherwise you might run into issues when enrolling the certificate.

iPhone Configuration Utility Enroll Profile

Your iPhone will ask if it is OK to install the root CA in the list of trusted certificates. Press Install Now to continue.

iPhone Install Root Certificate

It might take some time to generate the keys but eventually the profile will be installed. Press More Details if you want to take a look at the different certificates.

iPhone Profile Installed

Our iPhone or iPad now has the root certificate in its trusted list and a client certificate that we can use to connect to our EAP-TLS wireless network. We are almost done but there’s still something we have to do in the certificate authority…

Map Client Certificate to User Account

We just enrolled a client certificate to our iPhone but we still have to map this client certificate to a user account in Active Directory. I will create a new user called “ReneIphone” and map the client certificate to it so whenever NPS (Network Policy Server) tries to authenticate the client certificate it will use this username.

In order to do this we first have to export the client certificate to a file…

Go to Start > All Programs > Administrative Tools > Certificate Authority.

Windows Server 2008 Start Menu Certificate Authority

Select Issued Certificates and look for the client certificate. Double click on the client certificate to open it.

Windows Server 2008 CA Issued Certificates

You can see that the client certificate has been issued to ReneIphone. Click on Details.

Windows Server 2008 Certificate

Click on Copy to File.

Windows Server 2008 Certificate Details

Click Next in the Wizard to continue.

Windows Server 2008 Certificate Export Wizard

Select DER file format and click Next.

Certificate Export Wizard DER

Select a File name and click Next to continue.

Certificate Export Wizard Filename

Click Finish to continue.

Certificate Export Wizard Finished

With the certificate stored in a file, it’s time to create the user account in Active Directory and map the certificate to it.

Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.

Windows Server 2008 Start Menu Active Directory

Click on View > Advanced Features.

Windows Server 2008 AD Advanced Features

We will add the new user account. Right click on the white space and select New User.

Windows Server 2008 Active Directory New User

Configure a password and click on Next.

Windows Server 2008 AD User Password

Click Finish to continue.

Active Directory User ReneIphone Created

Once you get back to Active Directory, do a right mouse click on the username and select Name Mappings.

Active Directory Name Mapping

Click on Add.

Active Directory Name Mapping Add

Select the filename that you just exported using the certificate export wizard and import it. Click OK to continue.

Active Directory Name Mapping Add Certificate

Your Security Identity Mapping will look like this. Click OK to continue.

Active Directory Security Identity Mapping

We are now done. Our client certificate has been mapped to the user account. We are ready to connect to the wireless network.

Connect to wireless network from iPhone using EAP-TLS

Head over to your iPhone and connect to the SSID that you configured using the iPhone Configuration Utility. Mine is connected to the SSID called “EAP”.

iPhone Connected to Wireless Network

And it has received an IP address from the DHCP server.

iPhone DHCP Lease

That’s all there is to it…you have now learned how to configure your Server 2008 Certificate Authority to enroll client certificates to your Apple iPhones and iPads, and how to connect them to the wireless network using EAP-TLS. As there are many different components, there are a lot of things that can potentially go wrong, which makes troubleshooting difficult. In the future I will add a “troubleshooting” section with the most common errors.

If you have any questions feel free to leave a comment, if you enjoyed this lesson please share it!



Forum Replies

  1. I’m getting stuck where the certificate gets installed on the iPhone. When I install the profile, I get “The SCEP server returned an invalid response”. There’s a couple of posts on Apple, etc to increase the query string for IIS, which I’ve done, but it didn’t help.

  2. Hi Cory,

    I’m glad to hear you like my material!

    First of all…the iPhone and EAP-TLS is a pain, it took quite some time to get it working and to fully understand how it works. When you use SCEP like I did in this tutorial it will generate a “machine” certificate for your iPhone but when the iPhone authenticates itself it will ALWAYS present its certificate as a “user certificate”. As a result it will fail unless you manually map the certificate to the user account in the AD like I did in the “Map Client Certificate to User Account” section. Another issue is that

    ... Continue reading in our forum

  3. Ok, thanks for that Rene, again love your work and all your tutorials are great!

  4. You can authenticate Macs with EAP-TLS and certificates but this tutorial that uses the iPhone Configuration Utility is just for the mobile devices.

  5. Hi Bryce,

    Sorry for the late reply. I know that there are solutions out there that will provision your iPhones / iPads with certificates and profiles but I’ve never worked with them before. Something like this:

    http://www.tower-one.net/en/products.html

    There’s probably a lot of products like that out there. With the number of iPads you have you’ll need something that does the auto-enrollment or it’s way too time-consuming. Like you said, using a pre-shared key is not a good idea…there’s no way to tell who has the key or not or when it has been leaked.

    The probl

    ... Continue reading in our forum
