Skip to main content
After installing ADCS and deploying an Enterprise CA, you now need to configure it for use with NDES.
You have one domain administrator account acting as a Service Account and must create an NDES user acting as the Application Pool account.

Create the user

Perform the following steps to create the NDES Application Pool user and assign it to IIS_IUSRS:
1
Go to Start > Administrative Tools > Server Manager, and select [ Tools ].
2
Select [ Active Directory Users and Computers ].
3
Expand your domain name and right-click Users.
4
Select New > User.
5
Give your NDES user a name and select [ Next ].
6
Specify a password for the NDES user and select** [ Next ].** Then, select** [ Finish ]**.
7
Right-click the user you just created and select** [ Add to a group ]**.
8
In the Enter the object names to select box, type IIS_IUSRS and select [ OK ].
9
Right-click your NDES user and select [ Properties ].
10
Go to the Member oftab and verify that the user is added to the IIS_IUSRSgroup.

Create the certificate template

Perform the following steps to create the NDES certificate template:
1
Go to Start > Administrative Tools > Server Manager, and select [ Tools ].
2
Select [ Certification Authority ].
3
On the left toolbar, expand your domain and right-click Certificate Templates. Then, select [ Manage ].
4
Locate the Web Server certificate template. Right-click and select [ Duplicate Template ].
5
In General, give the certificate template a name. (For example: NDES Encryption).
6
In Subject Name, select Supply in the request.
7
In Extensions, select Application Policies > Edit and add both Client Authentication and Server Authentication.
8
In Security, select [ Add ] and perform the following steps:
  1. In the Enter the object names to select box, enter the name of your NDES Application Pool user and select** [ OK ]**.
  2. Give your NDES Application Pool user the Read and Enroll permissions for the certificate.
  3. Give your NDES Service Account Full Control.
9
In Request Handling, set the purpose to Signature and Encryption. Select the options Include symmetric algorithms allowed by the subject and Allow private keys to be exported.
10
Select [ Apply ] to save your changes, and then select [ OK ].

Deploy the certificate

Perform the following steps to deploy the NDES certificate:
1
Go to Start > Administrative Tools > Server Manager and select [ Tools ].
2
Select [ Certification Authority ].
3
Expand your domain on the left toolbar and right-click Certificate Templates. Then, select New > Certificate Template to issue.
4
Select your NDES certificate you just created and select [ OK ].
For more information on installing and configuring Active Directory Certificate Services - NDES, refer to the Microsoftdocumentation.