Configure the Certificate Authority for NDES
After installing ADCS and deploying an Enterprise CA, you now need to configure it for use with NDES.
This procedure assumes one domain administrator account acts as the NDES Service Account; you must also create a dedicated NDES user to act as the Application Pool account.
Go to Start > Administrative Tools > Server Manager, and select [ Tools ].
Select [ Active Directory Users and Computers ].
Expand your domain name and right-click Users.
Select New > User.
Give your NDES user a name and select [ Next ].
Specify a password for the NDES user and select [ Next ]. Then, select [ Finish ].
Right-click the user you just created and select [ Add to a group ].
In the Enter the object names to select box, type IIS_IUSRS and select [ OK ].
Right-click your NDES user and select [ Properties ].
Go to the Member of tab and verify the user is added to the IIS_IUSRS group.
Go to Start > Administrative Tools > Server Manager, and select [ Tools ].
Select [ Certification Authority ].
In the left pane, expand your CA and right-click Certificate Templates. Then, select [ Manage ].
Locate the Web Server certificate template. Right-click and select [ Duplicate Template ].
In General, give the certificate template a name (for example, NDES Encryption).
In Subject Name, select Supply in the request.
In Extensions, select Application Policies > Edit and add both Client Authentication and Server Authentication.
In Security, select [ Add ].
- In the Enter the object names to select box, enter the name of your NDES Application Pool user and select [ OK ].
- Give your NDES Application Pool user Read and Enroll permissions to the certificate.
- Give your NDES Service Account Full Control.
In Request Handling, set the purpose to Signature and Encryption. Select the options Include symmetric algorithms allowed by the subject and Allow private keys to be exported.
Select [ Apply ] to save your changes, and then select [ OK ].
Go to Start > Administrative Tools > Server Manager and select [ Tools ].
Select [ Certification Authority ].
In the left pane, expand your CA and right-click Certificate Templates. Then, select New > Certificate Template to Issue.
Select the NDES certificate template you just created and select [ OK ].
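As an added example (not from this guide or from Microsoft), the account steps and the final publish step above scripted in PowerShell, with checks that the account, the template's Enroll permission and the published template are in place. The account name, the template's internal name, and the use of Add-ADGroupMember for IIS_IUSRS (matching this page's use of Active Directory Users and Computers; on a member server the group is local and Add-LocalGroupMember applies) are assumptions, and duplicating the template and setting its Security tab remain console steps as on the page.

```powershell
# Added example (not from the original guide): scripts the NDES account steps and the
# "Certificate Template to Issue" step, then verifies the result.
# Assumptions: elevated PowerShell on the CA with the ActiveDirectory module and certutil
# available; IIS_IUSRS is visible in Active Directory Users and Computers, as on this page;
# the account and template names below are placeholders for your own.
Import-Module ActiveDirectory

$ndesUser     = 'ndes-apppool'    # placeholder: NDES Application Pool account
$templateName = 'NDESEncryption'  # placeholder: internal name of the duplicated template

# 1. Create the NDES Application Pool user; the password is prompted for, never stored in the script
$password = Read-Host -AsSecureString -Prompt "Password for $ndesUser"
New-ADUser -Name $ndesUser -SamAccountName $ndesUser -AccountPassword $password -Enabled $true

# 2. Add the user to IIS_IUSRS and verify membership (the "Member of" tab check)
Add-ADGroupMember -Identity 'IIS_IUSRS' -Members $ndesUser
$members = Get-ADGroupMember -Identity 'IIS_IUSRS' | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $ndesUser) { throw "$ndesUser was not added to IIS_IUSRS" }

# 3. Confirm the duplicated template exists in AD and that the Application Pool user has Enroll
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
               (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $templatesDn -Filter "cn -eq '$templateName'"
if (-not $tpl) { throw "Template $templateName not found; duplicate it in the Certificate Templates console first" }
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
$hasEnroll = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$ndesUser" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $enrollRight
}
if (-not $hasEnroll) { throw "$ndesUser does not have Enroll on $templateName; check the template's Security tab" }

# 4. Publish the template on the CA (New > Certificate Template to Issue) and check it is issued
certutil -SetCATemplates "+$templateName" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil could not publish $templateName" }
$issued = certutil -CATemplates
if (-not ($issued | Select-String -SimpleMatch $templateName)) {
    throw "$templateName is not listed by certutil -CATemplates"
}
Write-Host "$templateName is published and $ndesUser is in IIS_IUSRS with Enroll permission"
```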
For more information on installing and configuring Active Directory Certificate Services and NDES, refer to the Microsoft documentation.