Symptoms
In Windows Server 2008, you are trying to manage Simple Certificate Enrollment Protocol (SCEP) certificates by using the Network Device Enrollment Service (NDES). The NDES is installed as a part of Certificate services in Windows Server 2008. In this scenario, you experience the following issues:
Issue 1
Passwords cannot be reused among devices.
Based on the SCEP protocol, a device is required to send a password when it requests a certificate from an SCEP server for the first time. The SCEP server issues a certificate after validating the password.
The process by which the SCEP server issues a certificate after validating the password is as follows:
-
The administrator logs on to a SCEP administration Web site and requests a password.
-
The SCEP server generates a random password, stores it in the cache, and then displays the password to the administrator.
-
The administrator configures the password on the device.
-
The device sends this password in its initial request for a certificate.
Note This password expires in 60 minutes. -
The server issues the certificate and then removes the password from the cache. The password can no longer be used by any other devices.
Issue 2
SCEP certificates cannot be re-enrolled automatically after they expire.
Because of these two issues, it may take administrators a long time to request passwords for all devices and to apply SCEP certificates to them.
Resolution
To resolve these two issues, install hotfix 959193. This hotfix introduces the following two improvements:
Improvement 1
After you apply this hotfix, passwords can be reused among devices. The new process to manage passwords is as follows:
-
The SCEP server confirms the registry setting for "Single Password" mode. In this mode, a master password is created and stored in the registry by using encrypted data. The master password never expires.
-
An administrator logs on to an SCEP administration Web site and requests a password. The master password is delivered.
-
The administrator configures the password on the device. Because the password is the same for all devices and because it never expires, the administrator can easily write a script to deploy the password on all devices.
How to enable improvement 1
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To enable this feature, create the following registry entry:
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword
Name: UseSinglePassword
Type: REG_DWORD
Value: 1
Note If you are running NDES under the Network Service account, you must grant Full Control permission to the "Network Service" account under the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.
Improvement 2
Certificates can be re-enrolled automatically after they expire. This feature is enabled automatically after the hotfix is installed.
By default, when you request a certificate renewal by using this feature, the signer certificate must have the same subject name and alternate subject name as the requested certificate. To circumvent this requirement, set the value of the DisableRenewalSubjectNameMatch registry entry under the following subkey to 1.
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\DisableRenewalSubjectNameMatch
Note You may have to create this registry entry by using REG_DWORD type if the registry entry does not exist.
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.
Prerequisites
There are no prerequisites.
Restart requirement
You have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other previously released hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2008 file information notes
The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.
For all supported x86-based versions of Windows Server 2008
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Mscep.dll |
6.0.6001.22356 |
139,776 |
17-Jan-2009 |
04:50 |
x86 |
For all supported x64-based versions of Windows Server 2008
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Mscep.dll |
6.0.6001.22356 |
157,184 |
17-Jan-2009 |
06:25 |
x64 |
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
For more information about SCEP, visit the following Internet Drafts Web site (IETF) Web site:
http://www.ietf.org/proceedings/69/slides/pkix-3.pdf
Note This document will expire on July 25, 2009. For information after this date, search for "SCEP" on the home page of the Web site.
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Additional file information for Windows Server 2008
For all supported x86-based versions of Windows Server 2008
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Package_for_kb959193_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum |
Not Applicable |
13,172 |
18-Jan-2009 |
01:10 |
Not Applicable |
|
Package_for_kb959193_sc~31bf3856ad364e35~x86~~6.0.1.0.mum |
Not Applicable |
1,423 |
18-Jan-2009 |
01:10 |
Not Applicable |
|
Package_for_kb959193_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum |
Not Applicable |
13,647 |
18-Jan-2009 |
01:10 |
Not Applicable |
|
Package_for_kb959193_server~31bf3856ad364e35~x86~~6.0.1.0.mum |
Not Applicable |
1,431 |
18-Jan-2009 |
01:10 |
Not Applicable |
|
X86_microsoft-windows-c..icateservices-mscep_31bf3856ad364e35_6.0.6001.22356_none_64ef9a95a650c86b.manifest |
Not Applicable |
43,475 |
17-Jan-2009 |
07:10 |
Not Applicable |
For all supported x64-based versions of Windows Server 2008
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Amd64_microsoft-windows-c..icateservices-mscep_31bf3856ad364e35_6.0.6001.22356_none_c10e36195eae39a1.manifest |
Not Applicable |
43,505 |
17-Jan-2009 |
09:42 |
Not Applicable |
|
Package_for_kb959193_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mum |
Not Applicable |
13,284 |
18-Jan-2009 |
01:10 |
Not Applicable |
|
Package_for_kb959193_sc~31bf3856ad364e35~amd64~~6.0.1.0.mum |
Not Applicable |
1,431 |
18-Jan-2009 |
01:10 |
Not Applicable |
|
Package_for_kb959193_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mum |
Not Applicable |
13,763 |
18-Jan-2009 |
01:10 |
Not Applicable |
|
Package_for_kb959193_server~31bf3856ad364e35~amd64~~6.0.1.0.mum |
Not Applicable |
1,439 |
18-Jan-2009 |
01:10 |
Not Applicable |
