Let me start with a truism: running VMware without your own Certification Authority is pointless. Self-signed certificates bring the same problems, only in more complex configurations, and eventually they block further expansion of the environment. If the environment relies on a Microsoft Active Directory domain, the best choice is the CA that ships with Windows Server (in our case, 2008 R2).
When installing and configuring a VMware View environment, sooner or later you reach the point where every hardware terminal should have its own issued certificate. In this post I'll show how to do that for terminals built on the Teradici PCoIP processor (in our case the HP t310). We'll use the Simple Certificate Enrollment Protocol (SCEP) and, to make management easier, the terminal management console (Teradici PCoIP Management Console).
Microsoft's implementation of SCEP is the Network Device Enrollment Service (NDES). It is a role service of Active Directory Certificate Services and, according to the documentation, it should be installed on a different server than the Enterprise root CA. The simplest and most convenient choice is the server that already runs the DHCP role serving the terminals. Installing NDES is described here and here, and as you can see it is very straightforward.
The only place where you can trip up is the step of the wizard where you enter the name of the certificate template. In the figure below, the first line is the correct entry, i.e. the actual template name of the default IPSec (Offline Request) certificate template, while the following lines hold the incorrect default entries, IPSec Intermediate.
If you do not correct this, then when you open the Registration Authority (RA) page at https://ugdhcp1.pulab.local/certsrv/mscep_admin/ you get the following message instead of the challenge password:
The Network Device Enrollment Service cannot provide its password because the user does not have Enroll permissions on the certificate template configured, or the certification authority is not enabled to issue certificates based on the configured certificate template.
This page describes the errors that can plague you during the NDES installation. On the Teradici side there is a short knowledge base article that helps you avoid another mine: the SCEP server must be on the same network in which the PCoIP terminals operate.
Once everything is configured correctly, we get the message that is so pleasant to the eye:
What's next? Next, grab the Management Console. It is a virtual machine that is best imported straight into the environment with VMware vCenter Converter (the appliance ships ready to run in VMware Player). Configuring the environment correctly for the terminals requires preparing an appropriate DNS SRV record and a DHCP vendor class; the whole procedure is described in the documentation. Once the console is running, create a profile that includes the SCEP settings; I assume here that we are using Windows Server 2008 R2, which lets you prepare a non-expiring challenge password. Each terminal newly plugged into the network is assigned to the profile and immediately receives a key pair and a certificate. The key pair generated this way can be used for 802.1X, although that cannot be set in the global profile and has to be configured manually on each device. Questions?
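Before pointing the terminals at the RA it is worth checking the NDES side once from a shell, because the two causes named in the error message above (template not published on the CA, NDES account without Enroll permission) and an expiring challenge password are the things that silently break a profile-wide SCEP setup. The script below is an added example written for this post, not Teradici's or Microsoft's code. It assumes it runs in an elevated PowerShell 2.0 session on the NDES server (Server 2008 R2), as a user allowed to read the mscep_admin page; the CA config string is a hypothetical placeholder, the RA URL is the one from the post, and the 16-hex-digit password format in step 4 is an assumption about the mscep_admin page layout.

```powershell
# Added example, not from the original post: pre-flight check of an NDES server
# before the PCoIP Management Console profile is pointed at it.
# Run elevated on the NDES server (Server 2008 R2, PowerShell 2.0).

$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$RaUrl    = 'https://ugdhcp1.pulab.local/certsrv/mscep_admin/'   # RA URL from the post
$CaConfig = 'ugca1.pulab.local\pulab-CA'                         # hypothetical "host\CA name"

# --- 1. Template names the NDES setup wizard wrote into the registry -----------
# NDES asks the CA for exactly these template *names* (the "Template name" field
# of the template, not its display name). All three default to IPSECIntermediateOffline.
$mscep  = Get-ItemProperty -Path $MscepKey
$wanted = @()
foreach ($value in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    $name = $mscep.$value
    Write-Host ("{0,-22} = {1}" -f $value, $name)
    $wanted += $name
}

# --- 2. Are those templates published on the CA? ------------------------------
# certutil -CATemplates prints one line per published template as
# "<TemplateName>: <Display name> -- ...", so the text before the first colon
# is the name NDES will put in its request.
$published = certutil -config $CaConfig -CATemplates |
    Where-Object { $_ -match '^\S+:' } |
    ForEach-Object { ($_ -split ':', 2)[0].Trim() }

foreach ($name in ($wanted | Select-Object -Unique)) {
    if ($published -contains $name) {
        Write-Host "OK   template '$name' is published on $CaConfig"
    } else {
        Write-Warning "template '$name' is NOT published on $CaConfig; add it under Certificate Templates in the CA console"
    }
}
# This does not check the other cause in the NDES error text, the Enroll
# permission of the NDES service account on the template: look at the
# template's Security tab for that.

# --- 3. Single (non-expiring) challenge password for the PCoIP profile --------
# On Server 2008 R2 this is the UseSinglePassword DWORD under the MSCEP key.
$single = (Get-ItemProperty -Path $MscepKey -Name UseSinglePassword -ErrorAction SilentlyContinue).UseSinglePassword
if ($single -eq 1) {
    Write-Host 'OK   UseSinglePassword=1: the challenge password stays the same between requests'
} else {
    Write-Warning 'UseSinglePassword is not set: passwords are one-time and expire, so a static profile-wide password will stop working'
}

# --- 4. Fetch the challenge password from the RA, as the post does in a browser -
# PowerShell 2.0 has no Invoke-WebRequest, so use WebClient with the current
# Windows credentials (mscep_admin requires authentication). A trust error here
# means the IIS certificate on the NDES server is not issued by a trusted CA.
$web = New-Object System.Net.WebClient
$web.UseDefaultCredentials = $true
$html = $web.DownloadString($RaUrl)

if ($html -match 'cannot provide its password') {
    Write-Warning 'NDES refused: template not published or NDES account lacks Enroll permission (see step 2)'
} elseif ($html -match 'password is:\s*(?:<[^>]+>\s*)*([0-9A-Fa-f]{16})') {
    # Assumed format: a 16-hex-digit password; this is the value that goes into
    # the SCEP section of the PCoIP Management Console profile.
    Write-Host ("OK   challenge password: {0}" -f $Matches[1])
} else {
    Write-Warning 'unexpected response from the RA page; open it in a browser to read the full text'
    $html
}
```

If step 2 reports the template as published but step 4 still returns the refusal, the remaining suspect is the Enroll permission of the NDES service account on the template, which the script deliberately does not try to parse out of the template's ACL.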
Was this information helpful? Tell me, please leave a comment!