search

dsccommunity / ActiveDirectoryCSDsc

DSC resources for installing or uninstalling Active Directory Certificate Services components in Windows Server.
https://dsccommunity.org
MIT License
51 stars 31 forks source link

Implement a resource to Configure NDES #92

Open paule96 opened 5 years ago

paule96 commented 5 years ago

Description

I have currently the problem I must implement NDES in my CA to let Linux devices request certificates. But I don't find any resources on how to automate this doing.

The UI steps what are todo to configure NDES can find here

Proposed properties

That are only the properties for the installation of NDES. For the configuration see the linked article. The list with the registry keys is maybe the easy step to implement.

Name Type Description Sample
ndesServiceAccount string A domain user account that is a member of the local IIS_USERS on the NDES Service server contoso\ndesService
caNameForNdes string the CA that creates the certificates that are requested by the NDES service. -
ndesRegistrationAuthorityInformation object, hashtable An Object that has a Name, Country, E-Mail, Company, Department, City, and State property. That Object configures the Registration Authority Information on the CA -
ndesCryptography object, hashtable Configure the cryptography provider for the signature key and the encryption key. -

Special considerations or limitations

PlagueHO commented 5 years ago

Hi @paule96 - this resource would be gratefully accepted.

I'd suggest you align the parameter names to be the same as the PowerShell cmdlet parameter names as this will simplify the code somewhat and also align to what Microsoft use: https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcsnetworkdeviceenrollmentservice?view=win10-ps

I'd generally recommend keeping the properties as closely aligned to the cmdlet parameters as possible. For example, I'd recommend against using object/hashtable for the RA info. Instead using the same parameters as the cmdlets: -RAName -RAEmail -RACompany -RADepartment -RACity -RAState -RACountry

The same would go for the ndesCryptogtaphy.

I'd also recommend against including things like "NDES" in the property names because it is redundant information because it is part of the NDES resource.

Finally, you'll want to use the IsSingleInstance resource pattern here too (as only a single NDES instance can be installed per node). See the other ActiveDirectoryCSDsc resources for examples there.

Would be very keen to get this in! So thank you for contributing!

paule96 commented 5 years ago

I have started a little bit of investigating in that issue. The currently working code is this:

Script ActiveNetworkDeviceEnrollmentService{
            SetScript = {
                $secureStringPassword = ConvertTo-SecureString $Using:UserPassword -AsPlainText -Force
                Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $Using:UserDomainName -ServiceAccountPassword $secureStringPassword -CAConfig $Using:CaConfigName -RAName $Using:RaName -RACountry "DE" -RACompany $Using:DomainName -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 4096 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 4096
            }
            GetScript={

            }
            TestScript = {
                # stolen from https://github.com/microsoftgraph/powershell-intune-samples/blob/958cb9990fa3ab5a3eafd3f44e2284ef5b7e9774/CertificationAuthority/Validate-NDESConfiguration.ps1#L908
                return Test-Path HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP
            }
        }

Currently, I don't know how to get a complete Test or Get method implemented because of the registry HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP only return this:

Name                           Property
----                           --------
CAInfo                         Configuration : ca01.side01.local\Side01 Root CA
CAType                         CAType : 1
CertsInMYStore                 CertsInMYStore : 1
EnforcePassword                EnforcePassword : 1
PasswordVDir                   PasswordVDir : CertSrv/mscep_admin
UseSinglePassword              UseSinglePassword : 0

But I don't know where I can find the Ra* information.

So maybe I know more tomorrow. :) So I can start with a real DSC resource in this project.

paule96 commented 5 years ago

Okay the information I was searching for are included in the ndes certificate.

PlagueHO commented 5 years ago

Cool! Good stuff @paule96

paule96 commented 5 years ago

update of my script wich I currently use:

        Script ActiveNetworkDeviceEnrollmentService{
            SetScript = {
                $secureStringPassword = ConvertTo-SecureString $Using:UserPassword -AsPlainText -Force
                Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $Using:UserDomainName -ServiceAccountPassword $secureStringPassword -CAConfig $Using:CaConfigName -RAName $Using:RaName -RACountry "DE" -RACompany $Using:DomainName -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 4096 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 4096
            }
            GetScript={

            }
            TestScript = {
                $validNdesCertificates = 0;
                $allCerts = Get-ChildItem "Cert:\LocalMachine\My" | select Thumbprint, Subject,Extensions -ExpandProperty Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2" -or $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"} | Sort-Object Thumbprint -Unique;

                foreach($cert in $allCerts) {
                    $extension = $cert.Extension | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2" -or $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"} | Select -First 1;
                    $templateName = $extension.Format(0);
                    # Todo: That is also not very stable because we need both certificates types. Not 2 of one.
                    if($templateName -eq "CEPEncryption" -or $templateName -eq "EnrollmentAgentOffline"){
                        # Todo: this is maybe wrong because if I set an Email thats wrong
                        # that will be fix if we have a real DSC resource with parameters
                        # then I can check the things by it self
                        if($cert.Subject -eq ("CN=" + $Using:RaName + ", O=" + $Using:DomainName  + ", C=DE") ){
                            $validNdesCertificates += 1;
                        }
                    }
                }
                # stolen from https://github.com/microsoftgraph/powershell-intune-samples/blob/958cb9990fa3ab5a3eafd3f44e2284ef5b7e9774/CertificationAuthority/Validate-NDESConfiguration.ps1#L908
                return ($validNdesCertificates -eq 2) -and (Test-Path HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP);
            }
        }

I think I have now enough know how to start a real implementation of that DSC resource.

paule96 commented 5 years ago

Cool! Good stuff @paule96

Thanks @PlagueHO 👍