retrieving challenge passwords from NDES


David Malcolm
May 15, 2013, 8:12:31 PM
to jscep-...@googlegroups.com
Hi

I'm using jscep successfully with NDES/ADCS on 2008 Server R2 with single password mode and auto-enrollment. However, I would like to change to try using generated one-time challenge passwords.

The Microsoft NDES in ADCS whitepaper (http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx) mentions obtaining the challenge password in "clear text", but I have not found any code in jscep (or elsewhere for that matter) that explains how to do this. Can anyone advise if this is really possible to do programmatically and, if so, post an example? If not in clear text, can the web page that displays the challenge password be obtained instead so the password can be parsed from the HTML?

Note that I have enabled SSL and my truststore and keystore certificate setup is working properly for enrolling devices with my fixed challenge password. Despite this I get authorisation errors (or just get an HTML page containing "You do not have sufficient permission to enroll with SCEP") if I try to connect programmatically to https://WIN2008/certsrv/mscep_admin/mscep.dll to obtain the challenge password HTML web page.

Any advice is much appreciated.

thanks
Dave

BillAE
Aug 30, 2013, 3:44:07 PM
to jscep-...@googlegroups.com
Hi David

I am looking for the same thing.  Have you found a solution?  Thanks.

Ryan Schipper
Aug 31, 2013, 7:55:46 AM
to jscep-...@googlegroups.com

Hi Bill and David,

Having worked with NDES on multiple occasions, no such API exists to my knowledge.

- Ryan

--
 
---
You received this message because you are subscribed to the Google Groups "jscep Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jscep-suppor...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

David Malcolm
Aug 31, 2013, 8:49:57 AM
to jscep-...@googlegroups.com
Bill, Ryan

I actually did manage to solve the authorisation issue. I was then able to obtain the webpage and parse the challenge password.

The code is on my machine at work so I'll post it on Monday.

cheers
Dave



Linda Le
Sep 3, 2013, 4:24:33 PM
to jscep-...@googlegroups.com
Hi Dave

This is great. Thanks Dave.

David Malcolm
Sep 4, 2013, 11:09:00 PM
to jscep-...@googlegroups.com
Sorry Bill, I have been ill. I sent the code separately to Dave today (Thursday).


On 4 September 2013 06:35, BillAE <bae2...@gmail.com> wrote:
Hi Dave

This is great that you found the solution.

I don't see the code posted yet. By any chance could you post it, please? Thanks



BillAE
Sep 9, 2013, 12:58:13 PM
to jscep-...@googlegroups.com
No issue Dave. Thank you very much and I hope you are having a speedy recovery!! Have a great day.

Fabián Rivera
Mar 5, 2014, 2:21:29 PM
to jscep-...@googlegroups.com, djma...@gmail.com
Hi David, I am currently trying to use SCEP with NDES/ADCS on 2008 Server R2, but I get this error: org.jscep.client.ClientException: org.jscep.transport.TransportException: 401 Unauthorized. I think this is because I am missing authentication data. Could you please give me some advice to make it work? Thanks!


David Grant
Mar 5, 2014, 2:24:54 PM
to jscep-...@googlegroups.com

Are you providing a password?

Dave


Fabián Rivera
Mar 6, 2014, 5:44:42 PM
to jscep-...@googlegroups.com
No, I have not found the right way to set the password. I saw in the documentation that I have to provide a Profile.

I don't know exactly what to put there, and I also don't know where to put my credentials (user and password).

Could you please give me a small sample or some advice?

Here is my log:

[main] WARN org.jscep.client.Client - AbstractTransport problem when determining capabilities.  Using empty capabilities.
C=UK,ST=Wales,L=Cardiff,CN=jscep.org
[main] WARN org.jscep.client.Client - AbstractTransport problem when determining capabilities.  Using empty capabilities.
org.jscep.client.ClientException: org.jscep.transport.TransportException: 401 Unauthorized
at org.jscep.client.Client.getCaCertificate(Client.java:278)
at org.jscep.client.Client.getEncoder(Client.java:694)
at org.jscep.client.Client.enrol(Client.java:619)
at request.X509Signing.main(X509Signing.java:92)
Caused by: org.jscep.transport.TransportException: 401 Unauthorized
at org.jscep.transport.UrlConnectionGetTransport.sendRequest(UrlConnectionGetTransport.java:61)
at org.jscep.client.Client.getCaCertificate(Client.java:276)
... 3 more

Thanks for your time!

David Grant
Mar 10, 2014, 5:23:34 AM
to jscep-...@googlegroups.com

Fabián Rivera
Mar 10, 2014, 11:38:00 AM
to jscep-...@googlegroups.com
Thanks, I was able to communicate with my SCEP server.

Now, I am receiving this message:

[main] INFO org.jscep.client.Client - SHA-512 PKCS#10 Fingerprint: [75290a1f322f7c77512fd9472726816ce682c3e0e63b7a0e731ba8eb5d5c6fff5d72ef05fca4e69aca7f60724885438d0f54541135bd2c9c33fe6456f441f972]
[main] WARN org.jscep.message.PkiMessageDecoder - Unable to verify message because the signedData contained no certificates.

Any hint?

Thanks!

David Grant
Mar 10, 2014, 11:39:37 AM
to jscep-...@googlegroups.com
This happens with certain SCEP servers. There isn't a lot you can do about it.

Dave


Fabián Rivera
Mar 10, 2014, 1:30:41 PM
to jscep-...@googlegroups.com
Could you please tell me how to display the debug messages in my Eclipse environment?

Thanks!

David Grant
Mar 10, 2014, 2:44:47 PM
to jscep-...@googlegroups.com
Adding slf4j-simple to your classpath should work, but I haven't tested it. Alternatively, integrate with Maven using m2eclipse.

Dave

Fabián Rivera
Mar 10, 2014, 4:23:17 PM
to jscep-...@googlegroups.com
Ok, thanks for your answers!

Ankit Jain
Mar 30, 2015, 12:51:38 AM
to jscep-...@googlegroups.com, djma...@gmail.com
Hi Dave,

I am trying to use jscep, but when I enrol, an InvalidContentException occurs saying that the expected content was "x509ca and x509 ra-ca but is null". I am very new to SCEP and NDES; can you help me out? Also, how can I programmatically receive the enrollment challenge password so that I don't have to hard code it anywhere in my program?

Thanks!
Ankit
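As an added example (not code from this thread or from the jscep project), this is how a jscep 2.x client enrols against NDES with a one-time challenge password: the password goes into the CSR as the PKCS#9 challengePassword attribute, which SCEP then carries inside the PKCS#7 envelope encrypted to the RA certificate, so it is never sent as HTTP credentials. The URL, subject and password values are placeholders, Bouncy Castle is assumed on the classpath, and the password itself is assumed to have been issued by the NDES administrator out of band; a 401 at the transport layer, as in the log earlier in the thread, is IIS rejecting the HTTP request before any SCEP message is parsed and is a separate matter from the SCEP challenge password.

```java
// Added example, not code from the thread or from jscep: enrol a device
// against NDES with jscep 2.x, carrying the one-time challenge password as
// the PKCS#9 challengePassword attribute of the PKCS#10 request.
// Assumptions (placeholders): the NDES URL, the subject name and the password.
import java.math.BigInteger;
import java.net.URL;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.jscep.client.Client;
import org.jscep.client.EnrollmentResponse;
import org.jscep.client.verification.CertificateVerifier;
import org.jscep.client.verification.OptimisticCertificateVerifier;

public class NdesChallengeEnrol {

    // Self-signed identity certificate: SCEP signs the request envelope with it
    // until the CA has issued the real device certificate.
    static X509Certificate selfSigned(X500Name subject, KeyPair kp) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 24L * 60 * 60 * 1000);
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(
                subject, BigInteger.ONE, notBefore, notAfter, subject, kp.getPublic()).build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    // The challenge password is a PKCS#9 attribute of the CSR, not an HTTP credential.
    static PKCS10CertificationRequest csrWithChallenge(X500Name subject, KeyPair kp, String password)
            throws Exception {
        JcaPKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(subject, kp.getPublic());
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword,
                new DERPrintableString(password));
        return builder.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder NDES enrolment endpoint; the password is taken from the command
        // line so it is never hard coded (assumed to come from the administrator).
        URL ndes = new URL("https://ndes.example.test/certsrv/mscep/mscep.dll");
        String challengePassword = args.length > 0 ? args[0] : "PLACEHOLDER_ONE_TIME_PASSWORD";

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name subject = new X500Name("CN=device01,O=Example");

        X509Certificate identity = selfSigned(subject, kp);
        PKCS10CertificationRequest csr = csrWithChallenge(subject, kp, challengePassword);

        // OptimisticCertificateVerifier accepts whatever CA certificate the server
        // returns; it is only suitable for a test bench. A production client should
        // verify the CA certificate against a pinned fingerprint.
        CertificateVerifier verifier = new OptimisticCertificateVerifier();
        Client client = new Client(ndes, verifier);

        EnrollmentResponse response = client.enrol(identity, kp.getPrivate(), csr);
        if (response.isSuccess()) {
            // Issued certificate (and chain) are in response.getCertStore()
            System.out.println("Enrolled: " + response.getCertStore().getCertificates(null).size()
                    + " certificate(s) returned");
        } else if (response.isPending()) {
            // The CA held the request for manual approval; poll later with
            // client.poll(identity, kp.getPrivate(), subject, response.getTransactionId())
            System.out.println("Pending, transaction " + response.getTransactionId());
        } else {
            System.out.println("Rejected: " + response.getFailInfo());
        }
    }
}
```

A one-time password retrieved from the mscep_admin page is single use and time limited on the NDES side, so the value obtained for a device should be consumed by exactly one enrolment and never written to logs; the log output earlier in this thread shows that jscep itself only prints the request fingerprint, not the CSR attributes.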