Afaria Setup 4: Install roles – Certificate Authority – NDE

Published by Tobias Hofmann on

2 min read

To enroll an iOS device to SAP Afaria, a certificate for this device is needed. For mobile apps, SAP Afaria client can be used to request a user certificate from the CA. All these requests are handled by SAP Afaria, making the certificate handling transparent to the user. For doing this, SAP Afaria needs a CA with NDE enabled.


  • Install a CA
  • Add a user for NDE

Install a CA

See previous blog about how to install a CA.

Add user for NDE

Create a user for NDE service using Windows tool: Active Directory Users and Computers.

Add a new user.

  • First name: ndeuser
  • Last name: n/a
  • Full name: ndeuser
  • Logon:

Inform password. As this is a test environment installation, it makes sense to not have a user whose password expires every N month.

  • Password never expires: yes

Confirm user data.

Assign user to group

Add ndeuser to IIS group using Windows tool: Active Directory Users and Computers.

Open the AD domain and go to folder Builtin. Select group IIS_IUSRS.

Go to tab Members

Click Add

Enter user: ndeuser and select Check Names.

This adds the AD user ndeuser to the local group IIS_IUSRS. This is needed for the NDE service of CA.

Add service NDE to Windows Server

Add Role Services.


  • Network Device Enrollment Service
  • Certificate Enrollment Web Service
  • Certificate Enrollment Policy Web Service
  • And all dependencies

Inform the user created earlier:

Inform registration authority (RA) information.

  • RA Name: Tobias-RA
  • Country: BR (or your country)
  • City: Rio de Janeiro (or your city)
  • State: RJ (or your state)

Inform key strength of RA

Inform the CA that will be used by NDE (use previously created CA).

Select authentication type going to be used to log on to NDE.

  • Windows Integrated Authentication: Yes

Specifiy service account:

Select a SSL certificate. Chose to select a SSL certificate later, as this certificate still does not exist and will be created later on.

Check the selected server roles.


Windows installs and configures NDE.

Installation results.


NDE installed on Windows Server, using previously installed CA for requesting certificates.

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.


Confused · October 29, 2015 at 22:00

Which version of Afaria does this process refer to. Afaria 7 SP5 supports Microsoft Native and doesn’t need NDES. Are you saying that IOS requesting a certificate doesn’t work with Microsoft Native?

    Tobias Hofmann · October 30, 2015 at 17:18

    The blog refers to version 7. While native MSFT CA is supported as of SP5, SCEP is also still available. Both are a valid solution to connect Afaria to a CA.

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.