Easiest way to test SCEP with Afaria is to make use of the delivered ServerSCEPtest application. This application comes with Afaria`s PackageServer component. It can be found in the bin directory of the package server.
The test application is a Windows executable that executes the SCEP process through Afaria. You have two options available for the test:
I am going to execute the SCEP/NDES test using the package server. This is the Afaria component used by all clients to receive a client certificate for apps.
To run the test, at least the common name value must be filled in. This is the CN= part of the certificate. Normally, this is your user id. Unfortunately, the test tool is limited to 2048 bit key (Afaria SP8) and does not select you higher or custom values. To run the test, just select perform test button. The additional CSR informations like city, org, etc are taken from the package server configuration. These values are given by the Afaria admin.
The status of the SCEP process is shown in the log area. You can see that the CSR is created and send to the package server CA. After the test ran without errors, the returned certificate is saved to: C:\ProgramData\SAP\Afaria.
The see and validate the value of the new certificate, you can use the Crypto Shell Extensions of Windows Server.
The certificate was issued by the CA: CA. Lifetime is one year. And the template is AfariaUser. This matches exactly how the NDES template was configured.
To be 100% sure, the CA can be consulted. Normally, all issued certificates are stored there and can be consulted. Taking a look into the issued certificate list, I can see that a new certificate by the NDES user was issued using as a template AfariaUser. Therefore, the new NDES configuration is validated and working.
When you work with Afaria, you`ll sooner (iOS) or later (Android, WP) come in contact with certificates. To be more specific, with device (iOS) and user (all platforms) certificates. To make it as easy as possible to get those certificates available to the devices and users, an MDM solution makes use of SCEP. SCPE in the Microsoft world is called NDES, and is available with their CA. If you install everything following the official documentation, you`ll end up having
A working environment (yeah)
Most probably a certificate issue, as your users and devices get a certificate named IPSec (Offline request).
This default certificate is what Microsoft thinks fulfills most use cases of SCEP (sorry, NDES) and basically they are right. A device or user can use this certificate without problems for most of the scenarios. Most importantly, users can use it to authenticate themselves against services. It may be that
your security area does not like the name
the lifetime does not meet the requirement: its 2 years as given by Microsoft
it is missing some functionality
wrong algorithm or key length
or something else
All of the above points are valid and can invalidate the use of the default configuration. Which leaves you to the question: how to solve this?
To make Afaria get back from the CA a valid certificate based on a custom template, it only takes two steps:
Create a template
Assign template to NDES (SCEP)
With SCEP, Afaria is only consuming a service offered by CA. How the CA is treating the request, depends 100% on the CA. Therefore, no additional configuration is needed on the consuming service: Afaria. As a result of this, three steps are necessary to make Afaria get back a custom certificate:
I came recently across a strange error while trying to access my SAP Afaria 7 self-service portal. Suddenly I got a 403 error message.
The server was down for a few days as I did not have to use it. Maybe the shutdown of my VM didn`t work or Microsoft installed some patches, or something else. In the end, I could not log in anymore at my self-service portal at https://afaria.tobias.de/EUSSP/
I took a look at the site configuration at IIS Admin and the connection string to the AD looked good.
I reinstalled the self-service component, but no luck, still 403. Then I decided to take a closer look at the web site configuration. In IIS, there are ASP app pools, maybe something was wrong. Google pointed my to take a look at the ISAPI and CGI Restrictions located at the root of the web server.
The ASP.NET for 64 bit was not allowed to be used (restriction).
I activated that one. Afterwards, all are allowed (32bit and 64 bit, for all version)
To be on the safe side, I also run aspnet_regiis.exe –I from the installation directory of .NET v4 64bit.
Command: aspnet_regiis.exe –I
Now I was able to log on to SAP Afaria Self-Service Portal again!
Next component to be updated is the enromment server.
Select the DB type.
Select where the DB server is running.
In case the setup program can connect to the DB server, it will show a list of databases available to the user. Select the Afaria DB. In case an error occurs, check with one of the previous blogs on how to solve this issue.
The upgrade of the API service and administrator console is listed as one step, but will be executed as two steps:
1st the API service and directly afterwards the
As both are bound together, you cannot install the admin console separately. As the API service is installed first, you can upgrade the API service and not the admin console. This should not be done! Run the installation and update both at once.
SAP Afaria API Service
Start the installation
Keep account information
Select if you want to start the services. If you want to continue with the installation, do not start them now. The installation will now continue with the Afaria Admin setup.
SAP Afaria Administration
Keep account information
Select how the admin user will authenticate. Here I am using my Active Directory.
Either way, you`ll have to configure the LDAP URL Afaria will use to authenticate the user.
Start the Afaria Server update. First agree to the license agreement, of course, only when you have read the license and agree to it.
Afaria server update starts. First the currently running server service is stopped.
The setup program will stop the Afaria services. In case this is not possible, you are asked to do it manually or to restart the computer. In case the services are stopped successfully, the setup will start the Afaria Server installation.
Select DB server type
Select host where the DB server is running on and how to log on to the DB.
At this step, while testing the DB connection, I got an error message. The installer cannot connect to the Afaria DB. In my case, this was solved by starting the MSSQLServer process (for some reasons, SQL Server wasn`t started anymore).
Error: No connection to DB
Solution: Start SQL Server
Select the Afaria DB.
Confirm installation path
Confirm service account credentials
This can take a while …
Select if you want to start the services. If you want to continue with the installation, do not start them now.