Configure MSFT NDES to work with Afaria

The Afaria mobile client can request a client certificate from a corporate CA on behalf of the user. This means the user automatically gets a valid certificate without having to go through the complicated process of requesting and installing one. The user won't even notice that a certificate was requested and installed on the device; it is a fully transparent process. For this to work, Afaria needs to be configured to send requests to a CA (using SCEP), and the CA needs to be able to act on device requests. This is done by installing the NDES role on a Windows CA. After that, the CA needs to be configured to work together with Afaria.

A possible error message that occurs when this configuration has not been done is visible in the Afaria log. The error message will look like: “SCEPcertificateAcquisition Exception: ASN1 bad tag value met”

This error message does not occur out of nothing; it appears in the context of the Afaria client requesting a certificate from the Microsoft CA/NDES.

Here, a CSR with Subject CN=rds,O=Afaria,OU=Consulting,L=Rio de Janeiro … was sent to the CA by the Android app. The solution for this problem is given in SAP Note 2193313. The documentation that covers this error can be obtained either from SAP or from Microsoft:


Basically there are two solutions available:

  1. Deactivate the use of a password for NDES, or
  2. Activate the use of a password and configure Afaria to send the credentials

Easiest solution: deactivate the use of a password when requesting a certificate. This is done by changing a Windows registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword to 0.

This change requires a restart of IIS to ensure that the new value is picked up. Afterwards, the Afaria client can be used to request a certificate.
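The registry change and IIS restart described above, as an added PowerShell example (not from the original post), to be run in an elevated prompt on the NDES server. It assumes the value lives as a DWORD named EnforcePassword inside the MSCEP\EnforcePassword key; setting it to 0 removes the challenge-password check, so keeping it at 1 and giving Afaria the challenge password (option 2 above) is the stronger configuration.

```powershell
# Added example, not part of the original post.
# Registry key named on the page; the DWORD value inside it carries the same name.
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword'
$valueName = 'EnforcePassword'

function Get-NdesEnforcePassword {
    # Returns the current setting, or $null if the key or value does not exist yet.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$valueName } else { return $null }
}

function Set-NdesEnforcePassword {
    param([ValidateSet(0, 1)][int]$Value)

    $before = Get-NdesEnforcePassword
    Write-Host "EnforcePassword before: $before"

    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name $valueName -Value $Value -Type DWord

    # NDES runs inside IIS and reads this value at startup, so restart IIS
    # (as the post says) for the change to take effect.
    iisreset /noforce | Out-Null

    $after = Get-NdesEnforcePassword
    Write-Host "EnforcePassword after:  $after"
    return $after
}

# Option 1 from the post: no challenge password required (0).
# Use -Value 1 instead to keep the password and configure Afaria to send it (option 2).
Set-NdesEnforcePassword -Value 0
```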

This request can be followed in the Afaria log:


The client received a certificate. The certificate can be seen in the CA:


Afaria Setup – Windows preparations

The specific server requirements for Afaria can be taken from SAP PAM.

For the scenario of this document I assume that you simply want to try things out with Afaria, like getting an understanding of how it works and how to get a device managed by Afaria. To be able to install Afaria, you need a Windows Server 2008 R2 with SP1. To be able to enroll devices, a Certificate Authority that supports NDES is needed. While you can find Windows Server 2008 R2 on Amazon EC2, these are not Enterprise Editions, and you need an Enterprise Edition to install a CA that supports NDES. This feature is included in Server 2012 R2, but Afaria does not run on Windows Server 2012 R2.

To start with Afaria, you need to have a Windows Server 2008 R2 SP1 installation available. An alternative to buying one is to use the trial version. Microsoft offers a trial that is valid for 180 days. After all, the objective is to try things out with Afaria. The trial offered by Microsoft is delivered as a VHD image, so you’ll need Hyper-V (or transform it to a VMDK image).

After starting the image for the first time, Windows will configure itself.

After finishing the initial configuration, a password for the user Administrator must be given.

You do not have to change the password after the first logon, so you can already choose the one you want to work with.

In case you run your Windows 2008 R2 server in VMware, it is a good idea to install the VMware Tools.

Install VMware Tools

To install the VMware Tools, proceed as instructed by VMware: go to Manage and select the Install VMware Tools option.

This inserts a virtual CD that contains the VMware Tools files. Open Windows Explorer and navigate to the CD drive. Start the installation by running the file setup64.exe.

This will run the VMware Tools installer and install the tools.

To finish the installation, restart the computer.

Update system

The image provided by Microsoft is from 2009, meaning it comes with the patch level it was built with in 2009. This also means that this Windows version does not meet the minimum requirement of Afaria: SP1 for Windows Server 2008 R2. To get SP1 you either download the complete SP1 package from Microsoft or download and install it through Windows Update. The Windows Update process brings the image to a current and patched state, so this is the process you should follow.

Start Windows update and turn on automatic updates.

To be able to use Windows 2008 R2 with Windows Update, you first must update Windows Update itself.

Afterwards, Windows Update will start searching for missing updates. It will already show 127 missing updates. Be prepared: this is only the start of a lengthy update process.

This will take a while to finish. During this first update run, IE 9 will be installed. Afterwards, restart the computer. Windows will configure and install the updates.

Log on to Windows. Install more Windows updates.

Restart Windows. Log on again and install more updates.

Check for updates

Important: Afaria needs Windows 2008 Server with SP1. Make sure SP1 is part of the updates to be installed list.

Download updates including SP1 for Windows 2008.

SP1 is getting installed and configured.

Let Windows reboot and log on again.

SP1 for Windows Server 2008 R2 is installed. The minimum requirements of Afaria regarding Windows are now met.
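A check for the prerequisites stated in this section and in the requirements paragraph above (Windows Server 2008 R2, SP1, Enterprise Edition for the NDES-capable CA), as an added PowerShell example that is not part of the original post. It uses WMI so it runs on the PowerShell 2.0 shipped with 2008 R2; the function name and the boolean property names are my own.

```powershell
# Added example, not part of the original post.
function Test-AfariaHostPrereqs {
    # Win32_OperatingSystem carries version, service pack and edition (in Caption).
    $os = Get-WmiObject -Class Win32_OperatingSystem

    $is2008R2     = ($os.Version -like '6.1.*')             # 2008 R2 is NT 6.1
    $hasSP1       = ([int]$os.ServicePackMajorVersion -ge 1) # SP1 required by Afaria
    $isEnterprise = ($os.Caption -match 'Enterprise')        # needed for an NDES-capable CA

    return New-Object PSObject -Property @{
        Caption      = $os.Caption
        Version      = $os.Version
        ServicePack  = $os.ServicePackMajorVersion
        Is2008R2     = $is2008R2
        HasSP1       = $hasSP1
        IsEnterprise = $isEnterprise
        Ready        = ($is2008R2 -and $hasSP1 -and $isEnterprise)
    }
}

$check = Test-AfariaHostPrereqs
$check | Format-List Caption, Version, ServicePack, Is2008R2, HasSP1, IsEnterprise, Ready

if (-not $check.Ready) {
    Write-Warning 'This host does not yet meet the Afaria / NDES prerequisites described above.'
}
```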

It is best to check again for new updates and install them. Go to Windows Update and check for new updates.

Update Windows Update (yes, this is as funny as it sounds).


The good thing is that this will get you IE11.

After restarting Windows, continue installing patches.

Restart Windows to finish installing the patches. Finally, Windows is up to date.


In case you use a VM: take a snapshot or take a backup.
