# Auth Connector

> Deploy the Applivery Auth Connector as a Docker container to supply SCEP challenge passwords for NDES Certificate Authority services.

Source: https://docs.applivery.com/en/device-management/general-settings/auth-connector/  •  Last updated: 2026-05-27

**Key topics:** Auth Connector Deployment, Certificate Provider Configuration, Docker Container Setup, SCEP Challenge Management, Applivery, Docker, SCEP, NDES, AMD64, ARM64

---

**TL;DR:** The Applivery Auth Connector, deployed as a Docker container, simplifies certificate requests by providing SCEP challenge passwords for devices, especially in private networks with NDES services.

The **Applivery Auth Connector** is a helper service that supplies your Applivery Workspace with valid SCEP challenge passwords, which are then delivered to Devices so they can request certificates. This is typically required when NDES Certificate Authority services are hosted within private networks.

Applivery distributes the Auth Connector as a **Docker container** for both **AMD64** and **ARM64** architectures.

From an infrastructure perspective, the Auth Connector establishes outbound connections to the PKI server running the NDES service, retrieves SCEP challenges, and reports them back to the Applivery Dashboard for use in device configurations.

## Configure the Certificate Provider

Before deploying the Auth Connector, you will need to configure a new Certificate Provider.

Once in the [**Applivery Dashboard**](https://dashboard.applivery.io/), navigate to the **Resources** section. From the left side menu, select **Certificate providers** and click the **+ Create Certificate provider** button.

The configuration form includes the following sections:

### Server Configuration

-   **Server URL**: `https://<your-ndes-server>/certsrv/mscep/mscep.dll`.
    
-   **CA Fingerprint**: This value must be extracted from the CA certificate used by the NDES server. To obtain it, open the CA certificate, navigate to the **Extensions** section, and locate the **CA Fingerprint entry**. Copy this value and paste it into the field.
    
-   **Authority name**: Enter the intermediate/issuing CA name exactly as it appears in the CA certificate.
    

### Key Configuration

-   **Key Size**: Typically **2048** or **4096**, depending on security policy.
    
-   **Key Type**: RSA.
    

### Subject Configuration

Configure subject fields as required by the consuming service. Applivery supports [interpolation tags](https://docs.applivery.com/en/device-management/general-settings/dynamic-variables-interpolation-tags/) to auto-fill values from device or user attributes.

### Challenge Configuration

-   **Mode**: NDES.
    
-   **URL**: `https://<your-ndes-server>/certsrv/mscep_admin`.
    
-   **Username**: Domain user with permissions for the Certificate Template configured on the NDES server.
    
-   **Password**: Password for the above user.
    

Click **Save**, then reopen the configuration to copy the **Auth Connector Token** displayed at the top.

![auth connector token](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/06f0d79a-cf20-4c9f-b578-ec4ac2db686b.png)

## Deploy the Auth Connector

Deploy the Auth Connector as a **Docker container**.

The service is packaged as a Docker image, which you can download from the **Applivery Docker registry**:

```
europe-southwest1-docker.pkg.dev/applivery/public/auth-connector
```

### Available versions

| Architecture | Tags |
| --- | --- |
| linux/amd64 | `latest`, `0.1.2` |
| linux/arm64 | `latest-arm`, `0.1.2-arm` |

### How to configure the container

You need to provide a few important pieces of information for the container to run:

-   **CONNECTOR\_TOKEN**: The token obtained from the Certificate Provider in the previous step.
    
-   **LOG\_LEVEL**: The level of logging detail. Options are `debug`, `info`, `error`, or `silent`. Default is `info`.
    
-   **LOG\_JSON**: Set to `true` to output logs in JSON format, or `false` for plain text logs. Default is `false`.
    

You can provide these settings in **two ways**:

1.  Using a `.env` file: A file that contains all the environment variables.
    
2.  Directly as environment variables in your **Docker run command** or **Docker Compose file**.
    

### Configuration file example

```
# Connector token of the Certificate provider. (required)
CONNECTOR_TOKEN=

# Required for private instance deployments.
# TENANT=

# Log level can be debug, info, error or silent. (default: info)
LOG_LEVEL=info

# Log as json. (default: false)
LOG_JSON=false

# Listening port for the report server. (default: 3000)
PORT=3000
```

:::info
You only need to set the **TENANT** variable for **Private Instances**.
:::
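
A pre-flight check for the configuration file above, meant to run before the container is started. This is an added example, not Applivery code: the function name `check_connector_env` and the owner-only permission requirement are assumptions of the example, while the keys and allowed values are the ones this page documents.

```bash
#!/usr/bin/env bash
# Added example (not Applivery code): pre-flight check for the Auth Connector .env file.
# Keys and allowed values are those documented on this page; requiring owner-only file
# permissions is this example's assumption, since the file stores the connector token.

check_connector_env() {
  local file="$1" errors=0 line key value mode
  local token="" level="info" json="false" port="3000"   # documented defaults

  [ -f "$file" ] || { echo "ERROR: $file not found"; return 2; }

  # GNU stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    *00|0) ;;   # no group/other access
    *) echo "ERROR: mode $mode exposes the token to group/others"; errors=$((errors + 1)) ;;
  esac

  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
    key=${line%%=*}
    value=${line#*=}
    case "$key" in
      CONNECTOR_TOKEN) token=$value ;;
      LOG_LEVEL)       level=$value ;;
      LOG_JSON)        json=$value ;;
      PORT)            port=$value ;;
      TENANT)          ;;   # only needed on private instances
      *) echo "ERROR: unexpected key '$key'"; errors=$((errors + 1)) ;;
    esac
  done < "$file"

  [ -n "$token" ] || { echo "ERROR: CONNECTOR_TOKEN is empty"; errors=$((errors + 1)); }
  case "$level" in debug|info|error|silent) ;;
    *) echo "ERROR: LOG_LEVEL '$level' is not debug, info, error or silent"; errors=$((errors + 1)) ;;
  esac
  case "$json" in true|false) ;;
    *) echo "ERROR: LOG_JSON must be true or false"; errors=$((errors + 1)) ;;
  esac
  case "$port" in ''|*[!0-9]*) echo "ERROR: PORT must be numeric"; errors=$((errors + 1)) ;; esac

  [ "$errors" -eq 0 ]   # exit status 0 only when every check passed
}

# Constructed sample: the template above with the token blank and an invalid log level.
sample=$(mktemp)
printf 'CONNECTOR_TOKEN=\nLOG_LEVEL=verbose\nLOG_JSON=false\nPORT=3000\n' > "$sample"
check_connector_env "$sample" || echo "not ready to deploy"
rm -f "$sample"
```

The function returns 0 when the file is ready, 1 when any check fails, and 2 when the file does not exist, so it can gate a deployment script.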

### Examples with Docker run

```bash
# Environment variables
docker run \
 -e CONNECTOR_TOKEN=YOUR_AUTH_TOKEN \
 -p 3000:3000 \
 europe-southwest1-docker.pkg.dev/applivery/public/auth-connector:latest
```

```bash
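# Config file (absolute host path, so Docker bind-mounts the file instead of looking for a named volume)
docker run \
 -v "$(pwd)/.env:/app/.env" \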
 -p 3000:3000 \
 europe-southwest1-docker.pkg.dev/applivery/public/auth-connector:latest
```

### Examples with Docker Compose

```yaml
services:
  # Config file
  applivery-auth-connector:
    image: europe-southwest1-docker.pkg.dev/applivery/public/auth-connector:latest
    volumes:
      - .env:/app/.env
    ports:
      - 3000:3000
```

```yaml
services:
  applivery-auth-connector:
    image: europe-southwest1-docker.pkg.dev/applivery/public/auth-connector:latest-arm
    environment:
      CONNECTOR_TOKEN: YOUR_AUTH_TOKEN
      #TENANT:
      LOG_LEVEL: info
    ports:
      - 3000:3000
```

## Status report

An HTTP service runs on port 3000 inside the Auth Connector container, exposing a status report with information such as:

-   Number of challenges requested.
    
-   Total error count.
    
-   Additional operational metrics.
    

The same status information is also available directly in the Certificate Provider configuration in the Applivery Dashboard via the connector status icon.

A **green checkmark** indicates that the connector has reported successfully within the **last 20 minutes**.

:::info
Errors such as **The password cache is full** indicate that **the NDES server has reached its request limit**. Adjust the corresponding Windows Server registry values to increase this limit.
:::
