Getting HTTP Error 500.0 - Internal Server Error when setting UseSinglePassword to 1
I have installed Network Device Enrollment Service (NDES) in my environment and I have a need for using a single password for challenge generated by NDES.

If I set the reg key UseSinglePassword to 1, I get the following error: "HTTP Error 500.0 - Internal Server Error" when I access http://NDESServer/certsrv/mscep_admin

If I leave it at the default (0) or set it back to 0 again, NDES works just fine and I can request a challenge key from http://NDESServer/certsrv/mscep_admin

I have tried several times restarting the server and IIS but it does not help. My CA and NDES server are running Windows Server 2008 R2 SP1 Enterprise.

Has anyone seen this problem before and know how to fix it?

Kind regards
Flagzz
March 24th, 2012 2:33pm

There should be some other information on the HTTP Error 500.0 page like this one http://forums.iis.net/t/1144489.aspx. You'd better provide more information.
March 26th, 2012 6:01am

Hi, Is there any update on this problem? If you need further assistance, please help to provide more information. Regards, Bruce
March 28th, 2012 2:22am

I ran into this issue as well. Here is what I did to resolve:

1. Open IIS Manager.
2. In the navigation pane, click Application Pools.
3. In Application Pools, click SCEP.
4. In the Actions Pane, click Advanced Settings.
5. Under Process Model, click Load User Profile. Set to True.
6. Click OK to all open dialog boxes.
7. Restart IIS.

I hope that helps!
April 4th, 2012 8:07pm

I encountered the same problem when using Single Password mode. Setting "Load User Profile" to True and restarting IIS worked to get the /certsrv/mscep_admin page to render properly and provide a challenge password, but restarting IIS a second time invalidated the EncryptedPassword string stored in the registry. I would receive these two errors:

The Network Device Enrollment Service cannot be started (0x8009000b). Key not valid for use in specified state.

The Network Device Enrollment Service has failed to decrypt the encrypted password or the decrypted password's length doesn't match the one configured in the registry. To fix this, delete the EncryptedPassword entry in the registry.

The reason this was happening was because a local user profile did not exist for the service account under which the SCEP AppPool was configured to run. As such, even though I enabled the "Load User Profile" setting, the AppPool identity was loading under a temporary/default profile that lost its settings once unloaded (which would happen whenever the app pool was stopped).

To fix this I had to first stop the W3SVC service (to unload the temporary profile), then interactively log into the server as the service account. Doing so created a permanent profile. Afterwards I deleted the stored EncryptedPassword value in the registry and started up IIS. Navigating to the /certsrv/mscep_admin page then fired up the AppPool, which generated a new password and encrypted/stored it in the registry. This time the app pool was able to decrypt the stored value upon subsequent IIS restarts.

As you might expect, if someone were to delete the local profile for the service account, the encryption key gets lost and you'll start to encounter problems again after a reboot.
April 24th, 2012 1:04pm
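
A read-only check for the two conditions described in the replies above (Load User Profile enabled, and a permanent local profile for the app pool's service account), added here as an example and not part of the original posts. It assumes the app pool is named SCEP as in the thread, runs under a specific service account, and that the WebAdministration module is available on the NDES server; the variable names are illustrative.

```powershell
# Added example: inspect the SCEP app pool's profile configuration (no changes made).
# Run in an elevated PowerShell session on the NDES server.
Import-Module WebAdministration

$poolName = 'SCEP'                       # app pool name as given in the thread
$pm = (Get-Item "IIS:\AppPools\$poolName").processModel

if ($pm.identityType -ne 'SpecificUser') {
    Write-Warning "Pool '$poolName' runs as $($pm.identityType); this check assumes a service account."
    return
}

# Resolve the service account to a SID so it can be matched to a local profile.
$account = New-Object System.Security.Principal.NTAccount($pm.userName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Win32_UserProfile.Status is a bit field; bit 1 marks a temporary profile.
$userProfile = Get-WmiObject -Class Win32_UserProfile -Filter "SID='$sid'"
$isTemporary = $null
$pathOnDisk  = $false
if ($userProfile) {
    $isTemporary = [bool]($userProfile.Status -band 1)
    $pathOnDisk  = Test-Path $userProfile.LocalPath
}

$report = New-Object PSObject -Property @{
    AppPool         = $poolName
    Account         = $pm.userName
    LoadUserProfile = $pm.loadUserProfile
    ProfileFound    = [bool]$userProfile
    ProfilePath     = $userProfile.LocalPath
    ProfileOnDisk   = $pathOnDisk
    Temporary       = $isTemporary
}
$report | Format-List

if (-not $pm.loadUserProfile) {
    Write-Warning "Load User Profile is False for '$poolName'."
}
if (-not $userProfile -or $isTemporary -or -not $pathOnDisk) {
    # Matches the state the thread describes: no permanent profile for the
    # account, so the stored EncryptedPassword stops decrypting after a restart.
    Write-Warning "No permanent local profile for $($pm.userName)."
}
```

Run it again after a profile has been created for the service account; both warnings should be gone before EncryptedPassword is regenerated.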

Great, that worked for me! I also found this information on a blog: http://blog.stephendolphin.co.uk/project-work/scep-on-windows-2008r2-for-iphones-ipads/

The problem described is: The Network Device Enrollment Service cannot be started (080070002)

For me it was error 500 (internal server error); this procedure worked for me also. Thanks!
June 6th, 2012 6:19am

This topic is archived. No further replies will be accepted.
