IIS returning 404 to Network Device Enrollment Service PKIOperation requests
I am trying to get NDES configured on Windows 2008 Enterprise, but I have a problem. Everything appears to be installed correctly, and I can get an enrollment challenge password from the server, but it will not issue certificates.

Specifically, IIS logs the following when my devices (I have tried using two Juniper Netscreen firewalls, running ScreenOS 6.0.0r2.0 and 5.2.0r3d.0, and a Cisco 6504 running IOS 12.2(33)SXH2a) attempt to submit their certificate requests:

-----
2008-09-04 02:12:39 10.0.0.100 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=hsca04 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 218
2008-09-04 02:12:39 10.0.0.100 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation&message=<base64 encoded certificate request> 80 - 10.0.0.1 - 404 15 0 15
-----

That's the Cisco attempt, though the Netscreens return basically the same:

-----
2008-09-03 04:25:39 10.0.0.100 GET /certsrv/mscep/ operation=GetCACert&message=any 80 - 10.0.0.2 - 200 0 0 328
2008-09-03 04:25:39 10.0.0.100 GET /certsrv/mscep/ operation=PKIOperation&message=<base64 encoded certificate request> 80 - 10.0.0.2 - 404 15 0 703
-----

For some reason, the actual certificate request (PKIOperation) is returning 404. If I manually type a bogus request into IE, like:

"http://<server name>/certsrv/mscep/mscep.dll?operation=PKIOperation&message=this%20is%20bogus"

it processes the request and returns a 644 byte file. The GetCACert command does work, and the Cisco switch is definitely loading the issuing CA certificate.

Please help!

Thank you.
September 4th, 2008 5:37am

I've figured it out.

By default, IIS 7 installs with "Request Filtering" enabled, and the default maximum query string size (the length of the GET request string, it seems) is set to 2048 bytes, while the PKIOperation URL is closer to 3000 bytes. Setting the maxQueryString parameter for the NDES web site to 4096 resolved the problem.

For those wondering how to do this, there seem to be a couple of methods. The one I chose was to directly edit the "web.config" file in the root of the NDES site ("Default Web Site" on a stock installation), adding the following section:

    <security>
      <requestFiltering>
        <requestLimits maxQueryString="4096">
        </requestLimits>
      </requestFiltering>
    </security>

That gets inserted into the <system.webServer> ... </system.webServer> section. Restarting IIS was not necessary.

An alternative is to use the "appcmd.exe" command, which is located in the %systemroot%\system32\inetsrv\ directory. That directory is not in the PATH by default.

It bothers me that the lower-than-necessary query string limit was allowed into the RTM package when installing NDES. Didn't anyone test this first?
September 10th, 2008 8:21pm
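The two posts above describe the symptom (PKIOperation GET requests logged as 404 with substatus 15, which is the IIS Request Filtering "query string too long" code) and the fix (raising maxQueryString). The following script is an added example, not code from the thread or from Microsoft: it parses IIS W3C log lines in the field layout shown above, flags SCEP requests rejected by the 2048-byte default or exceeding a chosen limit, and suggests a new maxQueryString value. The sample log lines are constructed, with a padded stand-in for the base64 request body; the field order and the suggestion heuristic (longest observed query plus 25% headroom, rounded up to a multiple of 1024) are this example's assumptions.

```python
"""Flag SCEP PKIOperation requests rejected by IIS Request Filtering.

Added example (not from the thread). Reads IIS W3C extended log lines and
reports requests that hit HTTP 404.15 (query string too long) or whose
query string exceeds a configured maxQueryString.
"""
from urllib.parse import parse_qs

# Field order of the W3C log layout used in the thread (assumed; check the
# '#Fields:' header of your own log file before relying on it).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

DEFAULT_MAX_QUERY = 2048  # IIS 7 requestFiltering default (from the thread)

# Constructed sample: a padded stand-in for a base64 PKCS#7 enrollment request.
_LONG_MSG = "MIIB" + "A" * 2900
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2008-09-04 02:12:39 10.0.0.100 GET /certsrv/mscep/mscep.dll/pkiclient.exe "
    "operation=GetCACert&message=hsca04 80 - 10.0.0.1 "
    "Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 218",
    "2008-09-04 02:12:39 10.0.0.100 GET /certsrv/mscep/mscep.dll/pkiclient.exe "
    f"operation=PKIOperation&message={_LONG_MSG} 80 - 10.0.0.1 - 404 15 0 15",
]


def parse_iis_line(line):
    """Split one W3C log line into a dict keyed by FIELDS (status as ints)."""
    parts = line.split()  # IIS replaces spaces inside fields with '+'
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("sc-status", "sc-substatus", "sc-win32-status", "time-taken"):
        rec[key] = int(rec[key])
    return rec


def scep_operation(query):
    """Return the SCEP 'operation' parameter of a query string, or None."""
    if query == "-":
        return None
    return parse_qs(query).get("operation", [None])[0]


def check_query_limit(lines, max_query=DEFAULT_MAX_QUERY):
    """Return findings for requests rejected as 404.15 or longer than max_query.

    IIS compares the raw (still URL-encoded) query string against
    maxQueryString, which is also what it writes to cs-uri-query.
    """
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C directive headers
        rec = parse_iis_line(line)
        query = rec["cs-uri-query"]
        qlen = 0 if query == "-" else len(query)
        rejected = rec["sc-status"] == 404 and rec["sc-substatus"] == 15
        if rejected or qlen > max_query:
            findings.append({
                "client": rec["c-ip"],
                "operation": scep_operation(query),
                "query_len": qlen,
                "status": rec["sc-status"],
                "substatus": rec["sc-substatus"],
                "rejected_by_request_filtering": rejected,
            })
    return findings


def suggest_max_query(findings, current=DEFAULT_MAX_QUERY):
    """Suggest a maxQueryString: longest seen +25%, rounded up to 1024 bytes."""
    if not findings:
        return current
    longest = max(f["query_len"] for f in findings)
    needed = longest + longest // 4
    return max(current, ((needed + 1023) // 1024) * 1024)


if __name__ == "__main__":
    found = check_query_limit(SAMPLE_LOG)
    for f in found:
        print(f"{f['client']} {f['operation']} len={f['query_len']} "
              f"status={f['status']}.{f['substatus']}")
    print("suggested maxQueryString:", suggest_max_query(found))
```

Run it against a real log by replacing SAMPLE_LOG with the lines of an IIS log file; only requests whose query string actually exceeds the limit (or that IIS already tagged 404.15) are reported, so GetCACert requests and ordinary 404s for missing paths are left alone. The suggested value is a starting point: the message length grows with key size and the number of attributes in the request, so size the limit to the largest request body your devices can produce rather than to a single observed failure.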

Malachy Kidd, thanks for posting this. I had the same issue and this resolved it. To amend this on my server I used:

    %windir%\system32\inetsrv\appcmd set config /section:requestFiltering /requestLimits.maxQueryString:8192
April 15th, 2011 7:25am

Thanks for posting. Fixed me up too.

pauld
July 6th, 2011 2:26pm
