NDES - The Network Device Enrollment Service cannot retrieve information about the certification authority (0x80004005). Unspecified error

Hi there!
This explains my setup:
1x RootCA (offline) running Windows Server 2003
2x Issuing CAs (CA\CA01 and CA2\CA02 - both online) running Windows Server 2003
1x new Windows Server 2008 R2 for NDES (nothing else)
I'd like to get NDES up and running, so I've installed it as explained here:

http://technet.microsoft.com/en-us/library/ff955646(v=ws.10).aspx
(in step 10 default values)
SCEP administrator account: myAccount (Domain Admin)
SCEP Service account: ndes_service (member of the local ISS_IUSR group), has Read and Request permissions on the configured CA, has Read and Enroll permissions on the device certificate template.
After installing NDES (without any errors) I've got two new certificates in the personal computer store (one issued using the CEP Encryption template, one using the Exchange Enrollment Agent (offline request) template). The ndes_service account has Read permissions on both certificates.
I did set an SPN for the service account:
Setspn -s http/ndes.domain.name domain\ndes_service
Setspn -s http/ndes domain\ndes_service
Nothing in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP has been changed so far. (ndes_service has Read permissions)
Nothing in IIS has been changed after installing with NDES.
When I open http://ndes/certsrv/mscep/ or

http://ndes.domain.name/CertSrv/mscep_admin/
I can only see an error 500 (500 - Internal server error.)

Application log on the server gives me:
The Network Device Enrollment Service cannot retrieve information about the certification authority (0x80004005). Unspecified error
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error
The Network Device Enrollment Service cannot be started (0x800700ea). More data is available.

I've enabled NDES logging (certutil -f -setreg debug 0xffffffe3), but can't find any logs.
certutil -config CA1\CA01 -ping shows me:
Connecting to CA1\CA01 ...
Server "CA01" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

Any help is much appreciated.
Thanks in advance.
Regards,
Carsten

June 12th, 2012 8:51am
Hi Carsten,
Can you check if the NDES sys account has admin privileges? If not, I would suggest temporarily elevating that account to admin and retrying to see if you get the same errors.
Kind Regards,
Martin
If you find my information useful, please rate it. :-)

June 12th, 2012 10:45am
Hi Martin,

the ndes_service account didn't have admin privileges.
I gave him local admin on the NDES server, but that didn't change the startup behavior.
The Network Device Enrollment Service cannot retrieve information about the certification authority (0x80004005). Unspecified error
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error
The Network Device Enrollment Service cannot be started (0x800700ea). More data is available.
Thank you.

Kind regards,
Wolfgang

June 13th, 2012 1:38am
Hi Martin,

the ndes_service account didn't have admin privileges.
I gave him local admin on the NDES server, but that didn't change the startup behavior.
The Network Device Enrollment Service cannot retrieve information about the certification authority (0x80004005). Unspecified error
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error
The Network Device Enrollment Service cannot be started (0x800700ea). More data is available.
Thank you.

Kind regards,
Carsten

June 13th, 2012 1:38am

This topic is archived. No further replies will be accepted.
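
The prerequisite checks described in the first post, collected into one read-only script as an added example that is not part of the original thread. The account, CA config string and registry path are the values posted above; the 500-event window is an arbitrary assumption.

```powershell
# Added example: read-only checks for the NDES setup described in the thread.
# Run in an elevated PowerShell session on the NDES server.
# All names are the thread's own values; replace them with yours.
$ServiceAccount = 'domain\ndes_service'   # SCEP service account from the post
$CaConfig       = 'CA1\CA01'              # CA config string used with certutil -ping
$MscepKey       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

Write-Host '== 1. SPNs registered on the service account =='
# The post registered http/ndes and http/ndes.domain.name; both should be listed.
setspn -L $ServiceAccount

Write-Host '== 2. CA reachable over ICertRequest =='
certutil -config $CaConfig -ping

Write-Host '== 3. MSCEP registry configuration and its ACL =='
# Dump the key and every subkey so the configured CA and templates are visible.
Get-ItemProperty -Path $MscepKey
Get-ChildItem -Path $MscepKey -Recurse |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath }
# The service account needs at least read access here.
(Get-Acl -Path $MscepKey).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

Write-Host '== 4. Certificates in the local machine Personal store =='
# NDES setup enrolls two certificates; each must still have its private key.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint |
    Format-List

Write-Host '== 5. Recent NDES events in the Application log =='
# Filter on message text so no provider name has to be assumed.
Get-WinEvent -LogName Application -MaxEvents 500 |
    Where-Object { $_.Message -like '*Network Device Enrollment Service*' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

If the service account was temporarily elevated to local administrator while testing, as suggested in the thread, remove that membership again once the cause is found.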
