NDES authentication - HTTP Error 401. The requested resource requires user authentication.
Hi,
When I open http://<ndesserver>/certsrv/mscep from a remote machine I get to see the NDES page.
When I open http://<ndesserver>/certsrv/mscep_admin I need to authenticate.
If I use the local Administrator of the NDES-Server I get to see the full NDES dialog:
Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP).
To complete certificate enrollment for your network device you will need the following information:
The thumbprint (hash value) for the CA certificate is: XXXXX
The enrollment challenge password is: XXXXX
When I try the same using my Domain Administrator or the Deviceadmin account I'm unable to authenticate:
Not Authorized
--------------------------------------------------------------------------------
HTTP Error 401. The requested resource requires user authentication.
The Domain Administrators are in the local Administrators group of the NDES server.
What do I miss?
My configuration:
NDES installed including the default IIS components during setup
Enterprise-CA installed and working
SPN for NDES service account is set
NDES-Service-Account is memberOf IIS_IUSRS on the NDES-Server
NDES-Service-Account has "Read" and "Request Certificates" permission on the Enterprise-CA
NDES-Service-Account has "Read", "Enroll" and "Autoenroll" permissions on the published Certificate-Template that was set in the registry for EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate
Domain Administrators have "Read", "Enroll" and "Autoenroll" permissions on the published Certificate-Template
Deviceadminuser has "Read" and "Enroll" and "Autoenroll" permissions on published Certificate-Template but no other permissions on both servers (NDES and CA)
Thank you in advance!
Kind regards,
Carsten
June 28th, 2012 5:50am
Please ask this in the http://social.technet.microsoft.com/Forums/en/winserversecurity/threads forum.
Regards,
_Prashant_MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
June 28th, 2012 6:34am
If the permissions are set correctly, try to run the browser in elevated mode (UAC).
/Hasain
June 28th, 2012 7:33am
Are you using User Account Control? It may be configured to not prompt the local admin, but all other administrative accounts. Try starting IE with "Run as administrator" and visit the page again.
Kind regards,
MMF
June 28th, 2012 9:13am
Heh, double post from Carsten :) I thought the same, so I think we're right ;)
MMF
June 28th, 2012 9:14am
Hi,
Nope, doesn't work for me.
I've tried to open the link on a member server running 2003 with IE.
Providing domain administrator credentials only gets me the 401.
Providing the local administrator of the NDES works.
Kind regards
June 29th, 2012 10:10am
Could you please check and provide the exact error message from IIS logs/event logs on the NDES server?
/Hasain
June 29th, 2012 5:11pm
Hello Hasain,
thanks for your reply:
IIS log:
Opening http://ndes/certsrv/mscep_admin from my client computer using the local administrator of the server works:
2012-07-02 06:25:27 192.168.5.3 GET /certsrv/mscep_admin/ - 80 NDES\administrator 192.168.2.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 200 0 0 124
If I log in using my domain administrator account, I can't see anything in the logs for those credentials, and after a few tries I get the 401:
2012-07-02 06:26:01 192.168.5.3 GET /certsrv/mscep_admin/ - 80 - 192.168.2.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 2 5 15
I can't find anything related in the event logs.
Kind regards,
Carsten
July 2nd, 2012 2:32am
This seems to be an IIS related issue. You might take a look at the tips in this blog post about IIS, SPNs and Kerberos based authentication: http://blogs.msdn.com/b/nitgupta/archive/2007/12/25/ie-prompts-3-times-for-credentials-and-fails-with-401-1-error-message-while-website-is-set-to-run-on-windows-integrated-authentication-under-iis-6-0.aspx
/Hasain
July 2nd, 2012 12:54pm
Hi,
Since this issue is related to IIS, we can also seek help in the IIS forum to see if other experts who are familiar with IIS can provide any suggestions.
http://forums.iis.net/default.aspx?GroupID=41
Regards
Kevin
July 2nd, 2012 10:22pm
Hi,
I was experiencing the same problem... and I've got a solution "simply" by changing the order of "Providers" in Windows Authentication of the "mscep_admin" virtual directory: NTLM at the TOP of the list instead of "Negotiate"!!!
Now it works!! Really strange, because that was the default.
Try in this way and good luck!
Cheers,
MB
July 23rd, 2012 7:14am
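The provider reorder MB describes, together with the Kerberos/SPN checks Hasain's blog pointer is about, as an added PowerShell example. This is not code from the thread; it assumes the NDES site is "Default Web Site", the NDES application pool is named "SCEP", the host is ndes.example.local and the service account is EXAMPLE\ndessvc. Change those to match your environment and run it elevated on the NDES server.

```powershell
# Added example (not from the thread): inspect and, as a workaround, reorder the
# Windows Authentication providers on the mscep_admin virtual directory, and run
# the Kerberos/SPN checks that usually explain why a domain account gets 401
# where a local account of the NDES server succeeds.
Import-Module WebAdministration

$site     = 'Default Web Site'        # assumption: site that hosts /certsrv
$location = "$site/certsrv/mscep_admin"
$filter   = 'system.webServer/security/authentication/windowsAuthentication/providers'
$ndesFqdn = 'ndes.example.local'      # assumption: NDES host name clients use
$appPool  = 'SCEP'                    # NDES creates an app pool with this name
$psPath   = 'MACHINE/WEBROOT/APPHOST' # write to applicationHost.config <location>

function Get-MscepAdminProviders {
    # Provider names in the order IIS offers them; the first one is preferred.
    Get-WebConfigurationProperty -PSPath $psPath -Location $location `
        -Filter $filter -Name 'Collection' | ForEach-Object { $_.value }
}

Write-Output "Providers before: $((Get-MscepAdminProviders) -join ', ')"

# --- Kerberos checks: do these before downgrading the vdir to NTLM ---
# 1. Which account holds HTTP/<ndes>? It must be the SCEP app pool identity,
#    otherwise the KDC issues a ticket the pool cannot decrypt and Negotiate
#    fails for every domain user (local accounts never try Kerberos).
setspn -Q "HTTP/$ndesFqdn"
# 2. Duplicate SPNs anywhere in the forest break Kerberos for all holders.
setspn -X
# 3. What the SCEP app pool actually runs as (compare with step 1).
(Get-ItemProperty "IIS:\AppPools\$appPool").processModel.userName
# 4. From a domain-joined client, as the failing domain user:
#    klist get HTTP/ndes.example.local
#    No ticket = fix the SPN/identity; a ticket but still 401 = look at the vdir.

# --- Workaround from the thread: NTLM ahead of Negotiate, this vdir only ---
function Set-MscepAdminNtlmFirst {
    Remove-WebConfigurationProperty -PSPath $psPath -Location $location `
        -Filter $filter -Name 'Collection' -AtElement @{ value = 'NTLM' }
    Add-WebConfigurationProperty -PSPath $psPath -Location $location `
        -Filter $filter -Name 'Collection' -AtIndex 0 -Value @{ value = 'NTLM' }
}

Set-MscepAdminNtlmFirst
Write-Output "Providers after:  $((Get-MscepAdminProviders) -join ', ')"
```

Putting NTLM first makes mscep_admin stop using Kerberos, so treat it as a workaround rather than the fix. The symptom pattern in the thread (the server's local administrator works, domain accounts fail) is what a broken Kerberos path looks like: a local account cannot obtain a service ticket and drops straight to NTLM, while a domain account tries Kerberos first. Carsten's log line supports that reading: the failing request has "-" for cs-username and ends in "401 2 5", i.e. sc-status 401, sc-substatus 2 ("logon failed due to server configuration") and sc-win32-status 5 (ERROR_ACCESS_DENIED). If setspn -Q shows HTTP/<ndes> on an account other than the SCEP pool identity, or setspn -X reports a duplicate, fix that and keep Negotiate first.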