Network Device Enrollment Service - Renewing service certificates
Hi all,

I am running into some major problems with the NDES feature of Server 2008 (non R2, up-to-date). NDES uses two certificates to service the routers' requests and enroll certificates for them:
- CEPEncryption (a template enrollable for machines)
- Exchange Enrollment Agent (Offline Request) (a template enrollable for users)

After installing NDES, everything's fine: the two certificates are in the MY store of the local computer (the RA, actually the signing Sub CA) and the NDES service account has Read permission on the private key. The two certificates have a two-year validity period and are not automatically enrolling after expiring. So I want to enroll these two certificates and use the new ones. And here the problems start:
- even if both certificates of both required templates are requested and in the My store, NDES stops functioning. Here's an excerpt of the event log:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

I am using this guide to request and install the certificates and have tried every single possibility there is out there: http://blogs.technet.com/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx - not working.

So the only thing working for me right now is the "Renew certificate with new key" on the CEP Encryption certificate while being in the My store of the local computer. But that's just one out of two certificates, and the next one proves more difficult.
Renewing the EnrollmentAgentOffline fails (because you need a user to enroll for it), so I have to manually request it and move it there - not working.
Renewing both certificates via the web enrollment pages and then moving the certificates into the My store of the local computer and setting Read permission for the NDES account - not working.
A Microsoft employee said that I had to request it with the service account's certificates console - strange but doable, but also - not working.

I am so out of ideas trying to get NDES working after changing the certificates, I would really appreciate feedback. It's really a major letdown from Microsoft to not offer any decent documentation on the NDES feature and to not provide informative feedback (no offense to the employee but to the logs and error messages).
So please - help me out and save my day. It looks like they hard-coded some information about the certificates somewhere, so you can't just change them. Am I really the only one trying this? :D

Greetings, MMF
March 6th, 2009 3:25pm
Hi there, I see this issue is more with Active Directory certificate enrollment, which you need to post under the Security forum under Windows. Also I saw that you have already posted your problem under the blog which you have mentioned in your post, so I would suggest to a) post your query under the Security forum under Windows b) wait until someone checks the functionality, as this requires time to set up the architecture for NDES.
sainath
March 6th, 2009 9:16pm
Hi,

From the following guide: Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates http://blogs.technet.com/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx

We can find you need to give the NDES account full control on the Exchange Enrollment Agent certificate and the CEP Encryption certificate when performing the "Setting Permissions on the Private Keys" section. Please try to change the permission to test. Also, please try the "Testing Enrollment" section. Visit http://<servername>/certsrv/mscep_admin to get the password and visit http://<servername>/certsrv/mscep to enroll for the certificate. If there is any error, please let us know the detailed error message.

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
March 9th, 2009 2:04pm
Hi,

Thanks for your answers. I already tried giving full control to the keys, because I read it in the blog. Standard permissions on the RA certificates are Read-only for the NDES service account, so I assume Read is enough. Full control doesn't work either. If I visit the mentioned links (MSCEP and MSCEP-Admin), only the IIS error pages are shown:

HTTP Error 500.0 - Internal Server Error
The page cannot be displayed because an internal server error has occurred.

In the event log, the following errors are listed:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

Maybe something's screwed up pretty badly in my testing environment, but I really can't believe it. It's a fresh install and I double-checked all permissions (templates) and so on.

Greetings, MMF
March 10th, 2009 10:44am
Hi,

Based on my test, the error "HTTP Error 500.0 - Internal Server Error" is caused by certificates too. Let's try to request and install the CEP Encryption Certificate and the Exchange Enrollment Certificate:

Log on as the NDES service account, visit http://<servername>/certsrv, choose Request a certificate, click advanced certificate request, click Create and submit a request to this CA. Choose Exchange Enrollment Certificate, type some basic information, click Submit. Continue and install the certificate. Repeat to request and install the CEP Encryption Certificate.

Open MMC. Click the File menu, click the Add/Remove Snap-in button, click Certificates, click Add, choose Local Computer, click Add again, choose Current User, click OK. Open Personal certificates of Current User, move the new Exchange Enrollment Certificate and CEP Encryption Certificate to Personal certificates of Local Computer.

Run "iisreset" to reset IIS. Try to visit http://<servername>/certsrv/mscep_admin and http://<servername>/certsrv/mscep. What's the result?

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
March 10th, 2009 3:56pm
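As an added check that is not part of any post in this thread: after moving the renewed certificates into the computer store and before running iisreset, the script below verifies on the NDES server what the posts above say NDES needs, namely an unexpired CEPEncryption and EnrollmentAgentOffline certificate in LocalMachine\My, each with its private key present and the key's CAPI container file granting the service account Read. It assumes CAPI RSA keys (the Server 2008 default for these V1 templates, stored under MachineKeys), an elevated PowerShell session, and a placeholder service account name that must be replaced.

```powershell
# Added verification script, not from the thread. Run elevated on the NDES server.
$ndesAccount = 'CONTOSO\svc_ndes'                    # placeholder: the real NDES service account
$templateOid = '1.3.6.1.4.1.311.20.2'                # V1 "Certificate Template Name" extension
$required    = @('CEPEncryption', 'EnrollmentAgentOffline')   # template names NDES relies on
$keyDir      = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$readRights  = [System.Security.AccessControl.FileSystemRights]::Read

function Get-TemplateName($cert) {
    # The V1 template extension carries the template name as a BMPString; Format() renders it as text.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if ($ext) { $ext.Format($false).Trim() } else { $null }
}

$store = Get-ChildItem Cert:\LocalMachine\My
foreach ($name in $required) {
    # A renewal leaves the expired copy behind, so pick the newest unexpired certificate of the template.
    $cert = $store |
        Where-Object { (Get-TemplateName $_) -like "*$name*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Host "MISSING: no unexpired $name certificate in LocalMachine\My"; continue }
    Write-Host ("{0}: {1} expires {2}" -f $name, $cert.Thumbprint, $cert.NotAfter)

    # A certificate copied without its key shows HasPrivateKey = $false and is useless to NDES.
    if (-not $cert.HasPrivateKey) { Write-Host "  FAIL: private key not present"; continue }
    $csp = $cert.PrivateKey                          # RSACryptoServiceProvider for CAPI keys
    if (-not $csp) { Write-Host "  FAIL: private key not accessible (CNG key or not elevated?)"; continue }

    # The private key ACL NDES needs is the NTFS ACL on the key container file under MachineKeys.
    $keyFile = Join-Path $keyDir $csp.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not (Test-Path $keyFile)) { Write-Host "  FAIL: key container file not found: $keyFile"; continue }
    $hasRead = (Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $ndesAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readRights) -eq $readRights)
    }
    # Only direct ACEs are checked; access inherited via group membership is not resolved here.
    if ($hasRead) { Write-Host "  OK: $ndesAccount has Read on the private key" }
    else { Write-Host "  FAIL: $ndesAccount has no Read ACE on $keyFile" }
}
```

Any MISSING or FAIL line maps to the "cannot retrieve one of its required certificates (0x80070057)" event quoted earlier in the thread and is worth fixing before restarting IIS.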
Thanks, I did that already a long time ago, except for moving the Exchange Cert from the NDES user store to the computer store. The background was that I didn't want to give the NDES service account administrative privileges. I still don't want to.

And it worked! Thank you all very much, and especially you Mervyn. (I requested everything over the MMC, but still the same procedure. I set the private key permissions afterwards.)

What I don't get - I requested the certificates with a different account (PKI administrator) and moved them into the certificate store of the computer. And there's no connection whatsoever between the certificate (EnrollmentAgentOffline) and the NDES service account, at least I don't see any... So from my point of view, this should also work.

But still - not a solution I can present a client :D To give the service account even temporarily administrative permissions so I can move the certificates between the NDES service account's user store and the local machine store - that's unbelievable...

Greetings, MMF
March 11th, 2009 5:15pm
Hi,

After several install/remove tests, I suggest you try this workaround: add the NDES service account to the Admin group before installing the NDES Service and remove it after replacing the certificates.

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
March 17th, 2009 10:57am