Network Device Enrollment Service - Renewing service certificates
Hi all,

I am running into some major problems with the NDES feature of Server 2008 (non-R2, up-to-date). NDES uses two certificates to service the routers' requests and enroll certificates for them:
- CEP Encryption (a template enrollable for machines)
- Exchange Enrollment Agent (Offline Request) (a template enrollable for users)

After installing NDES, everything's fine: the two certificates are in the My store of the local computer (the RA, actually the signing Sub CA) and the NDES service account has Read permission on the private key. The two certificates have a two-year validity period and are not automatically enrolled after expiring.

So I want to enroll these two certificates and use the new ones. And here the problems start: even if both certificates of both required templates are requested and in the My store, NDES stops functioning. Here's an excerpt of the event log:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

I am using this guide to request and install the certificates and have tried every single possibility there is out there: http://blogs.technet.com/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx - not working.

So the only thing working for me right now is "Renew certificate with new key" on the CEP Encryption certificate while being in the My store of the local computer. But that's just one out of two certificates, and the next one proves more difficult.

- Renewing the EnrollmentAgentOffline fails (because you need a user to enroll for it), so I have to manually request it and move it there - not working.
- Renewing both certificates via the web enrollment pages and then moving the certificates into the My store of the local computer and setting Read permission for the NDES account - not working.
- A Microsoft employee said that I had to request it with the service account's certificates console - strange but doable, but also - not working.

I am so out of ideas trying to get NDES working after changing the certificates, I would really appreciate feedback. It's really a major letdown from Microsoft to not offer any decent documentation on the NDES feature and to not provide informative feedback (no offense to the employee but to the logs and error messages).

So please - help me out and save my day. It looks like they hard-coded some information about the certificates somewhere, so you can't just change them. Am I really the only one trying this? :D

Greetings, MMF
March 6th, 2009 3:25pm

Hi there,

I see this issue is more with Active Directory certificate enrollment, which you need to post under the Security forum under Windows. Also I saw that you have already posted your problem under the blog which you have mentioned in your post, so I would suggest to a) post your query under the Security forum under Windows, b) wait until someone checks the functionality, as this requires time to set up the architecture for NDES.

sainath
Windows Driver Development
March 6th, 2009 9:16pm

Hi,

From the following guide: Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates
http://blogs.technet.com/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx

We can find you need to give the NDES account full control on the Exchange Enrollment Agent certificate and the CEP Encryption certificate when performing the "Setting Permissions on the Private Keys" section. Please try to change the permission to test. Also, please try the "Testing Enrollment" section. Visit http://<servername>/certsrv/mscep_admin to get the password and visit http://<servername>/certsrv/mscep to enroll for the certificate.

If there is any error, please let us know the detailed error message.

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
March 9th, 2009 2:04pm

Hi,

Thanks for your answers. I already tried giving full control to the keys, because I read it in the blog. Standard permissions on the RA certificates are Read-only for the NDES service account, so I assume Read is enough. Full control doesn't work either.

If I visit the mentioned links (MSCEP and MSCEP-Admin), only the IIS error pages are shown:

HTTP Error 500.0 - Internal Server Error
The page cannot be displayed because an internal server error has occurred.

In the event log, the following errors are listed:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

Maybe something's screwed up pretty badly in my testing environment, but I really can't believe it. It's a fresh install and I double-checked all permissions (templates) and so on.

Greetings, MMF
March 10th, 2009 10:44am

Hi,

Based on my test, the error "HTTP Error 500.0 - Internal Server Error" is caused by certificates too. Let's try to request and install the CEP Encryption certificate and the Exchange Enrollment certificate:

1. Log on as the NDES service account, visit http://<servername>/certsrv, choose Request a certificate, click advanced certificate request, click Create and submit a request to this CA.
2. Choose Exchange Enrollment Certificate, type some basic information, click Submit. Continue and install the certificate.
3. Repeat to request and install the CEP Encryption certificate.
4. Open MMC. Click the File menu, click Add/Remove Snap-in, click Certificates, click Add, choose Local Computer, click Add again, choose Current User, click OK.
5. Open Personal certificates of Current User, move the new Exchange Enrollment certificate and CEP Encryption certificate to Personal certificates of Local Computer.
6. Run "iisreset" to reset IIS.

Try to visit http://<servername>/certsrv/mscep_admin and http://<servername>/certsrv/mscep. What's the result?

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
March 10th, 2009 3:56pm

Thanks, I did that already a long time ago, except for moving the Exchange cert from the NDES user store to the computer store. The background was that I didn't want to give the NDES service account administrative privileges. I still don't want to.

And it worked! Thank you all very much, and especially you, Mervyn. (I requested everything over the MMC, but still the same procedure. I set the private key permissions afterwards.)

What I don't get - I requested the certificates with a different account (PKI administrator) and moved them into the certificate store of the computer. And there's no connection whatsoever between the certificate (EnrollmentAgentOffline) and the NDES service account, at least I don't see any... So from my point of view, this should also work.

But still - not a solution I can present to a client :D To give the service account even temporarily administrative permissions so I can move the certificates between the NDES service account's user store and the local machine store - that's unbelievable...

Greetings, MMF
March 11th, 2009 5:15pm

Hi,

After several install/remove tests, I suggest you try this workaround: add the NDES service account to the Admin group before installing the NDES service and remove it after replacing the certificates.

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
March 17th, 2009 10:57am

Small update - almost two years and one OS later, this issue is still not fixed.

First of all - the documentation is clearly wrong (http://technet.microsoft.com/en-us/library/ff955642(WS.10).aspx#BKMK_Renewing), as enrolling an Exchange Enrollment Agent (Offline Request) certificate is not possible from the computer's certificate store (it's a user template).

Second of all - it's still not possible to enroll custom certificates which meet the requirements outlined in the Active Directory Certificate Services: Network Device Enrollment Service whitepaper for Server 2008 R2 from Jan 2009, which states that the service is searching for appropriate certificates (EKU Certificate Request Agent and Key Usage Encryption / Signature). I enrolled two custom certificates (one EKU CertReqAgent and Encryption, one EKU CertReqAgent and Signature), based on the templates CEP Encryption and Key Enrollment Agent (Computer) - which allows the NDES server to enroll for it. And it fails - who would have guessed...

I think I will open a support case.

Kind regards, MMF
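The requirements quoted from the whitepaper in the post above (EKU Certificate Request Agent, Key Usage Encryption or Signature) can be checked against what is actually in the computer's My store before touching NDES. The script below is an added example and is not from this thread or from Microsoft; it is read-only, runs in an elevated PowerShell on the NDES server, and uses only the standard Microsoft OIDs. The function name `Get-NdesRaCertificateReport` is the example's own.

```powershell
# Added example, not part of the thread: read-only check of the certificates
# NDES can use as its RA pair, against the requirements quoted above (EKU
# "Certificate Request Agent", Key Usage Key Encipherment for the encryption
# certificate or Digital Signature for the signing certificate, not expired,
# private key present). Run in an elevated PowerShell on the NDES server.
# The OIDs are the standard Microsoft ones; the function name is this example's own.

$CertRequestAgentEku = '1.3.6.1.4.1.311.20.2.1'   # EKU: Certificate Request Agent
$TemplateNameOid     = '1.3.6.1.4.1.311.20.2'     # v1 extension: Certificate Template Name
$TemplateInfoOid     = '1.3.6.1.4.1.311.21.7'     # v2 extension: Certificate Template Information

function Get-NdesRaCertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # the "My store of the local computer"

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Only certificates carrying the Certificate Request Agent EKU are candidates
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekuOids -notcontains $CertRequestAgentEku) { continue }

        # Key Usage decides which of the two roles the certificate can fill
        $kuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $ku = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None
        if ($kuExt) { $ku = $kuExt.KeyUsages }
        $canEncrypt = (($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment) -ne 0)
        $canSign    = (($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0)
        $role = 'neither (unusable)'
        if ($canEncrypt -and $canSign) { $role = 'Encryption+Signature' }
        elseif ($canEncrypt)           { $role = 'Encryption (CEP Encryption role)' }
        elseif ($canSign)              { $role = 'Signature (Enrollment Agent role)' }

        # Template name, when the CA stamped one (v1 or v2 extension); display text only
        $tplExt = $cert.Extensions |
            Where-Object { ($TemplateNameOid, $TemplateInfoOid) -contains $_.Oid.Value } |
            Select-Object -First 1
        $template = '(none)'
        if ($tplExt) { $template = ($tplExt.Format($false) -replace '\s+', ' ').Trim() }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Template      = $template
            Role          = $role
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey   # the key ACL (Read for the NDES account) still has to be checked in the MMC
        }
    }
}

$report = @(Get-NdesRaCertificateReport)
$report | Format-Table Subject, Template, Role, NotAfter, Expired, HasPrivateKey -AutoSize

# The service needs one usable certificate per role
$usable = $report | Where-Object { -not $_.Expired -and $_.HasPrivateKey }
if (-not ($usable | Where-Object { $_.Role -like 'Encryption*' })) {
    Write-Warning 'No unexpired encryption (CEP Encryption) RA certificate with a private key in the store.'
}
if (-not ($usable | Where-Object { $_.Role -like '*Signature*' })) {
    Write-Warning 'No unexpired signing (Enrollment Agent) RA certificate with a private key in the store.'
}
```

The report only tells you whether a certificate meeting the stated EKU and Key Usage requirements is present with a private key; the permission on that key for the NDES service account, which the thread settles on as Read, is not visible through the Cert: provider and still has to be checked in the Certificates MMC.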
January 22nd, 2012 1:15am

Hi MMF,

You could try this: duplicate your "Exchange Enrollment Agent" template, then open adsiedit and open the container CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com. Find your copied template and edit the attribute "flags"; change it from 131585 to 131649. This should change the template from user to computer.

If you are interested in how that works, I used this page as a reference http://msdn.microsoft.com/en-us/library/cc226550(v=prot.13) and added 0x00000040 CT_FLAG_MACHINE_TYPE.

Mike.
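The adsiedit step above is a single bit flip on the template object's "flags" attribute, and the arithmetic can be checked before anything is written. The script below is an added example, not Mike's procedure or Microsoft code: it binds to the template object in the Configuration partition, decodes the attribute against the CT_FLAG_* values from the MS-CRTD page Mike links, and prints the value with CT_FLAG_MACHINE_TYPE set; it writes nothing unless `$Apply` is changed to `$true`. The CN `ExchangeEnrollmentAgentOfflineCopy` is a placeholder for your duplicated template's name, and the function names are the example's own.

```powershell
# Added example (not Mike's procedure from the thread): the same adsiedit edit
# done in PowerShell. Binds to CN=<template>,CN=Certificate Templates,CN=Public
# Key Services,CN=Services,<Configuration NC>, decodes the "flags" attribute
# against the CT_FLAG_* values of MS-CRTD section 2.4 (the page linked in the
# post), and shows the value with CT_FLAG_MACHINE_TYPE (0x40) added.
# Read-only unless $Apply is $true.

$TemplateCn = 'ExchangeEnrollmentAgentOfflineCopy'   # placeholder: CN of the duplicated template
$Apply      = $false                                   # $true writes the new value to AD

# Flag table from MS-CRTD 2.4 / wincrypt.h. Some of these bits are documented as
# reserved; this script only names set bits, it does not interpret them.
$CtFlags = @(
    @{ Name = 'CT_FLAG_ADD_EMAIL';         Value = 0x00000002 },
    @{ Name = 'CT_FLAG_PUBLISH_TO_DS';     Value = 0x00000008 },
    @{ Name = 'CT_FLAG_EXPORTABLE_KEY';    Value = 0x00000010 },
    @{ Name = 'CT_FLAG_AUTO_ENROLLMENT';   Value = 0x00000020 },
    @{ Name = 'CT_FLAG_MACHINE_TYPE';      Value = 0x00000040 },   # user template -> computer template
    @{ Name = 'CT_FLAG_IS_CA';             Value = 0x00000080 },
    @{ Name = 'CT_FLAG_ADD_TEMPLATE_NAME'; Value = 0x00000200 },
    @{ Name = 'CT_FLAG_IS_CROSS_CA';       Value = 0x00000800 },
    @{ Name = 'CT_FLAG_DONOTPERSISTINDB';  Value = 0x00001000 },
    @{ Name = 'CT_FLAG_IS_DEFAULT';        Value = 0x00010000 },
    @{ Name = 'CT_FLAG_IS_MODIFIED';       Value = 0x00020000 }
)
$CT_FLAG_MACHINE_TYPE = 0x00000040

function ConvertFrom-CertTemplateFlags {
    # One line per set bit; bits outside the table are reported as a remainder
    param([int]$Flags)
    $seen = 0
    foreach ($f in $CtFlags) {
        if (($Flags -band $f.Value) -ne 0) {
            '  {0,-28} 0x{1:X8}' -f $f.Name, $f.Value
            $seen = $seen -bor $f.Value
        }
    }
    $rest = $Flags -band (-bnot $seen)
    if ($rest -ne 0) { '  {0,-28} 0x{1:X8}' -f '(bits not in table)', $rest }
}

function Get-CertTemplateObject {
    # Binds to the template object under the Configuration naming context
    param([string]$Cn)
    $configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $path = "LDAP://CN=$Cn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tpl = [ADSI]$path
    try { [void]$tpl.Properties['distinguishedName'].Value } catch { throw "Template not found: $path" }
    return $tpl
}

$tpl      = Get-CertTemplateObject -Cn $TemplateCn
$current  = [int]$tpl.Properties['flags'].Value
$proposed = $current -bor $CT_FLAG_MACHINE_TYPE     # with the numbers in the post: 131585 -> 131649

'Current flags : {0} (0x{0:X8})' -f $current
ConvertFrom-CertTemplateFlags -Flags $current
'Proposed flags: {0} (0x{0:X8})' -f $proposed
ConvertFrom-CertTemplateFlags -Flags $proposed

if ($Apply -and ($proposed -ne $current)) {
    # Writing here needs rights on the template object (Enterprise Admins by default)
    $tpl.Put('flags', $proposed)
    $tpl.SetInfo()
    $tpl.RefreshCache()
    'Written. Re-read value: {0}' -f ([int]$tpl.Properties['flags'].Value)
} elseif ($proposed -eq $current) {
    'CT_FLAG_MACHINE_TYPE is already set; nothing to do.'
} else {
    'Dry run only. Set $Apply = $true to write the new value.'
}
```

Running the dry run first shows exactly which bits the duplicated template already carries and confirms that the only difference between the current and proposed value is the 0x40 bit, so the change written to the Configuration partition is the one intended and nothing else on the template is altered.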
March 10th, 2012 4:16pm

RE: "First of all - the documentation is clearly wrong (http://technet.microsoft.com/en-us/library/ff955642(WS.10).aspx#BKMK_Renewing), as enrolling an Exchange Enrollment Agent (Offline Request) - certificate is not possible from the Computer's certificate store (it's a user-template)."

I have checked this with the feature team and the documentation is accurate on the template. The template is indeed a User template, but it is placed into the Computer store. While it appears inconsistent, it is by design, and should work.

That said, the product team believes the error you are experiencing can be fixed by a software update. Therefore, opening a support case is probably the best way to go at this time.
April 7th, 2012 4:16pm

Try this out:

1. Open IIS Manager.
2. In the navigation pane, click Application Pools.
3. In Application Pools, click SCEP.
4. In the Actions pane, click Advanced Settings.
5. Under Process Model, click Load User Profile. Set to True.
6. Click OK to all open dialog boxes.
7. Restart IIS.

Let us know if that resolves the error, please.
April 7th, 2012 8:16pm

Hello,

I have been following this thread and I am faced with a similar issue. When trying to navigate to certsrv/mscep I get the error found below. I followed your instructions, Kurt, and was able to change the Load User Profile setting from 'false' to 'true'. Unfortunately I am getting the same result. I am able to get to certsrv via 80 and 443 without any issues. Just having issues with mscep.

I am a new user with 2008 R2 Enterprise as well. Not sure what I have done, but it was working fine before adding CertSrv to my Default Web Site in IIS Manager. I used the Add Role Wizard to enable Certification Authority Web Enrollment and followed the setup steps. So I can navigate to http://x.x.x.x/certsrv but not http://x.x.x.x/certsrv/mscep. When I do I get the message below.

Patrick

404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
April 20th, 2012 12:12pm

If you haven't already, try checking the Event Viewer to see if there are NDES events in there. I posted the NDES whitepaper to the TechNet Wiki so you can search through it online: http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs-en-us.aspx

I know the behavior of the NDES service installation is different if you have CA Web Enrollment installed, so if you can reinstall the service, that might be a resolution.

1. If you install NDES when CA Web Enrollment is not installed, the virtual directories CertSrv, mscep, and mscep_admin are not created. However, the ISAPI DLL will still provide access to those locations. You can use the Application Pool - SCEP - Advanced Settings to control the service.
2. If you install NDES when the CA Web Enrollment pages are installed, the virtual directories CertSrv, mscep, and mscep_admin are created. You still manage the service via Application Pool - SCEP - Advanced Settings.
April 20th, 2012 1:42pm

