Server 2008 R2 CA NDES cannot match issuer name and serial number error
I have a large set of sscep (version 20081211 and 20030417) clients running on OpenBSD 3.7/4.0. Clients generate local certs and enroll with MS CA + mscep add-on. The enrollment and obtaining the CRL using a Win2000 or Win2003 CA with the relevant mscep add-on is working perfectly fine. However, a new standalone 2008 R2 CA setup with built-in mscep (NDES) successfully enrolls the clients but fails with Event ID 45 when the CRL is checked.
Is there something that I can tweak on Win2008 R2 to match the Win2000/2003 compatibility? OBSD scep calls, configuration and local.crt/local.csr are attached.
Thanks,
Error message <==========
MSCEP Event ID 45, NetworkDeviceEnrollmentService
The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any certification authority (CA) certificate. Verify that the device request contains the correct CA certificate information, then resubmit the request.
sscep enrollment <==========
./sscep: starting sscep, version 20030417
./sscep: hostname: 172.16.37.2
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: SCEP_OPERATION_GETCA
./sscep: requesting CA certificate
./sscep: server returned status code 200
./sscep: MIME header: application/x-x509-ca-ra-cert
./sscep: valid response from server
./sscep: found certificate with
subject: /C=US/CN=SCEPCA
issuer: /CN=SCEPCA
usage: Digital Signature
SHA1 fingerprint: E8:C9:5C:C5:CF:44:37:91:DA:52:AD:3B:E8:92:03:D6:8E:EE:23:85
./sscep: writing cert
./sscep: certificate written as ./ca.crt-0
./sscep: found certificate with
subject: /C=US/CN=SCEPCA
issuer: /CN=SCEPCA
usage: Key Encipherment
SHA1 fingerprint: 84:FC:93:08:83:0E:4B:35:07:AF:B8:34:5E:5A:6A:E5:AE:21:BC:C7
./sscep: writing cert
./sscep: certificate written as ./ca.crt-1
./sscep: found certificate with
subject: /CN=SCEPCA
issuer: /CN=SCEPCA
usage: Digital Signature, Certificate Sign, CRL Sign
SHA1 fingerprint: 18:27:7C:13:EE:8F:4A:D5:C6:C9:45:F2:31:0F:8F:B8:0F:8C:11:F0
./sscep: writing cert
./sscep: certificate written as ./ca.crt-2
./sscep: starting sscep, version 20030417
./sscep: hostname: 172.16.37.2
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: new transaction
./sscep: transaction id: DAD6C1C6EB4612955FEC920B673C8B8D
./sscep: generating selfsigned certificate
./sscep: SCEP_OPERATION_ENROLL
./sscep: sending certificate request
./sscep: creating inner PKCS#7
./sscep: data payload size: 248 bytes
./sscep: successfully encrypted payload
./sscep: envelope size: 639 bytes
./sscep: creating outer PKCS#7
./sscep: signature added successfully
./sscep: adding signed attributes
./sscep: adding string attribute transId
./sscep: adding string attribute messageType
./sscep: adding octet attribute senderNonce
./sscep: PKCS#7 data written successfully
./sscep: applying base64 encoding
./sscep: base64 encoded payload size: 1881 bytes
./sscep: server returned status code 200
./sscep: MIME header: x-pki-message
./sscep: valid response from server
./sscep: reading outer PKCS#7
./sscep: PKCS#7 payload size: 1636 bytes
./sscep: PKCS#7 contains 1022 bytes of enveloped data
./sscep: verifying signature
./sscep: signature ok
./sscep: finding signed attributes
./sscep: finding attribute transId
./sscep: allocating 32 bytes for attribute
./sscep: reply transaction id: DAD6C1C6EB4612955FEC920B673C8B8D
./sscep: finding attribute messageType
./sscep: allocating 1 bytes for attribute
./sscep: reply message type is good
./sscep: finding attribute senderNonce
./sscep: allocating 16 bytes for attribute
./sscep: senderNonce in reply: 4027FE45D2970C43AE4428FD48F1CE77
./sscep: finding attribute recipientNonce
./sscep: allocating 16 bytes for attribute
./sscep: recipientNonce in reply: 87638C2A48BAB67866B02C21CF1CD4CE
./sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: SUCCESS
./sscep: reading inner PKCS#7
./sscep: decrypting inner PKCS#7
./sscep: PKCS#7 payload size: 803 bytes
./sscep: found certificate with
subject: /CN=172.16.37.5
issuer: /CN=SCEPCA
./sscep: writing cert
./sscep: certificate written as ./local.crt
./sscep: starting sscep, version 20030417
./sscep: hostname: 172.16.37.2
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: new transaction
./sscep: transaction id: SSCEP transactionId
./sscep: SCEP_OPERATION_GETCRL
./sscep: requesting crl
./sscep: data payload size: 33 bytes
./sscep: successfully encrypted payload
./sscep: envelope size: 419 bytes
./sscep: creating outer PKCS#7
./sscep: signature added successfully
./sscep: adding signed attributes
./sscep: adding string attribute transId
./sscep: adding string attribute messageType
./sscep: adding octet attribute senderNonce
./sscep: PKCS#7 data written successfully
./sscep: applying base64 encoding
./sscep: base64 encoded payload size: 2121 bytes
./sscep: server returned status code 200
./sscep: MIME header: x-pki-message
./sscep: valid response from server
./sscep: reading outer PKCS#7
./sscep: PKCS#7 payload size: 615 bytes
./sscep: PKCS#7 contains 1 bytes of enveloped data
./sscep: verifying signature
./sscep: signature ok
./sscep: finding signed attributes
./sscep: finding attribute transId
./sscep: allocating 19 bytes for attribute
./sscep: reply transaction id: SSCEP transactionId
./sscep: finding attribute messageType
./sscep: allocating 1 bytes for attribute
./sscep: reply message type is good
./sscep: finding attribute senderNonce
./sscep: allocating 16 bytes for attribute
./sscep: senderNonce in reply: 5C25503DE15D97479A602AD6ACC5C809
./sscep: finding attribute recipientNonce
./sscep: allocating 16 bytes for attribute
./sscep: recipientNonce in reply: 07C908B0B8D06205AD04464D7B595EC0
./sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: FAILURE
./sscep: finding attribute failInfo
./sscep: allocating 1 bytes for attribute
./sscep: reason: Transaction not permitted or supported
./sscep: illegal size of payload
# sscep.conf -- configuration file for SSCEP
#
URL http://172.16.37.2/certsrv/mscep/mscep.dll
IPAddress 172.16.37.5
CACertFile ./ca.crt
# CAIdentifier "CA-CA"
Verbose yes
Debug no
FingerPrint sha1
PrivateKeyFile ./local.key
LocalCertFile ./local.crt
EncCertFile ./ca.crt-1
CertReqFile ./local.csr
# GetCertSerial 1
GetCrlFile ./crl.pem
PollInterval 6
MaxPollTime 28800
MaxPollCount 256
local.crt <==========
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:4f:c4:b1:00:00:00:00:00:0a
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=SCEPCA
Validity
Not Before: Jun 26 16:57:42 2011 GMT
Not After : Jun 26 17:07:42 2012 GMT
Subject: CN=172.16.37.5
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:c8:4c:24:4e:82:f7:68:96:cd:35:13:58:ab:60:
b3:21:99:cf:1c:3b:12:d8:fc:11:bf:c1:da:db:71:
3d:76:81:c3:57:76:fa:3f:17:3d:f0:71:7b:0c:b2:
c1:80:cc:82:20:00:6c:e9:98:24:37:ce:3c:0a:9f:
1b:42:34:76:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name: critical
IP Address:172.16.37.5
X509v3 Subject Key Identifier:
71:7E:DE:A8:55:97:DF:F7:38:1D:85:1D:EA:4F:A5:3E:16:6E:DB:AB
X509v3 Authority Key Identifier:
keyid:AF:25:51:5F:43:9B:2F:8F:AD:8A:50:33:F4:25:A9:1F:AD:4E:88:92
X509v3 CRL Distribution Points:
URI:file://CA/CertEnroll/SCEPCA.crl
Authority Information Access:
CA Issuers - URI:file://CA/CertEnroll/CA_SCEPCA.crt
1.3.6.1.4.1.311.20.2:
.0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
Signature Algorithm: sha1WithRSAEncryption
a9:13:78:63:c2:7f:22:66:83:2d:19:a8:48:34:9c:6d:67:2f:
b0:ea:67:6d:0e:d9:f4:28:35:75:59:7a:b6:8b:5c:ec:af:06:.............<snip>
local.csr <==========
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=172.16.37.5
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:c8:4c:24:4e:82:f7:68:96:cd:35:13:58:ab:60:
b3:21:99:cf:1c:3b:12:d8:fc:11:bf:c1:da:db:71:
3d:76:81:c3:57:76:fa:3f:17:3d:f0:71:7b:0c:b2:
c1:80:cc:82:20:00:6c:e9:98:24:37:ce:3c:0a:9f:
1b:42:34:76:3f
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name: critical
IP Address:172.16.37.5
Signature Algorithm: md5WithRSAEncryption
58:82:5c:07:e8:ec:0a:35:9f:e7:64:9b:c4:77:e4:13:3c:48:
90:d1:b2:d0:dd:e5:92:26:d9:83:76:32:67:dd:99:2d:e4:d0:
58:d4:f0:7e:8d:c0:1c:74:f7:d9:eb:34:25:50:de:2f:0f:fc:
17:c4:0b:bb:99:51:6f:8d:34:d3
ms
June 26th, 2011 5:18pm
Event ID: 45
The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any CA certificate. Verify that the device request contains the correct CA certificate information, and then resubmit the request.
Internal Name: EVENT_MSCEP_NOMATCH_ISSUERNAME_SERIALNUMBER
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Description: This event occurs in the scenario in which the device certificate was pended by the CA and subsequently issued interactively by a CA manager. In this scenario, the device administrator must submit another request to the service to obtain the device certificate. In this case, the service was unable to match the issuer information in the request to the CA certificate.
See:
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs-en-us.aspx
April 14th, 2012 12:07am
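Added example (not from the thread, sscep or NDES): a Go program that applies the matching rule the Event ID 45 text describes, using a constructed self-signed CN=SCEPCA CA and a constructed device certificate with a 10-byte serial shaped like the one in local.crt. It also shows that a DER IssuerAndSerialNumber built from the CN=SCEPCA issuer name and such a serial is 33 bytes, the GetCRL payload size in the log above; whether a pair like that names a CA certificate known to the service is exactly what the check tests.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
// iasDER encodes the PKCS#7 IssuerAndSerialNumber that identifies cert (its issuer Name copied
// verbatim, plus its serial number); this structure is the messageData of a SCEP GetCRL request.
func iasDER(cert *x509.Certificate) []byte {
	der, _ := asn1.Marshal(struct {
		Issuer asn1.RawValue
		Serial *big.Int
	}{asn1.RawValue{FullBytes: cert.RawIssuer}, cert.SerialNumber})
	return der
}
// matchCA applies the rule Event ID 45 states: the issuer name and serial number in the request
// must identify one of the CA certificates the service knows. Returns nil when none is identified.
func matchCA(issuer []byte, serial *big.Int, caCerts []*x509.Certificate) *x509.Certificate {
	for _, ca := range caCerts {
		if string(ca.RawIssuer) == string(issuer) && ca.SerialNumber.Cmp(serial) == 0 {
			return ca
		}
	}
	return nil
}
// makeTestPKI builds a constructed self-signed CN=SCEPCA CA and a device certificate it issued with a
// 10-byte serial shaped like local.crt's. Constructed test material, not the poster's certificates.
func makeTestPKI() (ca, device *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "SCEPCA"}, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(0, 0, 1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, pub, priv)
	ca, _ = x509.ParseCertificate(caDER)
	devSerial, _ := new(big.Int).SetString("124fc4b100000000000a", 16) // constructed: 12:4f:c4:b1:00:00:00:00:00:0a
	devTmpl := &x509.Certificate{SerialNumber: devSerial, Subject: pkix.Name{CommonName: "172.16.37.5"}, NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter}
	devDER, _ := x509.CreateCertificate(rand.Reader, devTmpl, ca, pub, priv)
	device, _ = x509.ParseCertificate(devDER)
	return ca, device
}
func main() {
	ca, device := makeTestPKI()
	cas := []*x509.Certificate{ca} // what GetCACert handed out, as the service would know it
	fmt.Printf("device pair: %d-byte DER, identifies a CA cert: %v\n", len(iasDER(device)), matchCA(device.RawIssuer, device.SerialNumber, cas) != nil)
	fmt.Printf("CA pair: %d-byte DER, identifies a CA cert: %v\n", len(iasDER(ca)), matchCA(ca.RawIssuer, ca.SerialNumber, cas) != nil)
}
```

Only the pair taken from the CA certificate itself (issuer CN=SCEPCA plus the CA's own serial) passes the check; the pair identifying the device certificate shares the issuer name but not the serial, so it matches no CA certificate.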
I have a similar problem running sscep but my failure happens during enrollment. The Windows Server 2008 R2 event log shows EventID 18, "The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data.". I successfully retrieved a CA cert prior to enrolling. Any ideas what is causing this? I've enabled CAPI2 logging but it never shows any errors. Thanks in advance.
June 20th, 2012 6:37pm
I'm now getting the same problem that you have using sscep to get CRL. EventID 45 error description doesn't help. Were you able to fix the problem? Thanks for your help.
June 21st, 2012 9:52am
The solution was to roll back to Windows 2003! It works perfectly fine with it and Windows 2000. I would be very interested if Microsoft picks this issue up and brings a resolution.
ms
June 22nd, 2012 11:34pm