Server 2008 R2 CA NDES cannot match issuer name and serial number error
I have a large set of sscep (version 20081211 and 20030417) clients running on OpenBSD 3.7/4.0. Clients generate local certs and enroll with an MS CA + mscep add-on. Enrollment and obtaining the CRL using a Win2000 or Win2003 CA with the relevant mscep add-on work perfectly fine. However, a new standalone 2008 R2 CA setup with built-in mscep (NDES) successfully enrolls the clients but fails with Event ID 45 when the CRL is checked. Is there something that I can tweak on Win2008 R2 to match the Win2000/2003 compatibility? OBSD scep calls, configuration and local.crt/local.csr are attached. Thanks,

Error message <==========
MSCEP Event ID 45, NetworkDeviceEnrollmentService
The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any certification authority (CA) certificate. Verify that the device request contains the correct CA certificate information, then resubmit the request.

sscep enrollment <==========
./sscep: starting sscep, version 20030417
./sscep: hostname:
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: SCEP_OPERATION_GETCA
./sscep: requesting CA certificate
./sscep: server returned status code 200
./sscep: MIME header: application/x-x509-ca-ra-cert
./sscep: valid response from server
./sscep: found certificate with
  subject: /C=US/CN=SCEPCA
  issuer: /CN=SCEPCA
  usage: Digital Signature
  SHA1 fingerprint: E8:C9:5C:C5:CF:44:37:91:DA:52:AD:3B:E8:92:03:D6:8E:EE:23:85
./sscep: writing cert
./sscep: certificate written as ./ca.crt-0
./sscep: found certificate with
  subject: /C=US/CN=SCEPCA
  issuer: /CN=SCEPCA
  usage: Key Encipherment
  SHA1 fingerprint: 84:FC:93:08:83:0E:4B:35:07:AF:B8:34:5E:5A:6A:E5:AE:21:BC:C7
./sscep: writing cert
./sscep: certificate written as ./ca.crt-1
./sscep: found certificate with
  subject: /CN=SCEPCA
  issuer: /CN=SCEPCA
  usage: Digital Signature, Certificate Sign, CRL Sign
  SHA1 fingerprint: 18:27:7C:13:EE:8F:4A:D5:C6:C9:45:F2:31:0F:8F:B8:0F:8C:11:F0
./sscep: writing cert
./sscep: certificate written as ./ca.crt-2

./sscep: starting sscep, version 20030417
./sscep: hostname:
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: new transaction
./sscep: transaction id: DAD6C1C6EB4612955FEC920B673C8B8D
./sscep: generating selfsigned certificate
./sscep: SCEP_OPERATION_ENROLL
./sscep: sending certificate request
./sscep: creating inner PKCS#7
./sscep: data payload size: 248 bytes
./sscep: successfully encrypted payload
./sscep: envelope size: 639 bytes
./sscep: creating outer PKCS#7
./sscep: signature added successfully
./sscep: adding signed attributes
./sscep: adding string attribute transId
./sscep: adding string attribute messageType
./sscep: adding octet attribute senderNonce
./sscep: PKCS#7 data written successfully
./sscep: applying base64 encoding
./sscep: base64 encoded payload size: 1881 bytes
./sscep: server returned status code 200
./sscep: MIME header: x-pki-message
./sscep: valid response from server
./sscep: reading outer PKCS#7
./sscep: PKCS#7 payload size: 1636 bytes
./sscep: PKCS#7 contains 1022 bytes of enveloped data
./sscep: verifying signature
./sscep: signature ok
./sscep: finding signed attributes
./sscep: finding attribute transId
./sscep: allocating 32 bytes for attribute
./sscep: reply transaction id: DAD6C1C6EB4612955FEC920B673C8B8D
./sscep: finding attribute messageType
./sscep: allocating 1 bytes for attribute
./sscep: reply message type is good
./sscep: finding attribute senderNonce
./sscep: allocating 16 bytes for attribute
./sscep: senderNonce in reply: 4027FE45D2970C43AE4428FD48F1CE77
./sscep: finding attribute recipientNonce
./sscep: allocating 16 bytes for attribute
./sscep: recipientNonce in reply: 87638C2A48BAB67866B02C21CF1CD4CE
./sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: SUCCESS
./sscep: reading inner PKCS#7
./sscep: decrypting inner PKCS#7
./sscep: PKCS#7 payload size: 803 bytes
./sscep: found certificate with
  subject: /CN=
  issuer: /CN=SCEPCA
./sscep: writing cert
./sscep: certificate written as ./local.crt

./sscep: starting sscep, version 20030417
./sscep: hostname:
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: new transaction
./sscep: transaction id: SSCEP transactionId
./sscep: SCEP_OPERATION_GETCRL
./sscep: requesting crl
./sscep: data payload size: 33 bytes
./sscep: successfully encrypted payload
./sscep: envelope size: 419 bytes
./sscep: creating outer PKCS#7
./sscep: signature added successfully
./sscep: adding signed attributes
./sscep: adding string attribute transId
./sscep: adding string attribute messageType
./sscep: adding octet attribute senderNonce
./sscep: PKCS#7 data written successfully
./sscep: applying base64 encoding
./sscep: base64 encoded payload size: 2121 bytes
./sscep: server returned status code 200
./sscep: MIME header: x-pki-message
./sscep: valid response from server
./sscep: reading outer PKCS#7
./sscep: PKCS#7 payload size: 615 bytes
./sscep: PKCS#7 contains 1 bytes of enveloped data
./sscep: verifying signature
./sscep: signature ok
./sscep: finding signed attributes
./sscep: finding attribute transId
./sscep: allocating 19 bytes for attribute
./sscep: reply transaction id: SSCEP transactionId
./sscep: finding attribute messageType
./sscep: allocating 1 bytes for attribute
./sscep: reply message type is good
./sscep: finding attribute senderNonce
./sscep: allocating 16 bytes for attribute
./sscep: senderNonce in reply: 5C25503DE15D97479A602AD6ACC5C809
./sscep: finding attribute recipientNonce
./sscep: allocating 16 bytes for attribute
./sscep: recipientNonce in reply: 07C908B0B8D06205AD04464D7B595EC0
./sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: FAILURE
./sscep: finding attribute failInfo
./sscep: allocating 1 bytes for attribute
./sscep: reason: Transaction not permitted or supported
./sscep: illegal size of payload

sscep.conf <==========
# sscep.conf -- configuration file for SSCEP
# URL IPAddress
CACertFile ./ca.crt
# CAIdentifier "CA-CA"
Verbose yes
Debug no
FingerPrint sha1
PrivateKeyFile ./local.key
LocalCertFile ./local.crt
EncCertFile ./ca.crt-1
CertReqFile ./local.csr
# GetCertSerial 1
GetCrlFile ./crl.pem
PollInterval 6
MaxPollTime 28800
MaxPollCount 256

local.crt <==========
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            12:4f:c4:b1:00:00:00:00:00:0a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=SCEPCA
        Validity
            Not Before: Jun 26 16:57:42 2011 GMT
            Not After : Jun 26 17:07:42 2012 GMT
        Subject: CN=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c8:4c:24:4e:82:f7:68:96:cd:35:13:58:ab:60:
                    b3:21:99:cf:1c:3b:12:d8:fc:11:bf:c1:da:db:71:
                    3d:76:81:c3:57:76:fa:3f:17:3d:f0:71:7b:0c:b2:
                    c1:80:cc:82:20:00:6c:e9:98:24:37:ce:3c:0a:9f:
                    1b:42:34:76:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                IP Address:
            X509v3 Subject Key Identifier:
                71:7E:DE:A8:55:97:DF:F7:38:1D:85:1D:EA:4F:A5:3E:16:6E:DB:AB
            X509v3 Authority Key Identifier:
                keyid:AF:25:51:5F:43:9B:2F:8F:AD:8A:50:33:F4:25:A9:1F:AD:4E:88:92
            X509v3 CRL Distribution Points:
                URI:file://CA/CertEnroll/SCEPCA.crl
            Authority Information Access:
                CA Issuers - URI:file://CA/CertEnroll/CA_SCEPCA.crt
            .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
        a9:13:78:63:c2:7f:22:66:83:2d:19:a8:48:34:9c:6d:67:2f:
        b0:ea:67:6d:0e:d9:f4:28:35:75:59:7a:b6:8b:5c:ec:af:06:.............<snip>

local.csr <==========
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c8:4c:24:4e:82:f7:68:96:cd:35:13:58:ab:60:
                    b3:21:99:cf:1c:3b:12:d8:fc:11:bf:c1:da:db:71:
                    3d:76:81:c3:57:76:fa:3f:17:3d:f0:71:7b:0c:b2:
                    c1:80:cc:82:20:00:6c:e9:98:24:37:ce:3c:0a:9f:
                    1b:42:34:76:3f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: critical
                IP Address:
    Signature Algorithm: md5WithRSAEncryption
        58:82:5c:07:e8:ec:0a:35:9f:e7:64:9b:c4:77:e4:13:3c:48:
        90:d1:b2:d0:dd:e5:92:26:d9:83:76:32:67:dd:99:2d:e4:d0:
        58:d4:f0:7e:8d:c0:1c:74:f7:d9:eb:34:25:50:de:2f:0f:fc:
        17:c4:0b:bb:99:51:6f:8d:34:d3
-----BEGIN CERTIFICATE REQUEST-----
MIH1MIGgAgEAMBYxFDASBgNVBAMTCzE3Mi4xNi4zNy41MFwwDQYJKoZIhvcNAQEB
BQADSwAwSAJBAMhMJE6C92iWzTUTWKtgsyGZzxw7Etj8Eb/B2ttxPXaBw1d2+j8X
PfBxewyywYDMgiAAbOmYJDfOPAqfG0I0dj8CAwEAAaAlMCMGCSqGSIb3DQEJDjEW
MBQwEgYDVR0RAQH/BAgwBocErBAlBTANBgkqhkiG9w0BAQQFAANBAFiCXAfo7Ao1
n+dkm8R35BM8SJDRstDd5ZIm2YN2MmfdmS3k0FjU8H6NwBx099nrNCVQ3i8P/BfE
C7uZUW+NNNM=
-----END CERTIFICATE REQUEST-----

ms
June 26th, 2011 10:18am

Event ID: 45
The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any CA certificate. Verify that the device request contains the correct CA certificate information, and then resubmit the request.
Internal Name: EVENT_MSCEP_NOMATCH_ISSUERNAME_SERIALNUMBER
Source: Microsoft-Windows-NetworkDeviceEnrollmentService

Description
This event occurs in the scenario in which the device certificate was pended by the CA and subsequently issued interactively by a CA manager. In this scenario, the device administrator must submit another request to the service to obtain the device certificate. In this case, the service was unable to match the issuer information in the request to the CA certificate.

See:
April 13th, 2012 11:58pm

I'm now getting the same problem that you have using sscep to get CRL. EventID 45 error description doesn't help. Were you able to fix the problem? Thanks for your help.
June 21st, 2012 9:51am

The solution was roll back to Windows 2003! It works perfectly fine with it and Windows 2000. I would be very interested if Microsoft picks this issue and brings a
June 22nd, 2012 11:33pm

Thank you for the reply. I really hope they fix this in Server 2008 R2.
June 29th, 2012 11:19am

FYI for anyone else with this problem. I opened a case with MSDN tech support and they showed me how to enable a setting in Server 2008 R2 ADCS that allows a simple HTTP call to retrieve a CRL. In Server Manager, go to Active Directory Certificate Services -> yourcaname, right-mouse -> Properties -> Extensions. In the list of CRL locations, select the entry with an http path such as "http://<ServerDNSName>/...". Check "Include in the CDP extension of issued certificates". Now you can issue a command from a browser like this: "http://MyCAFullMachineName/CertEnroll/MyCAName.crl". It will return the CRL. If you write a C app to do it then strip off the leading text header of the returned file.
July 4th, 2012 6:01pm
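The client side of the workaround above, as an added example that is not from this thread or from sscep: it fetches the CRL from the HTTP CDP URL the reply describes, strips any PEM text header and footer so the result is plain DER, and checks the outer DER SEQUENCE framing before a parser sees it. The URL in `fetch_crl` is a placeholder; the test inputs are constructed.

```python
import base64
import re
import urllib.request

# PEM armour a CRL can arrive in; DER is returned untouched.
PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def der_length(data: bytes) -> int:
    """Return the encoded length of the outer DER SEQUENCE in `data`.

    Raises ValueError unless the bytes start with tag 0x30 and the declared
    length (short or long form) exactly covers the buffer, which catches a
    truncated download or trailing junk before the CRL is trusted.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a CRL must start with 0x30)")
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        hdr, length = 2, first
    else:                                 # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad DER length encoding")
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if hdr + length != len(data):
        raise ValueError(f"DER length {hdr + length} != body length {len(data)}")
    return hdr + length


def normalize_crl(body: bytes) -> bytes:
    """Return the CRL as DER whether the server sent DER or PEM-armoured text."""
    m = PEM_RE.search(body)
    if m:                                 # strip the text header/footer, decode base64
        body = base64.b64decode(b"".join(m.group(1).split()))
    der_length(body)                      # validate framing before handing it on
    return body


def fetch_crl(url: str, timeout: float = 10.0) -> bytes:
    """GET the CRL from the HTTP CDP (placeholder URL) and return DER bytes."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return normalize_crl(resp.read())


if __name__ == "__main__":
    # Placeholder host and CA name; substitute your own CA's CertEnroll path.
    der = fetch_crl("http://MyCAFullMachineName/CertEnroll/MyCAName.crl")
    print(f"fetched {len(der)} bytes of DER CRL")
```

The returned DER can then be handed to the usual CRL parser (for example `openssl crl -inform DER`) or written to the path named by `GetCrlFile`.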

