Server 2012 Error 505 on http://localhost/certsrv/mscep_adm in

Ok, apparently I can't get past this. Installed NDES etc. on Server 2012. This server is not hosting the domain CA. I created the recommended domain user account for the service, added the user account to read on the domain CA for request certs, added to local IIS group, added SPN.

I go to http://localhost/certsrv/mscep_admin and get the 505 error with the following two event log entries:
     The network device enrollment service cannot retrieve one of its required certs
     The network device enrollment service cannot be started 0x80070057

           

I have tried the following so far:
     Logging in with that service account so a user account is created.
     Changing the SCEP App Pool advanced setting Load User Profile from False to True
     http://support.microsoft.com/kb/2800975 (but the ExtensionlessUrlHandler-ISAPI-4.0_64bit that is mentioned to move below StaticFile does not exist. Am I supposed to manually add it somewhere in the config file like this example?)

<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />      

Checked srv memory and there is enough.

Help... did I miss some step.

thx


  • Edited by Carito Thursday, April 24, 2014 4:19 PM
  • Moved by Amy Wang_Moderator Friday, April 25, 2014 5:54 AM Certificate related
April 24th, 2014 4:18pm

Hi,

Please make sure that the issuing CA is online to issue required certificates, and the following templates exist: Exchange Enrollment Agent and CEP Encryption.

More information for you:

Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)

http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

Network Device Enrollment Service Guidance

http://technet.microsoft.com/en-us/library/hh831498.aspx

Best Regards,

Amy

April 25th, 2014 8:40am

Thanks. Network Device Enrollment Service Guidance link is the one I initially followed. I did find the other though and as far as I can tell I completed everything.

The enterprise CA is online, and both the CEP Encryption and Exchange Enrollment Agent templates exist. One thing I noticed though is it mentions you must be a member of the Enterprise Admins group at least for the install but not after. I know my account is not at that level, but having not known that, there were no errors during the install to show otherwise.

I am guessing I need to remove the NDES role and reinstall it once added to the Enterprise Admins?

April 25th, 2014 4:11pm

Yes, that is correct. Also, ensure that the NDES service account and the NDES computer account are assigned Read and Enroll permissions to the appropriate certificate templates (CEP encryption and exchange enrollment agent). Once enrolled, both should be in the local Machine certificate store (you can validate using the Certificates MMC).

Brian

April 25th, 2014 4:34pm
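
A scripted version of the certificate-store check described in the reply above, as an added example that is not part of the original thread. It assumes the two templates are the built-in version 1 templates with their default internal names, CEPEncryption and EnrollmentAgentOffline; adjust `$wanted` if the CA issues from renamed or duplicated templates.

```powershell
# Added example: look for the NDES registration-authority certificates
# in the local machine store and report whether each one is usable.
# Assumption: default internal template names (not taken from the thread).
$wanted        = 'CEPEncryption', 'EnrollmentAgentOffline'
$v1TemplateOid = '1.3.6.1.4.1.311.20.2'   # "Certificate Template Name" extension

$found = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Version 1 templates record their name in this extension.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $v1TemplateOid }
    if (-not $ext) { continue }

    $template = $ext.Format($false).Trim()
    if ($wanted -notcontains $template) { continue }

    [pscustomobject]@{
        Template      = $template
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $cert.HasPrivateKey
    }
}

$found | Format-Table -AutoSize

# Flag each template for which no unexpired certificate with a private key exists.
foreach ($name in $wanted) {
    $usable = $found | Where-Object {
        $_.Template -eq $name -and $_.HasPrivateKey -and -not $_.Expired
    }
    if (-not $usable) {
        Write-Warning "No usable certificate from template '$name' in LocalMachine\My"
    }
}
```

Run it from an elevated PowerShell session on the NDES server. A certificate that is present but shows HasPrivateKey as False, or is expired, is as unusable to the service as a missing one.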

Thanks. I went back through this all over again with an enterprise admin account and am still getting a 500 error when trying to access the page.

According to this http://support.microsoft.com/kb/2800975/en-us  for the 500 error I need to

2) Open IIS.
3) Select Default Web Site. 
4) Click View Applications in the action panel on the right.
5) Double click the mscep application.
6) Double click Handler Mappings.
7) Click View Ordered List in the action panel.
8) Select ExtensionlessUrlHandler-ISAPI-4.0_64bit and move it down so it is below StaticFile.
9) Repeat steps 6-8 for the mscep_admin application.
10) Restart IIS.

I don't have ExtensionlessUrlHandler-ISAPI-4.0_64bit in the list. So was I supposed to select something else in the IIS setup during the install? I just took the defaults that the role selected.

April 25th, 2014 9:13pm

Ok, so I installed the Certificate Authority Web Enrollment. I didn't think I needed that since the instructions say to unselect CA and select NDES on the role. So now I see a Default Web Site\CertSrv with a mscep and mscep_admin under it.

If I go to http://localhost/certsrv I get the same page I get as if going to the online CA on the other server.

If I go to http://localhost/certsrv/mscep_admin/ or admin I get the 500 error.

IIS

Module   IsapiModule
Notification   ExecuteRequestHandler
Handler   ISAPI-dll
Error Code   0x80070057
Requested URL   http://localhost:80/certsrv/mscep_admin/mscep.dll
Physical Path   C:\Windows\system32\CertSrv\mscep\mscep.dll
Logon Method   Negotiate

EVENTLOG
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057).  The parameter is incorrect.

Nothing seems to have changed, so not sure if I am messing it up worse or just missing something.

April 25th, 2014 9:45pm

I am having this exact same problem.  I posted about my problem at:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/b037dd06-0109-4b27-8469-a6bf9e0f1548/ndes-cannot-retrieve-certificates?forum=winservergen

March 6th, 2015 3:17pm

This topic is archived. No further replies will be accepted.
