i'd like to allow"power" users on our network team to obtain certs for routers, switches, waps, etc... i've added these accounts to the local iis_iusrs group on the ca with the ndes role services, but they receive the "you do not have sufficient permissions to enroll with scep" message when they browse the /certsrv/mscep_admin page.what am i missing? permissions in the ca, on the ra certs, or iis?

Hi, Have you designated the certificate templates (Signature, Encryption, and GeneralPurpose) in the HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP registry key? If you have designated the certificate templates, please ensure that the Device Administration (the power users in this case) have been assigned the Read and Enrollment permission for the designated certificate templates. If you do not designate the certificate templates, please ensure that the Device Administration has the Read and Enrollment permission for the IPsec (Offline Request) certificate template. After you grant the permission, please access the web page again and check the result. For more information about NDES, you can refer to the following article: Microsoft SCEP Implementation Whitepaper http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e11780de-819f-40d7-8b8e-10845bc8d446 Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights.