the application event log on our ca running ndes/scep has recorded numerous (at least one per minute) of the following error messages: Log Name: ApplicationSource: Microsoft-Windows-NetworkDeviceEnrollmentServiceDate: 02/06/2010 06:02:04 PMEvent ID: 29Task Category: NoneLevel: ErrorKeywords: ClassicUser: N/AComputer: CA.domain.localDescription:The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.does anybody know how i can determine which device is causing thousands of these errors to be generated? is there a log level parameter that might disclose an ip address, or something about the offending device?

Perhaps your CA logged the request in the Failed Requests list. Checkt he CA mmc if there are failed requests that may tell some more story of user or machine name generating the request.

thanks for the suggestion, but it doesn't appear that the mmc shows any of our scep certs and/or requests.

Cryptography Next Generation (CNG) has increased auditing abilitities assuming you are on Winderz 2008 I guess. The event are captured by the Key Service Provider (KSP) in user mode. KSP audit logs are not generated automatically. You must use auditpol.exe to enalbe collection of all KSP auditing by running: auditpol /set /subcategory:"other system evens" /success:enable /failure:enable How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain. http://support.microsoft.com/kb/921469