Network Device Enrollment Service - Renewing service certificates

    Question

  • Hi all, 

    I am running into some major problems with the NDES-feature of Server 2008 (non R2, up-to-date).

    NDES uses two certificates to service the routers requests and enroll certificates for them:

    - CEPEncryption (A template enrollable for machines)

    - Exchange Enrollment Agent (Offline Request)  (A template enrollable for users)

    After installing NDES, everything's fine: the two certificates are in the MY store of the local computer (the RA, actually the signing Sub CA) and the NDES_Service-Account has Read permission on the private key.

    The two certificates have a two year validity period and are not automatically enrolling after expiring.

    So I want to enroll these two certificates and use the new ones. And here the problems start:

    - even if both certificates of both required templates are requested and in the My-Store, NDES stops functioning. Here's an excerpt of the eventlog:

    The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

    The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

    I am using this guide to request and install the certificates and have tried every single possibility there is out there: http://blogs.technet.com/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx - not working.

    So the only thing working for me right now is the "Renew certificate with new key" on the CEP-Encryption-Certificate while being in the My-Store of the local computer. But that's just one out
    of two certificates, and the next one proves more difficult. 

    Renewing the EnrollmentAgentOffline fails (because you need a user to enroll for it), so I have to manually request it, and move it there - not working

    Renewing both certificates via the web enrollment pages and then moving the certificates into the My-Store of the local computer and setting Read permission for the NDES-Account - not working.

    A Microsoft employee said that I had to request it with the service account's certificates console - strange but doable, but also - not working. 

    I am so out of ideas trying to get NDES working after changing the certificates, I would really appreciate feedback. It's really a major letdown from Microsoft to not offer any decent documentation on the NDES-feature and to not provide informative feedback (no offense to the employee but to the logs and error messages).

    So please - help me out and save my day. It looks like they hard-coded some information about the certificates somewhere, so you can't just change them. Am I really the only one trying this? :D

    Greeting, MMF



    Friday, March 06, 2009 12:25 PM

Answers

  • Hi, 

    Based on my test, the error " HTTP Error 500.0 - Internal Server Error" is caused by certificates too. 

    Let’s try to request and install CEP Encryption Certificate and Exchange Enrollment Certificate

    Log on as the NDES-Service-Account, visit http://<servername>/certsrv, choose Request a certificate, click advanced certificate request, click Create and submit a request to this CA. 

    Choose Exchange Enrollment Certificate, type some basic information, click Submit. Continue and install the certificate.

    Repeat to request and install CEP Encryption Certificate. 

    Open MMC. Click the File menu, click Add/Remove Snap-in, click Certificates, click Add, choose Local Computer, click Add again, choose Current User, click OK.

    Open Personal certificates of Current User, move new Exchange Enrollment Certificate and CEP Encryption Certificate to Personal certificate of Local Computer. 

    Run " iisreset" to reset IIS. Try to visit http://<servername>/certsrv/mscep_admin and http://<servername>/certsrv/mscep. What’s the result?

    Thanks. 


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 10, 2009 12:56 PM

All replies

  • hi there,

    I see this issue is more about Active Directory certificate enrollment, which you need to post under the Security forum under Windows.


    Also I saw that you have already posted your problem under the blog which you have mentioned in your post, so I would suggest to

    a) post your query under Security forum under windows

    b) wait until some one checks the functionality , as this requires time to setup the architecture for NDES
    sainath Windows Driver Development
    Friday, March 06, 2009 6:16 PM
  • Hi,

    From the following guide:

    Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates
    http://blogs.technet.com/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx

    We can see that you need to give the NDES-Account full control on the Exchange Enrollment Agent certificate and the CEP Encryption certificate when performing the "Setting Permissions on the Private Keys" section. Please try to change the permission to test.

    Also, please try " Testing Enrollment" section. Visit http://<servername>/certsrv/mscep_admin to get password and visit http://<servername>/certsrv/mscep to enroll for the certificate.

    If there is any error, please let us know the detailed error message.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, March 09, 2009 11:04 AM
  • Hi,

    thanks for your answers.

    I already tried giving full control to the keys, because I read it in the blog. Standard permissions on the RA certificates
    are Read-only for the NDES-Service-Account, so I assume Read is enough. Full control doesn't work either.

    If I visit the mentioned links (MSCEP and MSCEP-Admin), there are only the IIS error pages shown

    HTTP Error 500.0 - Internal Server Error

    The page cannot be displayed because an internal server error has occurred.

    In the eventlog, the following errors are listed:

    The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
    The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

    Maybe something's screwed up pretty badly in my testing environment, but I really can't believe it. It's a fresh install and I double-checked all
    permissions (templates) and so on.

    Greetings MMF


    Tuesday, March 10, 2009 7:44 AM
  • Thanks,

    I did that already a long time ago except for moving the Exchange Cert from the NDES-user-store to the computer store. The background was, that I didn't want to give the NDES-Service-Account administrative privileges. I still don't want to.

    And it worked! Thank you all very much, and especially you Mervyn. (I requested everything over the MMC, but still the same procedure. I set the private key permissions afterwards).

    What I don't get - I requested the certificates with a different account (pki administrator) and moved them into the certificate store of the computer. And there's no connection whatsoever between the certificate (EnrollmentAgentOffline) and the NDES-Service-Account, at least I don't see any...
    So from my point of view, this should also work.

    But still - not a solution I can present a client :D To give the service account even temporarily administrative permissions so I can
    move the certificates between the NDES-Service-Account's user store and the local machine store - that's unbelievable...


    Greetings MMF
    Wednesday, March 11, 2009 2:15 PM
  • Hi,

    After several install/remove testing, I suggest you try this workaround:

    Add the NDES service account to the Admin group before installing the NDES service and remove it after replacing the certificates.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by Matt Kerr Wednesday, May 12, 2010 5:50 PM
    Tuesday, March 17, 2009 7:57 AM
  • Small update - almost two years and one OS later, this issue is still not fixed. First of all - the documentation is clearly wrong (http://technet.microsoft.com/en-us/library/ff955642(WS.10).aspx#BKMK_Renewing), as enrolling an Exchange Enrollment Agent (Offline Request) certificate is not possible from the Computer's certificate store (it's a user template).

    Second of all - it's still not possible to enroll custom certificates, which meet the requirements outlined in the Active Directory Certificate Services: Network Device Enrollment Service - Whitepaper for Server 2008 R2 from Jan 2009, which states that the service is searching for appropriate certificates (EKU Certificate Request Agent and Key Usage Encryption / Signature).

    I enrolled two custom certificates (one EKU CertReqAgent and Encryption, one EKU CertReqAgent and Signature), based on the templates CEP encryption and Key Enrollment Agent (Computer) - which allows the NDES-server to enroll for it.

    And it fails - who would have guessed... I think I will open a support case.

    Kind regards,

    MMF

    Monday, January 16, 2012 6:06 AM
  • Hi MMF,

    You could try this.. duplicate your "Exchange Enrollment Agent" template then open adsiedit and open the container CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com find your copied template and edit the attribute "flags" change it from 131585 to 131649 this should change the template from user to computer.

    If you are interested in how that works,

    I used this page as a reference http://msdn.microsoft.com/en-us/library/cc226550(v=prot.13)

    and added

    0x00000040

    CT_FLAG_MACHINE_TYPE

    Mike.

    Sunday, March 04, 2012 9:15 PM
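The flags edit described in the post above, done with ADSI from PowerShell instead of by hand in adsiedit. This is an added example, not code from the thread: it decodes the template's `flags` attribute, shows which bit the change 131585 -> 131649 adds, and only writes when run with -Apply. The template CN 'NDESEnrollmentAgent' is a placeholder for your duplicated "Exchange Enrollment Agent" template, and the bit names are taken from the Windows SDK certca.h (MS-CRTD section 2.4); verify them against that document before relying on any bit other than 0x40.

```powershell
# Added example (not from the thread). Reads a certificate template's 'flags'
# attribute over ADSI, decodes the bits, and sets CT_FLAG_MACHINE_TYPE (0x40),
# which is what the manual adsiedit change 131585 -> 131649 does.
# Assumptions: run as a user with write access to the template object
# (Enterprise Admins by default); 'NDESEnrollmentAgent' is a placeholder CN;
# bit names follow the Windows SDK certca.h / MS-CRTD section 2.4.
param(
    [string]$TemplateName = 'NDESEnrollmentAgent',
    [switch]$Apply                                    # print only unless given
)

$CT_FLAG_MACHINE_TYPE = 0x40
$FlagNames = @{
    0x00001 = 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
    0x00020 = 'CT_FLAG_AUTO_ENROLLMENT'
    0x00040 = 'CT_FLAG_MACHINE_TYPE'
    0x00080 = 'CT_FLAG_IS_CA'
    0x00200 = 'CT_FLAG_ADD_TEMPLATE_NAME'
    0x10000 = 'CT_FLAG_IS_DEFAULT'
    0x20000 = 'CT_FLAG_IS_MODIFIED'
}

function ConvertTo-FlagNames([int]$Value) {
    # Named bits in ascending order, then whatever is left over as a hex remainder
    $names = @(foreach ($bit in ($FlagNames.Keys | Sort-Object)) {
        if (($Value -band $bit) -ne 0) { $FlagNames[$bit] }
    })
    $unknown = $Value
    foreach ($bit in $FlagNames.Keys) { $unknown = $unknown -band (-bnot $bit) }
    if ($unknown -ne 0) { $names += ('unlisted bits 0x{0:X}' -f $unknown) }
    $names -join ', '
}

function Get-TemplateEntry([string]$Name) {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

# Offline decode of the two values quoted in the thread (no directory access needed)
'131585 -> ' + (ConvertTo-FlagNames 131585)
'131649 -> ' + (ConvertTo-FlagNames 131649)

$template = Get-TemplateEntry $TemplateName
$old = [int]$template.Properties['flags'].Value
'{0,-14} {1,7} (0x{1:X}) : {2}' -f 'current flags', $old, (ConvertTo-FlagNames $old)

if (($old -band $CT_FLAG_MACHINE_TYPE) -ne 0) {
    'CT_FLAG_MACHINE_TYPE is already set; nothing to change'
} else {
    $new = $old -bor $CT_FLAG_MACHINE_TYPE
    '{0,-14} {1,7} (0x{1:X}) : {2}' -f 'new flags', $new, (ConvertTo-FlagNames $new)
    if ($Apply) {
        $template.Put('flags', $new)     # integer attribute, written as-is
        $template.SetInfo()
        'written; the change has to replicate before the CA and clients see it'
    }
}
```

131649 - 131585 = 64 = 0x40, so the only bit the manual edit adds is CT_FLAG_MACHINE_TYPE; the other set bits stay as they were. Two things to check afterwards: open the copy in the Certificate Templates console to confirm it is now listed as a computer template with the ACL you expect, since a direct ADSI write bypasses that console's validation; and remember that every principal with Enroll on the copy gets a Certificate Request Agent certificate, which can sign enrollment requests on behalf of other identities, so restrict Enroll to the NDES server's computer account and keep the CA's enrollment agent restrictions in place.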
  • RE: "First of all - the documentation is clearly wrong (http://technet.microsoft.com/en-us/library/ff955642(WS.10).aspx#BKMK_Renewing), as enrolling an Exchange Enrollment Agent (Offline Request) - certificate is not possible from the Computer's certificate store (it's a user-template)."

    I have checked this with the feature team and the documentation is accurate on the template. The template is indeed a User template, but it is placed into the Computer store. While it appears inconsistent, it is by design, and should work.

    That said, the product team believes the error you are experiencing can be fixed by a software update. Therefore, opening a support case is probably the best way to go at this time.

    Wednesday, April 04, 2012 8:15 PM
  • Try this out: 

    1. Open IIS Manager.
    2. In the navigation pane, click Application Pools.
    3. In Application Pools, click SCEP.
    4. In the Actions Pane, click Advanced Settings.
    5. Under Process Model, click Load User Profile. Set to True.
    6. Click OK to all open dialog boxes.
    7. Restart IIS.

    Let us know if that resolves the error, please.

    Thursday, April 05, 2012 12:15 AM
  • Hello,

    I have been following this thread and I am faced with a similar issue.  When trying to navigate to certsrv/mscep I get the following error found below.  I followed your instructions Kurt and was able to change the Load User Profile setting from 'false' to 'true'.  Unfortunately I am getting the same result.

    I am able to get to certsrv via 80 and 443 without any issues.  Just having issues with mscep.

    I am a new user with 2008 R2 Enterprise as well.  Not sure what I have done, but it was working fine before adding CertSrv to my Default Web Site in IIS Manager.  I used the Add Role Wizard to enable Certification Authority Web Enrollment and followed the setup steps.

    So I can navigate to http://x.x.x.x/certsrv but not http://x.x.x.x/certsrv/mscep.  When I do I get the message below.

    Patrick 

    404 - File or directory not found.

    The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

    Monday, April 16, 2012 4:12 PM
  • If you haven't already, try checking the Event Viewer to see if there are NDES events in there. I posted the NDES whitepaper to the TechNet Wiki so you can search through it online

    http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs-en-us.aspx

    I know the behavior of the NDES service installation is different if you have CA Web Enrollment installed, so if you can reinstall the service, that might be a resolution.

    1. If you install NDES when CA Web Enrollment is not installed, the virtual directories CertSrv, mscep, and mscep_admin are not created. However, the ISAPI dll will still provide access to those locations. You can use the Application Pool - SCEP - Advanced Settings to control the service.

    2. If you install NDES when the CA Web Enrollment pages are installed, the virtual directories CertSrv, mscep, and mscep_admin are created. You still manage the service via Application Pool - SCEP - Advanced Settings.


    Monday, April 16, 2012 5:42 PM
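The checks from the two replies above (the SCEP application pool's identity and Load User Profile setting, the NDES events in the Application log, and whether /certsrv/mscep and /certsrv/mscep_admin answer 404 or 500) as one script. This is an added example, not code from the thread. It assumes IIS 7.x with the WebAdministration module, Windows PowerShell 3.0 or later, an application pool named SCEP, and that NDES logs under the provider name 'Microsoft-Windows-NetworkDeviceEnrollmentService'; run it elevated on the NDES server.

```powershell
# Added example (not from the thread). Shows the SCEP application pool
# settings discussed in this thread (identity, Load User Profile), turns
# Load User Profile on when asked, lists the latest NDES events, and probes
# the two NDES URLs so a 404 (virtual directory / ISAPI mapping absent) can be
# told apart from a 500 (NDES reached but failed to start).
# Assumptions: IIS 7.x + WebAdministration module, PowerShell 3.0+, pool 'SCEP',
# event provider 'Microsoft-Windows-NetworkDeviceEnrollmentService'.
param(
    [string]$PoolName = 'SCEP',
    [string]$HostName = 'localhost',
    [switch]$Apply                    # change loadUserProfile only with -Apply
)

Import-Module WebAdministration

function Get-ScepPoolState([string]$Name) {
    $pm = Get-ItemProperty "IIS:\AppPools\$Name" -Name processModel
    [pscustomobject]@{
        Pool            = $Name
        IdentityType    = $pm.identityType      # ApplicationPoolIdentity or SpecificUser
        UserName        = $pm.userName          # the domain service account, if SpecificUser
        LoadUserProfile = [bool]$pm.loadUserProfile
        State           = (Get-WebAppPoolState $Name).Value
    }
}

function Test-NdesUrl([string]$Url) {
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true         # mscep_admin requires Windows auth
    try {
        [void]$wc.DownloadString($Url)
        return [pscustomobject]@{ Url = $Url; Status = 200 }
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        $status = if ($ex -is [System.Net.WebException] -and $ex.Response) {
            [int]([System.Net.HttpWebResponse]$ex.Response).StatusCode
        } else { -1 }                                           # no HTTP answer at all
        return [pscustomobject]@{ Url = $Url; Status = $status }
    }
}

$state = Get-ScepPoolState $PoolName
$state | Format-List

if (-not $state.LoadUserProfile) {
    if ($Apply) {
        Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.loadUserProfile -Value $true
        Restart-WebAppPool $PoolName
        "loadUserProfile set to True and pool $PoolName recycled"
    } else {
        Write-Warning "loadUserProfile is False on pool $PoolName; rerun with -Apply to set it"
    }
}

# Most recent NDES events; start failures carry the HRESULTs quoted in this thread
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-NetworkDeviceEnrollmentService' }
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# Status 404: the virtual directory / ISAPI mapping is missing (reinstall case above).
# Status 500: the request reached NDES and the service failed; read the events above.
foreach ($path in 'certsrv/mscep_admin/', 'certsrv/mscep/') {
    Test-NdesUrl "http://$HostName/$path"
}
```

If the pool runs as a domain account, the Load User Profile setting only helps once that account has a profile on the box, which is why the later reply in this thread logs on as the service account once; the probe then shows whether the 500 has gone away without touching the certificates.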
  • Another thing that I just ran into this time was that my CRL was out of date. Ensure that you keep your CRL updated or you could run into an Internal Server Error.

    To update the CRL, on the CA as a CA administrator open an administrative command prompt and run: certutil -crl

    Tuesday, October 16, 2012 9:09 PM
  • RE: "First of all - the documentation is clearly wrong (http://technet.microsoft.com/en-us/library/ff955642(WS.10).aspx#BKMK_Renewing), as enrolling an Exchange Enrollment Agent (Offline Request) - certificate is not possible from the Computer's certificate store (it's a user-template)."

    I have checked this with the feature team and the documentation is accurate on the template. The template is indeed a User template, but it is placed into the Computer store. While it appears inconsistent, it is by design, and should work.

    I think M-M-F is right and the documentation is either wrong or at least incomplete. When you try to enroll for new NDES certificates using the MMC Certificates console from the MY store of the local computer (where both NDES certificates should finally reside), the "Exchange Enrollment Agent (Offline Request)" template is not offered (regardless of template ACL), because it is a user template. The "CEP Encryption" template is offered; it is a computer/device template.

    There is one more point missing from the documentation: when you attempt to request a certificate from the Certificates console opened for the local computer, it is the computer account that acts as the requester, and the computer account is checked against the certificate template ACLs when the list of available templates is built, not your user account. So even for requesting a new "CEP Encryption" certificate, you need an additional step - ensure that the NDES computer account has Read and Enroll permissions on the template. The documentation doesn't say a word about that; it only mentions that the Administrator must have Enroll permissions on both templates and tells us to enroll for both certificates from the Certificates console.

    So Certificates console is not very easy to use for new NDES certificates, and process is not obvious. For "Exchange Enrollment Agent (Offline Request)" certificate, the working way (as described in this thread) is to request it from NDES service account and then move to MY store of local computer.

    When using certreq.exe, that's quite different. With this utility, it's really your current user (administrator) account which is checked against the certificate template ACL, so first you need a different set of permissions on the certificate templates (as opposed to using the MMC console). Second, with certreq you also get a template scope conflict with "Exchange Enrollment Agent (Offline Request)", because you are requesting a certificate based on a user template but put "MachineKeySet=TRUE" in the .inf file. But unlike the Certificates console, which simply doesn't offer such conflicting templates for enrollment, certreq.exe warns you and permits you to proceed.

    Thursday, December 06, 2012 9:34 AM
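The certreq.exe route the reply above describes, written out for both NDES templates. This is an added example, not code from the thread: it builds an .inf with MachineKeySet = TRUE so the key is generated in the machine store, submits the request to the CA, and accepts the issued certificate into LocalMachine\My, so nothing has to be moved between stores afterwards. The CA config string is a placeholder, the subject follows the <hostname>-MSCEP-RA pattern NDES uses for its own RA certificates, and the template internal names CEPEncryption and EnrollmentAgentOffline are the ones used in this thread. As the reply says, the user running certreq (not the computer account) needs Read and Enroll on the template; run it elevated.

```powershell
# Added example (not from the thread). Requests one of the two NDES RA
# certificates with certreq.exe from an .inf that sets MachineKeySet = TRUE,
# submits it to the CA, and accepts the result into LocalMachine\My.
# Assumptions: the CA config string is a placeholder; the caller has
# Read + Enroll on the chosen template; run from an elevated prompt.
param(
    [ValidateSet('CEPEncryption', 'EnrollmentAgentOffline')]
    [string]$Template = 'CEPEncryption',
    [string]$CAConfig = 'ca01.contoso.com\Contoso Issuing CA',     # placeholder
    [string]$Subject  = "CN=$($env:COMPUTERNAME)-MSCEP-RA"           # NDES RA naming pattern
)

# Key purpose per template: CEP Encryption is an exchange key (KeySpec 1) with
# Key Encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE = 0x20); the Enrollment Agent
# certificate is a signature key (KeySpec 2) with Digital Signature (0x80).
$KeyProfiles = @{
    CEPEncryption          = @{ KeySpec = 1; KeyUsage = '0x20' }
    EnrollmentAgentOffline = @{ KeySpec = 2; KeyUsage = '0x80' }
}
$KeyProfile = $KeyProfiles[$Template]

$work = Join-Path $env:TEMP "ndes-$Template"
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'request.inf'
$reqPath = Join-Path $work 'request.req'
$cerPath = Join-Path $work 'issued.cer'

@"
[NewRequest]
Subject = "$Subject"
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = $($KeyProfile.KeySpec)
KeyUsage = $($KeyProfile.KeyUsage)
ProviderName = "Microsoft Strong Cryptographic Provider"
ProviderType = 1
RequestType = PKCS10
Exportable = FALSE

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $infPath -Encoding ASCII

function Invoke-CertReq([string[]]$Arguments) {
    # Echo certreq's own output (including the template-scope warning for the
    # user template) and stop on a non-zero exit code.
    $out = & certreq.exe @Arguments 2>&1
    $out | ForEach-Object { "  $_" }
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

"building request for $Template"
Invoke-CertReq @('-new', $infPath, $reqPath)
"submitting to $CAConfig"
Invoke-CertReq @('-submit', '-config', $CAConfig, $reqPath, $cerPath)
if (-not (Test-Path $cerPath)) { throw 'no certificate returned (request pending or denied); check the CA' }
"installing into LocalMachine\My"
Invoke-CertReq @('-accept', $cerPath)
```

Run it once per template. The RA private keys are what sign every device's enrollment request, so they are created non-exportable here; after -accept the certificate is already in the computer's MY store, but the NDES identity still needs Read on the key file, which is a separate step.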
  • I know this is an old thread, but thought I'd put my solution here for those who stumble across this in the future (maybe even future-me when I encounter this issue again and forget the solution.)

    Symptom:  Browse to "http://<server address>/certsrv/MSCEP_Admin/", get an error 500.  Also, the application log shows:  "The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified."

    Solution:  Log on to the NDES server as NDES account (the account under which the NDES runs).  This is the user account that was specified during the NDES setup wizard.  This creates a user profile on the server.  You never have to logon as this account again, this is a one-time fix.

    Upon successful logon (for example, through RDP or at the console), the issue should be resolved.  

    Props to Symantec, I found the fix here:  http://www.symantec.com/business/support/index?page=content&id=TECH177406


    Chris


    Thursday, March 21, 2013 6:38 PM
  • Hi,

    I have the same problem/message after installation of OCSP Responder service on the same 2008R2 server as NDES (NDES worked before OCSP installation):

    The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057).  The parameter is incorrect.

    I renewed the CEP and Exchange Enrollment Agent certificates and placed them in the 'Local Computer' personal store (Exchange Enrollment Agent is a user certificate template and needed to be moved from the user to the local computer store).
    Private key is present (key displayed over the certificate icon) and the system has full control on them.

    After restarting IIS i have a HTTP 500 error on http://host/certsrv/mscep and http://host/certsrv/mscep_admin

    Is there a way to have more explicit debug messages about key and incorrect parameter ?

    Monday, June 02, 2014 4:28 PM
  • Have you checked the permissions on the new certificates private keys?

    You should add permissions that ensure that the Application Pool from IIS is able to read the private key.

    If the application pool runs as ApplicationPoolIdentity then you should give the private key of the CEP and Exchange Enrollment Agent certificates permissions for "IIS APPPOOL\SCEP", granting it read permissions.

    If the Application Pool runs as a Domain Account then you should give that account Read Permissions.

    One thing to check also is that the private key length matches the length of the previous certificates. I came across an issue where the certificate was renewed with a 1024-bit key and it did not work, which is strange...

    Definitely check the permissions.

    Regards

    Luis Sousa


    • Edited by Luis.Sousa Thursday, July 17, 2014 5:19 PM
    • Proposed as answer by Luis.Sousa Thursday, July 17, 2014 6:01 PM
    Thursday, July 17, 2014 5:19 PM
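The checks in this reply and in the accepted answer earlier in the thread (both RA certificates present in LocalMachine\My with their private keys, key length, expiry, and Read on the private key for the identity the SCEP pool runs as) as one script. This is an added example, not code from the thread. It assumes Windows PowerShell 3.0 or later on the NDES server, CSP (CAPI) keys stored under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, and 'IIS APPPOOL\SCEP' as the identity to grant; pass -KeyReader 'CONTOSO\svc_ndes' when the pool runs as a domain service account. The certificates are matched by the criteria quoted from the NDES whitepaper earlier in the thread (EKU Certificate Request Agent plus Key Encipherment for the CEP Encryption role or Digital Signature for the Enrollment Agent role), not by template name, so custom templates are found too.

```powershell
# Added example (not from the thread). Finds the NDES RA certificates in
# LocalMachine\My (EKU Certificate Request Agent; key usage Key Encipherment =
# CEP Encryption role, Digital Signature = Enrollment Agent role), reports
# private key / key size / expiry, and grants Read on each CSP key file to -KeyReader.
# Assumptions: PowerShell 3.0+, CSP keys under %ProgramData%\Microsoft\Crypto\RSA\
# MachineKeys, pool identity 'IIS APPPOOL\SCEP' (or a domain account via -KeyReader).
param(
    [string]$KeyReader = 'IIS APPPOOL\SCEP',
    [switch]$Apply                     # report only unless -Apply is given
)

$CertReqAgentEku = '1.3.6.1.4.1.311.20.2.1'
$MachineKeysDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$KU              = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-NdesCertificate {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku) { continue }
        if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CertReqAgentEku })) { continue }

        $ku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $role = 'Unknown'
        if ($ku) {
            if     ($ku.KeyUsages.HasFlag($KU::KeyEncipherment))  { $role = 'CEPEncryption' }
            elseif ($ku.KeyUsages.HasFlag($KU::DigitalSignature)) { $role = 'EnrollmentAgent' }
        }

        # Key file path is derivable only for CSP keys; for CNG keys
        # $cert.PrivateKey throws on .NET Framework, so those stay $null.
        $keyFile = $null
        try {
            if ($cert.HasPrivateKey -and $cert.PrivateKey) {
                $keyFile = Join-Path $MachineKeysDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            }
        } catch { $keyFile = $null }

        [pscustomobject]@{
            Role          = $role
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            KeySize       = $cert.PublicKey.Key.KeySize
            HasPrivateKey = $cert.HasPrivateKey
            KeyFile       = $keyFile
        }
    }
}

function Grant-KeyRead([string]$Path, [string]$Identity) {
    # Read on the key container file is all NDES needs; no Full Control.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$certs = @(Get-NdesCertificate)
$certs | Format-Table Role, Subject, NotAfter, KeySize, HasPrivateKey, KeyFile -AutoSize

foreach ($role in 'CEPEncryption', 'EnrollmentAgent') {
    $found = @($certs | Where-Object Role -eq $role)
    if ($found.Count -eq 0) { Write-Warning "no $role certificate in LocalMachine\My"; continue }
    if ($found.Count -gt 1) { Write-Warning "$($found.Count) $role certificates present; remove the old one so exactly one is left per role" }
    foreach ($c in $found) {
        if ($c.NotAfter -lt (Get-Date)) { Write-Warning "$role $($c.Thumbprint) expired $($c.NotAfter)" }
        if (-not $c.KeyFile) { Write-Warning "$role $($c.Thumbprint): no CSP key file found (key missing, or a CNG key; set that ACL by hand)"; continue }
        if ($Apply) {
            Grant-KeyRead -Path $c.KeyFile -Identity $KeyReader
            "granted Read on $($c.KeyFile) to $KeyReader"
        }
    }
}
```

Run it without -Apply first and compare KeySize against the certificates being replaced, since this reply reports a 1024-bit renewal failing where the originals were longer; then run with -Apply and recycle the SCEP pool (or iisreset) before probing /certsrv/mscep_admin again.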