Installing NDES on Server 2012 R2 Problem

Question

    Hi,

    I’ve a 2012 R2 CA which is running very nicely.  I’m now trying to install NDES on a separate server (also 2012 R2) but when I run the Install-AdcsNetworkDeviceEnrollmentService cmdlet I have two principal problems.

    Problem 1

    The NDES installation triggers a restart of the CA, with the following error in the event log on the CA:

    The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} and APPID {D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user MYDOMAIN\sysmanager SID (S-1-5-21-3632170022-1329408639-436904516-1004) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    I have not made any changes to permissions on the CA over and above those configured in the Certification Authority snap-in itself.  I even tried running the Install-AdcsNetworkDeviceEnrollmentService cmdlet on the CA itself (rather than the separate server) and I got the same result.  I've checked that the NDES service account I'm specifying has rights on the relevant templates, etc. - I even went mad and put the service account into the DA and EA groups just to eliminate any obvious permissions issues.  Note: I've followed the various guides for NDES on the (excellent) PKI document reference and library wiki on TechNet.

    Problem 2

    Following the CA restart, the NDES installation appears to continue but then fails because it can’t enrol for the EnrollmentAgentOffline certificate – it errors with:

    The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID_POLICY)

    AdditionalInformation Error Constructing or Publishing Certificate

    I’m pretty sure this is because I have expressed issuance policies on the CA, and these issuance policies are not configured on the two certificate templates (Exchange Enrollment Agent and CEP Encryption) – and because these two templates are v1 I don’t know how I can remedy this.

    So, if anyone can give any advice for moving forward with either of the two problems I'd be most grateful.  I've a hunch that the first problem, whilst seemingly nasty, may still allow me to continue with the install following a CA restart, and then I've just got the Issuance Policy problem to tackle.

    Regards, Chipeater

    Wednesday, November 6, 2013 4:26 PM
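An added example, not code from the thread or from Microsoft's NDES tooling, that reads the DCOM Launch permission ACL the event above points at (stored under HKCR\AppID\<APPID>\LaunchPermission) so the principal named in the event can be compared against what the ACL actually grants before anything is changed in Component Services. It assumes an elevated PowerShell session on the CA and uses the APPID quoted in the event text.

```powershell
# Decode the DCOM Launch/Activation permission ACL for one AppID.
# Assumes it runs elevated on the CA; the APPID is the one quoted in the event.
$AppId = '{D99E6E74-FC88-11D0-B498-00A0C90312F3}'

function Get-DcomLaunchPermission {
    param([Parameter(Mandatory)][string]$AppId)

    $key  = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction Stop
    $name = $key.GetValue('')                    # default value: friendly AppID name
    $raw  = $key.GetValue('LaunchPermission')    # REG_BINARY self-relative security descriptor

    if (-not $raw) {
        # No per-AppID ACL: the machine-wide default launch permission applies
        # (Component Services > My Computer > Properties > COM Security).
        return [pscustomobject]@{ AppId = $AppId; Name = $name; Source = 'MachineDefault'; Entries = @() }
    }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $raw, 0
    $entries = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }              # unresolvable SID: show it raw
        $mask = $ace.AccessMask
        # COM rights bits (combaseapi.h): 1 = EXECUTE, 2 = EXECUTE_LOCAL, 4 = EXECUTE_REMOTE,
        # 8 = ACTIVATE_LOCAL, 16 = ACTIVATE_REMOTE. An old-style ACE carrying only
        # COM_RIGHTS_EXECUTE is interpreted by DCOM as granting all four rights.
        $legacyAll = (($mask -band 0x1F) -eq 1)
        [pscustomobject]@{
            Principal        = $who
            AceType          = $ace.AceType      # AccessAllowed or AccessDenied
            LocalLaunch      = $legacyAll -or [bool]($mask -band 2)
            RemoteLaunch     = $legacyAll -or [bool]($mask -band 4)
            LocalActivation  = $legacyAll -or [bool]($mask -band 8)
            RemoteActivation = $legacyAll -or [bool]($mask -band 16)
        }
    }
    [pscustomobject]@{ AppId = $AppId; Name = $name; Source = 'AppIdSpecific'; Entries = @($entries) }
}

$result = Get-DcomLaunchPermission -AppId $AppId
$result | Format-List AppId, Name, Source
$result.Entries | Format-Table -AutoSize
```

The account from the event (MYDOMAIN\sysmanager here) should appear in the Entries table with LocalLaunch true, either directly or through a group it belongs to; if it does not, that is the specific ACE to add rather than widening the machine-wide default.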


All replies

  • Hi,

    Have you followed the article below before installing it:

    Network Device Enrollment Service Guidance


    Regards, Yan Li

    Friday, November 8, 2013 2:44 AM
  • Hello Chip Eater

    Did you solve the problem, or did you get any additional information?

    Would it be possible for you to tell what issuance policies you have configured?

    Thank you


    Friday, May 9, 2014 6:13 AM