The Network Device Enrollment Service (NDES) is one of the role services of the Active Directory Certificate Services (AD CS) role. It implements the Simple Certificate Enrollment Protocol (SCEP). SCEP defines the communication between network devices and a Registration Authority (RA) for certificate enrollment and is defined in detail in https://tools.ietf.org/html/draft-nourse-scep-18
"The goal of SCEP is to support the secure issuance of certificates to network devices in a scalable manner, using existing technology whenever possible ."
This article was updated to cover the Windows Server 2012 release with the following exceptions:
This article is intended for those with a basic understanding of PKI concepts and x509 certificates.
The need to secure networks has grown substantially over the last few years. One of the security challenges organizations face is authentication. Few protocols can be used for authentication; one of them, Internet Protocol Security (IPSec), uses X.509 version 3 certificates to identify the entities involved in a secure session. However, the challenge has moved from authentication to issuing certificates to these end entities. Moreover, networks include devices that do not run with established (domain) credentials, for example, routers. SCEP enables network devices that do not run with domain credentials to enroll for X.509 version 3 certificates from a Certification Authority (CA).
At the end of the transactions defined in this protocol, the network device will have a private key and associated certificate that is issued by a CA. Applications on the device may use the key and its associated certificate to interact with other entities on the network. The most common usage of this certificate on a network device is to authenticate the device in an IPSec session.
The following entities are involved in SCEP.
Figure 1 illustrates the various steps for enrolling certificates through the Network Device Enrollment Service.
Figure 1: Enrollment Process
The enrollment process includes the following steps.
Step 1: Generates a public-private key pair
In this step, the device must create a private and public key pair. The device must define the cryptography actions enabled for this key from the following list.
At the end of the step, the device must have a public-private key pair for cryptography operations.
Step 2: Obtains a password from the Network Device Enrollment Service
In this step, the device administrator obtains a password from the Network Device Enrollment Service at https://<ServerName>/certsrv/mscep_admin (Figure 2).
https is not required but is recommended.
By default, the service requires a password for authenticating the devices in step 4; however, the service can be configured to accept requests without obtaining passwords.
The service obtains the requestor's credentials and verifies that the requestor possesses the following permissions.
Next, the service will check that the password table is not full. If it is not full, the service will create a random password and embed it in the HTML page returned to the caller. For more information about the service password table, see Password and Password Cache.
Figure 2: Administration Web Page
Step 3: Sets the device to trust the Enterprise PKI
This step is specific to each device. By the end of this step, the device should be configured to trust the enterprise PKI. This is usually achieved by having the device invoke the GetCACert operation implemented by the service and trust the returned CA certificate. The following is an example of a call to get the CA certificate.
https://myregistrationauthority/certsrv/mscep?operation=GetCACert&message=MyDeviceID
Step 4: Submits a certificate enrollment request to the service
In this step, the device administrator performs the required steps to submit a request from the device to the service. If the service requires a password, the administrator needs to configure the device with the password that was received from the service in Step 2.
This step is device-specific. Once it is completed, the service must receive a PKCS #7 request containing the required information for the device enrollment. The KeyUsage extension of the enrollment request should be one of the following:
If the request does not contain a KeyUsage extension, the service will treat the request as if it were sent for both cryptographic operations (0xa0).
The request syntax is specified in https://tools.ietf.org/html/draft-nourse-scep-18.
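As an added example (not part of the original article), the following Python decodes the KeyUsage BIT STRING of an enrollment request and maps it to the signature (0x80), encryption (0x20) and both (0xa0) cases described above, applying the 0xa0 default when the extension is absent. It assumes the caller has already extracted the extension's DER-encoded BIT STRING value from the PKCS #10 request; the sample encodings are constructed.

```python
"""Decode the KeyUsage extension of a SCEP enrollment request and apply
the service's interpretation: signature only (0x80), encryption only
(0x20), both (0xa0), with a missing extension treated as 0xa0."""

from typing import Optional, Tuple

# RFC 5280 KeyUsage bit positions expressed as a mask over the first byte.
DIGITAL_SIGNATURE = 0x80                      # bit 0
KEY_ENCIPHERMENT = 0x20                       # bit 2
BOTH = DIGITAL_SIGNATURE | KEY_ENCIPHERMENT   # 0xa0, the service default


def _read_der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                 # short form
        return first, pos + 1
    count = first & 0x7F             # long form: number of length octets
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + count], "big")
    return length, pos + 1 + count


def key_usage_mask(bit_string_der: Optional[bytes]) -> int:
    """Return the first KeyUsage byte from a DER-encoded BIT STRING.

    None models a request without a KeyUsage extension, which the service
    treats as a request for both cryptographic operations (0xa0).
    """
    if bit_string_der is None:
        return BOTH
    if len(bit_string_der) < 2 or bit_string_der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, pos = _read_der_length(bit_string_der, 1)
    body = bit_string_der[pos:pos + length]
    if len(body) != length or not body:
        raise ValueError("truncated BIT STRING")
    unused_bits = body[0]
    if unused_bits > 7:
        raise ValueError("invalid unused-bits octet")
    if len(body) == 1:
        return 0                     # empty bit string asserts no usage
    mask = body[1]
    if len(body) == 2:
        # Only the final octet carries padding; clear its unused bits.
        mask &= (0xFF << unused_bits) & 0xFF
    return mask


def classify_request(mask: int) -> str:
    """Map a KeyUsage mask onto the cases the service distinguishes."""
    wanted = mask & BOTH
    if wanted == BOTH:
        return "both (0xa0)"
    if wanted == DIGITAL_SIGNATURE:
        return "signature (0x80)"
    if wanted == KEY_ENCIPHERMENT:
        return "encryption (0x20)"
    return "unsupported"


def interpret(bit_string_der: Optional[bytes]) -> str:
    """Convenience wrapper: DER BIT STRING (or None) -> classification."""
    return classify_request(key_usage_mask(bit_string_der))


if __name__ == "__main__":
    # Constructed sample encodings, not captured from a real device.
    samples = {
        "absent": None,
        "digitalSignature": bytes.fromhex("03020780"),
        "keyEncipherment": bytes.fromhex("03020520"),
        "both": bytes.fromhex("030205a0"),
        "keyCertSign only": bytes.fromhex("03020204"),
    }
    for name, der in samples.items():
        print(f"{name:18} -> {interpret(der)}")
```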
Step 5: Sends an enrollment request to the CA
After receiving the enrollment request from the device, the service does the following:
Step 6a: CA issues the device certificate immediately
If the CA issues the certificate immediately, the service will get the certificate and return it to the device.
For a stand-alone CA, the default issuance policy is to hold all certificate requests for approval by a CA manager.
Step 6b: Asynchronous issuance
If the certificate request is not issued immediately, the service will return the status to the device.
The device administrator will have to send another request to receive status for the pending certificate request. The service will receive the updated status from the CA; if the certificate has already been issued, it will return the issued certificate to the device.
The NDES supports certificate renewal, where a device uses a previously issued certificate to validate the new certificate request. This feature is supported on Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 Service Pack 2, or on Windows Server 2008 with the KB959193 hotfix installed (https://support.microsoft.com/kb/959193).
The certificate subject name is configured in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<CA Name>
Multi-string value: SubjectTemplate
The Network Device Enrollment Service does not require a complex deployment plan. It can be installed on any machine that runs Internet Information Services (IIS) as long as it can communicate with the CA through the Distributed Component Object Model (DCOM).
Note that the screenshots provided in this section are based on the user interface as implemented in Windows Server 2008 R2. The difference in user interface between Windows Server 2008 and Windows Server 2008 R2 is not significant, so it should be easy for the reader to follow the instructions on Windows Server 2008 as well.
There are two deployment scenarios for the Network Device Enrollment Service.
In an enterprise scenario deployment, the service will use an existing Enterprise CA.
Since the CA computer has access to the CA key, it is recommended to reduce the attack surface of the computer hosting the CA by not enabling additional services. Therefore, the recommended setting is to install the Network Device Enrollment Service on a different computer than the one hosting the CA service. Figure 3 illustrates a network diagram of this deployment model.
Figure 3: Enterprise Scenario Deployment
In this deployment scenario, all permissions will be based on the permissions set on certificate templates published in the domain controller (DC). In addition, the certificate requests sent to the CA will be based on certificate templates.
In this deployment scenario, the service will not use an existing Enterprise CA. Instead, it will use a stand-alone CA. It is recommended that the stand-alone CA be deployed on the same computer as the Network Device Enrollment Service and be used to issue device certificates only.
Figure 4 illustrates a network diagram of this deployment model.
Figure 4: Stand-alone Scenario Deployment
There are three roles related to setting up and running the service.
The following are the required permissions for each of the entities.
SCEPAdmin
SCEPSvc
DeviceAdmin
Installing and configuring the Network Device Enrollment Service are done through the Add Roles Wizard. This wizard collects the required information for installing Windows Server Roles.
Figure 5 illustrates a summary of the steps for setting up the Network Device Enrollment Service.
Figure 5: Setup Steps Summary
The following sections provide the wizard steps for setting up the service.
Before you set up the service, you will need to
There are two scenarios for installing the Network Device Enrollment Service.
Launch the Server Manager Microsoft Management Console (MMC), click Manage Roles in the left panel, and then click Add role services in the Active Directory Certificate Services section (red rectangle in Figure 6). Go to Step 2: Add the Network Device Enrollment Service role service
Figure 6: Server Manager
Launch the Server Manager MMC, and then click Add Roles. The Add Roles Wizard will appear. On the Select Server Role page, select the Active Directory Certificate Services role, and then click Next. The Certification Authority role service is selected by default; clear that check box, and then go to Step 2: Add the Network Device Enrollment Service role service.
In the Add Roles Wizard (Figure 7), on the Select Role Services page, select the Network Device Enrollment Service check box. The wizard will detect whether all the required dependencies are installed. If any dependencies are missing, you will be prompted with a dialog box explaining what is missing and requesting your permission to install the dependencies. Click Yes to continue the installation.
Figure 7: Setup - Select Role Services
In the Add Roles Wizard (Figure 8), on the Specify User Account page, set the credentials for the Network Device Enrollment Service. If you are using a local CA for this service, you cannot select the Network Service Account option. If you are using a remote CA, it is highly recommended that you create a dedicated account for this service. Setting the service to run as a network service may have security implications.
Note that in Windows Server 2008 R2, the network service option has been replaced with the application pool identity (UI not shown here). The application pool identity is a more secure option than network service because it does not hold the impersonate privilege and is not shared with other services on the machine.
Figure 8: Setup - Specify User Account
The selected account should have the permissions specified for the SCEPSvc in the PERMISSIONS REQUIRED FOR THE NETWORK DEVICE ENROLLMENT SERVICE section.
If the user is not a member of the local IIS_IUSRS group, the following error will appear (Figure 9).
Figure 9: Setup - Permissions Error
Open another instance of Server Manager and add the selected account to the IIS_IUSRS group before proceeding.
The service needs to be configured with a CA. This CA will be used for two purposes.
This step specifies the CA (Figure 10). You can browse to the CA by looking up the CA's name stored on the domain controller (upper browse button) or by typing the machine name (lower browse button). The CA must be online during the service setup. Some devices impose restrictions on your enterprise PKI, for example, not supporting special characters in the CA name. Check your manufacturer's specifications for such restrictions.
Figure 10: Setup - Specify CA
On the Specify Registration Authority Information page (Figure 11), all the required and optional fields for setting up the service as the RA are collected. The information you provide here will be used to construct the signing certificate issued to the service.
Figure 11: Setup - Specify Registration Authority Information
The Network Device Enrollment Service uses two certificates and their keys to enable device enrollment. Organizations might want to use different Cryptographic Service Providers (CSPs) to store these keys, or they may want to change the length of the keys used by the service.
The Configure Cryptography for Registration Authority (Figure 12) page enables you to change these key properties.
If you do not have a specific requirement to change the settings, it is recommended to keep the default settings.
Figure 12: Setup - Configure Cryptography
On the Confirm Installation Selections page (Figure 13), review all the settings for the service and then click Install.
Figure 13: Setup - Confirmation Page
Windows Server 2008 is the first Windows release that includes a service which implements SCEP natively. The service is available only on Enterprise and Datacenter SKUs; it is not available on other Windows Server 2008 SKUs.
Because an earlier implementation of the protocol, MSCEP, was distributed with the Windows Server Resource Kit, there are some unique upgrade scenarios.
The service is implemented as an ISAPI extension. It requires IIS to be installed on the same computer. It does not require the CA to be installed on the same computer.
The Internet Server API (ISAPI) extension runs in its own application pool: SCEP. This application pool is created during setup and is configured to run with the credentials that were provided during setup.
The SCEP specification does not require devices to support Secure Sockets Layer (SSL). However, retrieving a one-time password from the service should be protected using SSL. Therefore, setup creates two virtual applications: one for the device and one for the administrator.
Passwords are used by the service to authenticate the device before forwarding its enrollment request to the CA. This password should be obtained through a call to the administration virtual application https://localhost/certsrv/mscep_admin.
Every password can be used for the following:
Password restrictions
Reusing a password for multiple devices
In some environments, such as manufacturing, it may be desirable to reuse the same challenge for more than one device.
Warning: Although you can configure NDES to use a single password (UseSinglePassword mode), this mode should only be used in tightly controlled network environments where all devices requesting certificates, as well as the people and software in possession of that password, can be trusted. When NDES is configured to use a single password, any device on the network can be used to request a certificate using the same password. In contrast, when you are deploying certificates to mobile devices, we do not recommend using a single password, as any one of your employees or their devices may leak the password. For additional information, see Can I use a single password or passphrase for device enrollment?
To enable this feature, follow these steps:
After the above steps are complete, the NDES will use only one password for all certificate requests. This password can be obtained in the same way as a one-time password by going to the admin page of the NDES. Administrators can deploy that password to their devices in an automated way.
Note that this functionality is supported on Windows Server 2008 R2, Windows Server 2008 Service Pack 2, or on Windows Server 2008 with the KB959193 hotfix installed (https://support.microsoft.com/kb/959193).
The service uses two certificates for two different scenarios.
During setup, the service enrolls for the two service certificates based on two preconfigured certificate templates.
Note: These certificate templates are hard-coded in the Network Device Enrollment Service setup and cannot be modified.
In addition, setup will set the required permissions on the Certificate Template object and the CA that the service is configured with, for example, adding the required Certificate Templates to the list of templates supported by the CA.
For more information about Windows PKI Certificate Template, see https://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?mfr=true
When the service starts, it searches for two certificates that can be used for the previous two scenarios. These certificates do not have to be the same certificate the service enrolled for during setup. The following logic is used by the service for finding the certificate for the two scenarios at startup.
The Network Device Enrollment Service is configured during its setup to use a CA. It supports a Microsoft CA running on any of the following operating system (OS) versions.
Once the CA is selected, the service will call the CA and retrieve its type (Enterprise or stand-alone CA).
Two virtual applications are created for the service during setup.
The first virtual application will authenticate the caller and verify that the caller has the required permissions to obtain a new password. If the validation succeeds, the service will generate a password and return it in clear text.
Since the password must be protected, it is highly recommended that this virtual application be configured for SSL-only access.
The service uses the registry to store configuration settings. All settings are stored under one Registry key.
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
If the key is not present, the service will use the hard-coded default value from the following table.
This table defines the registry keys and their associated values.
0 = Passwords are not enforced.
Offline template.
0 = Stand-alone
0 = The service will look for its certificates in the computer "CEP" store.
Note: If the key does not exist, the service will look for its certificates in the computer "CEP" store.
DisableRenewalSubjectNameMatch
Like any other service, the Network Device Enrollment Service can be deployed and configured in multiple ways. The following sections present the tradeoffs for various configurations and recommendations based mainly on prioritizing security above other considerations.
Recommendation: Always set up the administrator site with SSL-only configuration. (Disable http access to this site.)
Pros: The password is returned encrypted.
Cons: An additional step is required to enroll for a server certificate and to configure the IIS for SSL.
This is a tradeoff between manageability and security. The longer the certificates are valid, the less frequently the enrollment process needs to occur. However, a longer validity period for keys might give an attacker enough time to recover the private key.
The service default setting validity period is one year.
Recommendation: For deployments of more than 100 devices, if the security risk is acceptable, you may consider extending the validity period of the device certificates to two years.
Pros: Management is easier the longer the device certificates are valid.
Cons: The security of the keys might be compromised if the certificate is valid for a longer period of time.
Recommendation: After completing enrollment for all your devices, it is recommended to stop IIS. Before renewal, you will need to start IIS.
Stopping IIS will clear all data stored in the service cache, for example, all passwords that are not used will be deleted from the password cache.
If IIS is used by other applications on the same machine, you may stop the SCEP application pool instead.
Pros: The attack surface of the service and its associated keys is reduced.
Cons: IIS must be restarted before the enrollment process.
Recommendation: Before setting up the service, install IIS and lock it down using the Security Configuration Wizard. In addition, it is recommended that no other services run on the same computer.
Pros: The attack surface of the computer hosting the service is reduced.
Cons: An additional configuration task is required.
Based on existing PKI policies, CA administrators should consider setting up a separate account for the service administrators and an additional account as the device administrator. (This account should have the permissions to request a password.)
Pros: Different accounts for managing enterprise PKI, running the services, setting up the service, and requesting a password increase the security of an Enterprise PKI deployment.
Cons: Additional setup tasks are required to configure accounts and permissions.
The procedures in this section provide the operational tasks related to the ongoing maintenance and usage of the Network Device Enrollment Service.
The service uses two certificates. The encryption certificate is based on the "CEPEncryption" template, and the signature certificate is based on the "Exchange Enrollment Agent (Offline Request)" template. Since these are version 1 templates, they cannot be modified.
If the PKI administrator wants to change any of the service certificate templates, new ones will need to be created and enrolled. It is recommended that the default template is duplicated and the duplicated templates are used for enrollment.
To duplicate the CEP Encryption template
The next step is to enable the CA to issue certificates based on this template.
To enable the CA to issue certificates based on this template
Now, the CA is ready to receive enrollment requests based on the CEP Encryption V2 certificate template.
The following section explains how to use the template you just created.
The service needs two valid certificates. If the service certificates have expired, or are about to expire, the service administrator needs to enroll for new certificates.
To enroll for new certificates
By default, the service is configured to submit enrollment requests based on the IPSec (Offline Request) certificate template.
To change the default by modifying registry keys
The service can be configured to log additional information for troubleshooting purposes in a special log file. This log file can only be consumed by Microsoft's support personnel. The information will be logged in the profile of the account the service is running as. Therefore, you have to log on as this account to create its profile first.
To create the profile
You may want to back up NDES if you have implemented a non-default configuration. By default, NDES obtains its service certificates based on the CEP Encryption and Enrollment Agent (Offline) certificate templates. These templates do not allow the export of private keys by default, so you will be unable to back up the certificate with its private key by default. If you have a need to recover NDES, you can reinstall the service or install NDES on another computer.
This section contains some resolutions for common issues.
NDES will fail to function properly if the revocation status of the registration authority certificate cannot be validated against the CRL. You can refresh your CRL by running certutil -crl on your CA from an administrative command prompt.
You do not see the link to the server manager console.
Resolution: Ensure that you are a member of the local administrator group.
During setup, the option to select a Network Service account is disabled.
Resolution: If an Enterprise CA is installed on the same computer, the service cannot use Network Service for its credentials.
The Network Device Enrollment Setup failed.
Resolution: The following must be verified.
When you open the administration page, the error shown in Figure 14 appears.
Figure 14: Cache is full error
Resolution: Try the following suggestions.
When an administrator tries to retrieve a password while logged on to the same computer that hosts the Network Device Enrollment Service, the retrieval will fail. This is due to the User Account Control (UAC) feature in Windows Vista and Windows Server 2008.
The error message displayed to the administrator will be the one shown in either Figure 15 or Figure 16.
Figure 15: Unauthorized error
Figure 16: Insufficient Permission error
When you open the administrator page, the error shown in Figure 17 appears.
Figure 17: No Sufficient Permissions error
Resolution: The administrator who browsed to this page MUST have the following permissions.
The device does not accept your PKI certificate (CA certificate and chain, certificate revocation list (CRL), device encryption certificates).
Resolution: The following are possible reasons.
Check your device specifications for certificate restrictions.
Everything used to work, but now the device can no longer enroll.
For more information, check your computer event logs.
Check the error code in the event description for the specific reason the Network Device Enrollment Service failed to start.
Check resources on the computer running the enrollment service to ensure that there is sufficient memory. Also, check the IIS logs for errors and warnings that may provide more information. An error 0x80004005 or 0x800700ea can mean that the service failed to connect to the CA: if the CA was down when IIS serviced the first request, the service may keep returning an error on every subsequent request even after the CA is fully operational again. If the CA was down (because of a server reboot or service restart), confirm that it is operational now and then restart the IIS application pool for NDES.
From an administrative command prompt:
c:\windows\system32\inetsrv\appcmd stop apppool /apppool.name:SCEP
c:\windows\system32\inetsrv\appcmd start apppool /apppool.name:SCEP
For Windows Server 2012, also check:
https://support.microsoft.com/kb/2800975/EN-US
Event ID: 4
The Network Device Enrollment Service cannot be stopped (%ErrorCode) %ErrorMessage
Check the error code in the event description for the specific reason the Network Device Enrollment Service was unable to shut down.
Also, check the IIS logs for errors and warnings that may provide more information.
Event ID: 6
The Network Device Enrollment Service cannot provide its password because the user does not have Enroll permissions on the configured certificate template, or the certification authority is not enabled to issue certificates based on the configured certificate template.
On the Network Device Enrollment Service computer, check for the registry entries SignatureTemplate, EncryptionTemplate, and GeneralPurposeTemplate under the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\".
Use the Certificate Templates MMC to check the permissions on the IPSec (Offline Request) template or any templates identified in the previous registry entries.
Note: You must be able to connect to Active Directory, where Certificate Templates are stored, to perform this step.
Open the Certificate Templates MMC and grant the requesting user Read and Enroll permissions on the IPSec (Offline Request) template or any templates identified in the previous registry entries.
Event ID: 7
The Network Device Enrollment Service failed to return the certification authority certificate to the caller (%ErrorCode). %ErrorMessage
Note the error code and error message included in the event description.
Ensure that the CA is available and Certificate Services is running on the CA (certutil -ping on CA). Ensure that the Network Device Enrollment Service can connect to the CA and to Active Directory.
Otherwise, your computer may be low on physical memory.
Event ID: 8
The Network Device Enrollment Service cannot retrieve information about the Certification Authority (%ErrorCode). %ErrorMessage
Event ID: 9
The Network Device Enrollment Service cannot retrieve the certification authority certificate (%ErrorCode). %ErrorMessage
Ensure that the CA is available and Certificate Services is running on the CA (certutil -ping on the CA). Ensure that the Network Device Enrollment Service can connect to the CA and to Active Directory.
Event ID: 10
The Network Device Enrollment Service cannot retrieve one of its required certificates (%ErrorCode). %ErrorMessage
The Network Device Enrollment Service certificates are stored in either the default machine certificate store (if the value of the registry entry "CertsInMyStore" is 1) or in the "CEP" store (if the registry entry does not exist or if its value is 0).
Use the Certificates MMC on the enrollment service machine to check the validity of any enrollment service certificates. Verify that all of the requirements documented in the Service Startup section have been met. To validate the certificate chain, the certutil.exe -verify command can be used.
Event ID: 11
The Network Device Enrollment Service received an http message without the "Operation" tag or with an invalid "Operation" tag.
Check IIS log to find out what query string was submitted. Note the query string's <operation>.
Use certutil to check whether the Public Key Cryptography Standard 7 (PKCS7) package from the client is valid. (certutil -v p7request.txt, where p7request.txt is a file in which the query string is captured.)
Otherwise, enable CAPI2 diagnostics and reproduce the error.
Event ID: 12
The Network Device Enrollment Service received an http message without the "Message" tag.
Check IIS log to find out what query string was submitted. Note the query string's <message>.
Use certutil to check whether the PKCS7 package from the client is valid (certutil -v p7request.txt, where p7request.txt is a file in which the query string is captured).
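As an added example for Event IDs 11 and 12 (not from the original article), the following Python parses constructed IIS W3C log lines for the device virtual application and reports requests whose query string lacks an operation or message parameter, or carries an operation the SCEP draft does not define. The log field layout, the /certsrv/mscep path prefix and case-insensitive parameter matching are assumptions.

```python
"""Triage IIS W3C log entries for the NDES device virtual application and
flag requests whose query string would trigger Event ID 11 (missing or
invalid 'operation') or Event ID 12 (missing 'message')."""

from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# HTTP operations defined in the SCEP draft the article cites. GetCACertChain
# appeared in the drafts and was later dropped from the published RFC.
SCEP_OPERATIONS = {"GetCACert", "GetNextCACert", "GetCACaps",
                   "GetCACertChain", "PKIOperation"}

# Assumed URL layout: the device application under /certsrv/mscep and the
# password page under /certsrv/mscep_admin, which is not SCEP traffic.
DEVICE_APP_PREFIX = "/certsrv/mscep"
ADMIN_APP_PREFIX = "/certsrv/mscep_admin"

# Constructed sample log excerpt (not a real capture); the field set is assumed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-06-01 10:00:01 10.0.0.5 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=router01 200
2012-06-01 10:00:02 10.0.0.5 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=router01 200
2012-06-01 10:00:03 10.0.0.6 GET /certsrv/mscep/mscep.dll message=router02 200
2012-06-01 10:00:04 10.0.0.7 GET /certsrv/mscep/mscep.dll operation=Enroll&message=router03 200
2012-06-01 10:00:05 10.0.0.8 GET /certsrv/mscep/mscep.dll operation=PKIOperation 200
2012-06-01 10:00:06 10.0.0.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 200
2012-06-01 10:00:07 10.0.0.9 GET /certsrv/mscep_admin/ - 401
"""

Finding = Tuple[str, str, str]   # (event id, client ip, reason)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per entry keyed by #Fields."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        # Skip rows that do not match the header rather than misalign columns.
        if not fields or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def is_device_request(stem: str) -> bool:
    """True for the device-facing application, false for the admin page."""
    s = stem.lower()
    return s.startswith(DEVICE_APP_PREFIX) and not s.startswith(ADMIN_APP_PREFIX)


def triage(records: List[Dict[str, str]]) -> List[Finding]:
    """Return one finding per condition that would raise Event ID 11 or 12."""
    findings: List[Finding] = []
    for rec in records:
        if not is_device_request(rec.get("cs-uri-stem", "-")):
            continue
        ip = rec.get("c-ip", "?")
        query = rec.get("cs-uri-query", "-")
        params = {} if query == "-" else parse_qs(query, keep_blank_values=True)
        # Parameter names are matched case-insensitively (assumption).
        lowered = {k.lower(): v for k, v in params.items()}
        operation = lowered.get("operation", [""])[0]
        if not operation:
            findings.append(("11", ip, "missing operation"))
        elif operation not in SCEP_OPERATIONS:
            findings.append(("11", ip, f"invalid operation {operation!r}"))
        # The draft allows PKIOperation over POST with the message in the
        # body, so only GET requests are expected to carry 'message'.
        if rec.get("cs-method", "GET").upper() == "GET":
            if not lowered.get("message", [""])[0]:
                findings.append(("12", ip, "missing message"))
    return findings


def triage_text(text: str) -> List[Finding]:
    """Parse and triage a whole log excerpt in one call."""
    return triage(parse_w3c(text))


if __name__ == "__main__":
    for event_id, ip, reason in triage_text(SAMPLE_LOG):
        print(f"Event {event_id} candidate from {ip}: {reason}")
```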
Event ID: 13
The Network Device Enrollment Service cannot encrypt the response to a client request (%ErrorCode). %ErrorMessage
The computer running the Network Device Enrollment Service may be low on physical memory, or the event description may contain a more specific error code to help diagnose the issue.
Check resources on the enrollment service computer. Also, check the IIS logs for errors and warnings that may provide more information.
Otherwise, enable Microsoft-Windows-CAPI2/Diagnostics in the Windows Event Viewer. Re-run the operation and examine the logged CAPI2 diagnostics entries.
Event ID: 14
The Network Device Enrollment Service cannot sign the response to a client request (%ErrorCode). %ErrorMessage
Event ID: 15
The Network Device Enrollment Service cannot convert encoded portions of the client's http message, or the converted message is larger than 64K (%ErrorCode). %ErrorMessage
Check the IIS log to find out what query string was submitted.
Otherwise, enable CAPI2 diagnostics and, if possible, reproduce the error.
Event ID: 16
The Network Device Enrollment Service cannot decode the http message from the client (%ErrorCode). %ErrorMessage
Event ID: 17
The Network Device Enrollment Service cannot retrieve required information, such as the transaction ID, message type, or signing certificate, from the client's PKCS7 message (%ErrorCode). %ErrorMessage
Event ID: 18
The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (%ErrorCode). %ErrorMessage
Event ID: 19
The Network Device Enrollment Service failed trying to retrieve a certificate from the CA. Verify that the CA service is running. Use the Certification Authority MMC to verify that the Network Device Enrollment Service account has Read permissions on the CA service. Verify that the serial number specified in the GETCERT request is correct, and that the CA service has successfully created a certificate with the specified serial number (%ErrorCode). %ErrorMessage
Event ID: 23
The Network Device Enrollment Service cannot complete the PKCS7 request. (%ErrorCode). %ErrorMessage
Ensure that the CA is available and Certificate Services is running on the CA (certutil -ping on CA).
Ensure that the Network Device Enrollment Service can connect to the CA.
Ensure that the enrollment service has Read and Enroll permissions on the certificate template(s) configured for device enrollment. [These will be the templates identified in the registry entries "SignatureTemplate", "EncryptionTemplate", and "GeneralPurposeTemplate" under the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\" on the enrollment service computer; otherwise, the default is the "IPSec (Offline Request)" template.]
Resolve any specific errors identified in the event description, as well as any connectivity or permissions problems identified previously, and try to resubmit the request.
Event ID: 24
The Network Device Enrollment Service cannot find the issuer name or serial number in the client's PKCS7 message. (%ErrorCode). %ErrorMessage
Event ID: 25
The Network Device Enrollment Service cannot locate a valid certificate request ID that matches the transaction ID in the client's PKCS7 message. (%ErrorCode). %ErrorMessage
Event ID: 26
The Network Device Enrollment Service was not able to query the Certification Authority (CA) for a previously submitted device certificate request. Verify that the CA service is running and that the Network Device Enrollment Service account has Read permissions on the CA service. Use the Certification Authority MMC to verify the permissions on the CA service. The error returned was (%ErrorCode). %ErrorMessage
Follow the troubleshooting steps identified in the error message.
Ensure that the CA is available and Certificate Services is running on the CA, for example, by executing the command "certutil -ping" at the command line on the CA.
Use the Certification Authority MMC to verify the Network Device Enrollment Service account has Read permissions on the CA service.
Otherwise, resolve any specific errors identified in the event description and try to resubmit the request.
Event ID: 28
Windows 2008 text: The Network Device Enrollment Service cannot locate a required password in the certificate request.
Windows 2008 R2 text: The Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name.
Check the device configuration to ensure that the password is being submitted as part of the request.
Use certutil to check whether the Public PKCS7 package from the client is valid (certutil -v p7request.txt, where p7request.txt is a file in which the query string is captured).
Event ID: 29
The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.
Check the device configuration to ensure that the correct password is being submitted as part of the request.
Event ID: 30
The Network Device Enrollment Service cannot add an alternative subject name extension to the certificate request (%ErrorCode). %ErrorMessage
Event ID: 31
The Network Device Enrollment Service cannot submit the certificate request (%ErrorCode). %ErrorMessage
Ensure that the enrollment service has Read and Enroll permissions on the certificate template(s) configured for device enrollment. (These will be the templates identified in the registry entries "SignatureTemplate", "EncryptionTemplate", and "GeneralPurposeTemplate" under the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\" on the enrollment service computer; otherwise, the default "IPSec (Offline Request)" template will be used).
Event ID: 32
The Network Device Enrollment Service cannot retrieve the certificate identified by this request ID (%ErrorCode). %ErrorMessage
Event ID: 33
The Network Device Enrollment Service failed to cache this certificate ID and transaction ID (%ErrorCode). %ErrorMessage
Event ID: 34
At least one of the certificates for the Network Device Enrollment Service has expired. Verify that both the encryption and signing certificates are valid and restart the service.
Event ID: 35
At least one of the certificates for the Network Device Enrollment Service will expire soon. Check the validity period for both the encryption and signing certificates. Renew any certificates that are nearing the end of their validity period and restart the service.
This event is of type "error", but it can be treated as a warning. As indicated in the event description, the Network Device Enrollment Service's key exchange (encryption) and/or enrollment agent (signing) certificates are near the end of their validity period and are at risk of expiring.
Event ID: 36
The Network Device Enrollment Service failed while attempting to write the header portion of an http response (%ErrorCode). %ErrorMessage
EVENT_SCEP_SERVER_SUPPORT
Event ID: 37
The Network Device Enrollment Service failed while attempting to write the data portion of an http response (%ErrorCode). %ErrorMessage
Event ID: 38
The Network Device Enrollment Service detected an invalid message type in the client's PKCS7 message.
Check the device configuration to ensure that the correct message type is being submitted as part of the request.
Event ID: 39
The Network Device Enrollment Service cannot find key usage information in the certificate request and will use both the Signature and Exchange key usages.
Check the device configuration to ensure that the correct key usage information is being submitted as part of the request.
Event ID: 41
The Network Device Enrollment Service cannot issue a password because the requester is not an administrator on the Certification Authority.
Event ID: 42
The Network Device Enrollment Service cannot decode an X509 certificate request.
Event ID: 43
This password has already been used to request a (%KeyUsage) certificate. Only one signing certificate and one exchange certificate can be issued per password. Obtain a new password to use with this request, or create a new request with a different key usage and the same password, and then try again.
Event ID: 44
The Network Device Enrollment Service cannot obtain the CRL for key (%KeyID) from the Certification Authority. Verify that the CA service is running, the Network Device Enrollment Service account has Read permissions on the CA service, and the CA service has successfully created the latest CRL. Use the Certification Authority MMC to verify the permissions on the CA service. Use the command Certutil -config "%ConfigString" -cainfo crl %KeyID to verify that the CA service has created the latest CRL. The error returned was (%ErrorCode). %ErrorString.
Event ID: 45
The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any CA certificate. Verify that the device request contains the correct CA certificate information, and then resubmit the request.
Event ID: 46
The Network Device Enrollment Service failed to load the hash algorithm specified at location %RegistryLocation. Use the command "certutil -v -csplist" to verify that the computer on which the Network Device Enrollment Service is installed supports the hash algorithm specified. Near the end of the command output, look for the section labeled "Hash Algorithms". If the algorithm specified in the registry is not listed, configure a different hash algorithm in the registry. The error returned was (%ErrorCode). %ErrorMessage
Event ID: 49
The Network Device Enrollment Service has failed to decrypt the encrypted password or the decrypted password's length doesn't match the one configured in the registry. To fix this, delete the EncryptedPassword entry in the registry.
EVENT_MSCEP_FAILED_DECRYPT_PASSWORD
Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 51
The Network Device Enrollment Service cannot create or modify the registry key "%1"; Grant Read and Write permissions on the registry key "%2"; to the account that the Network Device Enrollment Service is running as.
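The events above fall into a few operational groups (RA certificate expiry, challenge-password problems, CA connectivity, malformed requests, service configuration). The following PowerShell is an added example, not part of the original article, that pulls recent NDES events off the server and reports them by group; it assumes the service logs to the Application log under the provider name shown above, that it runs on the NDES server with rights to read that log, and that the RA certificates can be recognised by their "CEP Encryption" and "Certificate Request Agent" EKU friendly names.

```powershell
# Added example: triage recent NDES events by the categories discussed above.
# Assumptions: NDES writes to the Application log; run on the NDES server.
param(
    [int]$Hours = 24,
    [string]$LogName = 'Application'
)

# Event IDs grouped by what an operator should do about them.
$Categories = [ordered]@{
    'RA certificate expiry (renew and restart)' = 34, 35
    'Challenge password missing, reused or refused' = 28, 29, 41, 43
    'CA connectivity or permissions'            = 23, 26, 31, 32, 44, 45
    'Malformed or unexpected client request'    = 24, 25, 30, 38, 39, 42
    'Service configuration (registry, hash algorithm)' = 46, 49, 51
}

$filter = @{
    LogName      = $LogName
    ProviderName = 'Microsoft-Windows-NetworkDeviceEnrollmentService'
    Id           = [int[]]($Categories.Values | ForEach-Object { $_ })
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

foreach ($name in $Categories.Keys) {
    $ids  = $Categories[$name]
    $hits = @($events | Where-Object { $ids -contains $_.Id })
    if ($hits.Count -eq 0) { continue }
    "{0}: {1} event(s)" -f $name, $hits.Count
    $hits | Group-Object Id | ForEach-Object {
        # First line of the message is the human-readable summary.
        "  Event {0} x{1}: {2}" -f $_.Name, $_.Count,
            ($_.Group[0].Message -split "`n")[0]
    }
}

# Event 35 only warns; confirm the RA certificates' remaining lifetime directly
# from the machine store (assumption: EKU friendly names identify them).
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.FriendlyName -match 'CEP Encryption|Certificate Request Agent'
} | Select-Object Subject, NotAfter,
    @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
```

A burst of events 29 or 43 within a short window is worth correlating with the IIS log for the NDES virtual directory, since the NDES events themselves do not record the client address.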
MSCEP is available for previous versions of Windows through the appropriate resource kit for that version. After installing the resource kit, start the cepsetup.exe application. This setup application will guide you through the required configuration for setting up MSCEP.
The following features are included in Windows Server 2008 and were not implemented in previous releases.
The following script can be used to set default values to all the registry keys that the service uses.
To run the script
Windows Registry Editor Version 5.00

; Templates NDES requests on behalf of devices; when these values are absent
; the service falls back to the "IPSec (Offline Request)" template.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP]
"SignatureTemplate"="IPSECIntermediateOffline"
"EncryptionTemplate"="IPSECIntermediateOffline"
"GeneralPurposeTemplate"="IPSECIntermediateOffline"

; 1 = every request must carry a valid challenge password
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword]
"EnforcePassword"=dword:00000001

; Refresh period in days
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Refresh]
"RefreshPeriod"=dword:00000007

; Minutes a pending request is cached (0x14 = 20)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\CacheRequest]
"CacheRequest"=dword:00000014

; Maximum number of unused passwords cached at one time
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\PasswordMax]
"PasswordMax"=dword:00000005

; Minutes an issued password remains valid (0x3c = 60)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\PasswordValidity]
"PasswordValidity"=dword:0000003c

; Length in characters of a generated password
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\PasswordLength]
"PasswordLength"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\HashAlgorithm]
"HashAlgorithm"="SHA1"

; 0 = a fresh password per request; 1 = one static password shared by all devices
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword]
"UseSinglePassword"=dword:00000000
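The defaults above are the baseline a reviewer should compare a live server against: a password-enforcement value of 0, a single shared password, a short password length, or a long validity window all widen who can obtain a device certificate. The PowerShell below is an added example, not part of the original article, that reads the live MSCEP keys and flags those settings; it assumes it runs on the NDES server with read access to HKLM, and that an absent value means the service default applies.

```powershell
# Added example: audit the live NDES registry settings against the defaults
# in the script above. Assumptions: run on the NDES server with read access
# to HKLM; a missing key or value means the service default is in effect.
$Base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-MscepValue {
    param([string]$SubKey, [string]$Name, $Default)
    $path = if ($SubKey) { Join-Path $Base $SubKey } else { $Base }
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # absent: service default applies
    return $item.$Name
}

$findings = @()

$enforce = Get-MscepValue 'EnforcePassword' 'EnforcePassword' 1
if ($enforce -eq 0) {
    $findings += 'EnforcePassword=0: requests are accepted without a challenge password'
}

$single = Get-MscepValue 'UseSinglePassword' 'UseSinglePassword' 0
if ($single -eq 1) {
    $findings += 'UseSinglePassword=1: one static password is shared by every device'
}

$len = Get-MscepValue 'PasswordLength' 'PasswordLength' 8
if ($len -lt 8) {
    $findings += "PasswordLength=$len: shorter than the default of 8 characters"
}

$validity = Get-MscepValue 'PasswordValidity' 'PasswordValidity' 60
if ($validity -gt 60) {
    $findings += "PasswordValidity=$validity minutes: longer than the 60-minute default"
}

$hash = Get-MscepValue 'HashAlgorithm' 'HashAlgorithm' 'SHA1'
if ($hash -eq 'SHA1') {
    $findings += 'HashAlgorithm=SHA1: prefer SHA256 where the CA and devices support it'
}

# The templates granted to NDES define what any device holding a password can obtain.
foreach ($t in 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate') {
    "{0} = {1}" -f $t, (Get-MscepValue '' $t 'IPSECIntermediateOffline')
}

if ($findings.Count -eq 0) { 'No weak NDES password or hash settings found.' }
else { $findings | ForEach-Object { "WEAK: $_" } }
```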