Channel: Security forum

Windows SCEP; No mapping between account names and security IDs was done.


I have a Windows CA set up on Windows Server 2016. It's an Enterprise CA with CEWS running as a managed service account.

Additionally, on the same server, SCEP is running with another managed service account. The account has full control of the two MSCEP private keys, and Read and Enroll permissions on the IPSec (Offline request) certificate template.

When requesting a certificate via NDES, I receive the following error:

The Network Device Enrollment Service cannot submit the certificate request (0x80070534). No mapping between account names and security IDs was done.

I've followed the steps in the wiki, but nothing changed.

--------------------------------------

Event ID: 31

The Network Device Enrollment Service cannot submit the certificate request (%ErrorCode). %ErrorMessage

Internal Name: EVENT_MSCEP_FAIL_SUBMIT

Source: Microsoft-Windows-NetworkDeviceEnrollmentService

Description: The Network Device Enrollment Service failed while submitting a certificate request on behalf of a client device.

Diagnose: Note the error code and error message included in the event description.

Ensure that the CA is available and Certificate Services is running on the CA (certutil -ping on CA).

Ensure that the Network Device Enrollment Service can connect to the CA.

Ensure that the enrollment service has Read and Enroll permissions on the certificate template(s) configured for device enrollment. (These will be the templates identified in the registry entries "SignatureTemplate", "EncryptionTemplate", and "GeneralPurposeTemplate" under the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\" on the enrollment service computer; otherwise, the default "IPSec (Offline Request)" template will be used).

Otherwise, your computer may be low on physical memory.

Resolve: Resolve any specific errors identified in the event description, as well as any connectivity or permissions problems identified previously, and try to resubmit the request.

--------------------------------------

Anybody have any more ideas?
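
The Event ID 31 checklist quoted above, scripted as an added PowerShell example (not part of the original post or of the wiki text it quotes). It also resolves every SID on each template ACL back to an account name, because 0x80070534 is the HRESULT form of Win32 error 1332, ERROR_NONE_MAPPED. Assumptions not taken from the page: the directory name `IPSECIntermediateOffline` for the default "IPSec (Offline request)" template and the GUID of the Enroll extended right.

```powershell
# Added example: run in an elevated PowerShell session on the NDES server.
$mscepKey   = 'HKLM:\Software\Microsoft\Cryptography\MSCEP'
$valueNames = 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate'
# Assumption: GUID of the Certificate-Enrollment ("Enroll") extended right in AD.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Step 1: CA available and Certificate Services running.
certutil -ping | Out-Host
if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -ping failed with exit code $LASTEXITCODE" }

# Step 2: templates NDES is configured to request.
$props     = Get-ItemProperty -Path $mscepKey -ErrorAction SilentlyContinue
$templates = @($valueNames | ForEach-Object { $props.$_ } | Where-Object { $_ } | Sort-Object -Unique)
if ($templates.Count -eq 0) {
    # Assumption: CN of the default "IPSec (Offline request)" template.
    $templates = @('IPSECIntermediateOffline')
}

# Step 3: ACL of each template, with every SID resolved back to an account name.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
foreach ($name in $templates) {
    $dn = "CN=$name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    if (-not [ADSI]::Exists("LDAP://$dn")) {
        Write-Warning "Template '$name' not found in the configuration partition"
        continue
    }
    $tpl   = [ADSI]"LDAP://$dn"
    $rules = $tpl.psbase.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        try   { $account = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '<SID does not map to an account>' }
        [pscustomobject]@{
            Template = $name
            Sid      = $rule.IdentityReference.Value
            Account  = $account
            Type     = $rule.AccessControlType
            Rights   = $rule.ActiveDirectoryRights
            Enroll   = ($rule.ObjectType -eq $enrollGuid)   # ACE names the Enroll right
        }
    }
}
```

Rows whose Account column shows the unmapped marker are ACL entries for SIDs that no longer resolve; rows for the NDES service account should show an Allow entry with read rights plus one with Enroll set to True.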

