Hi,
I’ve a 2012 R2 CA which is running very nicely. I’m now trying to install NDES on a separate server (also 2012 R2) but when I run the Install-AdcsNetworkDeviceEnrollmentService cmdlet I have two principal problems.
Problem 1
The NDES installation triggers a restart of the CA, with the following error in the event log on the CA:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{D99E6E73-FC88-11D0-B498-00A0C90312F3} and APPID {D99E6E74-FC88-11D0-B498-00A0C90312F3}
to the user MYDOMAIN\sysmanager SID (S-1-5-21-3632170022-1329408639-436904516-1004) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
I have not made any changes to permissions on the CA over and above those configured on the Certification Authority snap-in itself. I even tried running the Install-AdcsNetworkDeviceEnrollmentService cmdlet on the CA itself (rather than the separate server) and I got the same result. I've checked that the NDES service account I'm specifying has rights on the relevant templates, etc. - I even went mad and put the service account into DA and EA groups just to eliminate any obvious permissions issues. Note: I've followed the various guides for NDES on the (excellent) PKI document reference and library wiki on TechNet.
Problem 2
Following the CA restart, the NDES installation appears to continue but then fails because it can’t enrol for the EnrollmentAgentOffline certificate – it errors with:
The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID_POLICY)
AdditionalInformation Error Constructing or Publishing Certificate
I’m pretty sure this is because I have expressed issuance policies on the CA, and these issuance policies are not configured on the two certificate templates (Exchange Enrollment Agent and CEP Encryption) – and because these two templates are v1 I don’t know how I can remedy this.
So, if anyone can give any advice for moving forward with either of the two problems I’d be most grateful. I’ve a hunch that the first problem, whilst seemingly nasty, may allow me, following a CA restart, to continue with the install; then I’ve just got the Issuance Policy problem to tackle.
Regards, Chipeater
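Two checks that narrow down each problem before anything is changed, as an added diagnostic script (not from Chipeater's post and not Microsoft's own tooling). For Problem 1 it decodes the DCOM launch ACL that actually applies to the quoted APPID (the per-AppID LaunchPermission value, or the machine-wide default when none is set) so you can see whether the account, or a group it belongs to, holds Local Launch and Local Activation. For Problem 2 it reads the issuance policies asserted in the CA certificate published in AD and compares them with the msPKI-Certificate-Policy attribute of the two templates. Assumptions: it runs in an elevated session on the CA with the ActiveDirectory module available; the template common names EnrollmentAgentOffline and CEPEncryption are used for the two templates named in the post; the CA common name is a placeholder to replace.

```powershell
# Added diagnostic script, not part of the original post.
# Assumes: elevated PowerShell on the CA, ActiveDirectory module present.

# --- Problem 1: who may Local Launch / Local Activate the COM server? ---

# DCOM access-mask bits (COM SDK values)
$ComRights = @{
    1  = 'COM_RIGHTS_EXECUTE'
    2  = 'COM_RIGHTS_EXECUTE_LOCAL'    # shown as "Local Launch" in dcomcnfg
    4  = 'COM_RIGHTS_EXECUTE_REMOTE'
    8  = 'COM_RIGHTS_ACTIVATE_LOCAL'   # shown as "Local Activation"
    16 = 'COM_RIGHTS_ACTIVATE_REMOTE'
}

function Get-DcomLaunchPermission {
    param([Parameter(Mandatory)][string]$AppId)

    $key   = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $bytes = $props.LaunchPermission
    if (-not $bytes) {
        # No per-AppID ACL: the machine-wide default launch permission applies.
        $bytes  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultLaunchPermission
        $source = 'Machine default (HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission)'
    } else {
        $source = "AppID $AppId ($($props.'(default)'))"
    }

    # LaunchPermission is a self-relative security descriptor in REG_BINARY form.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $account = $ace.SecurityIdentifier.Value
        try { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        $rights = $ComRights.Keys | Sort-Object | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $ComRights[$_] }
        [pscustomobject]@{
            Source  = $source
            Type    = $ace.AceType        # AccessAllowed / AccessDenied
            Account = $account
            Rights  = ($rights -join ', ')
        }
    }
}

# --- Problem 2: do the two v1 templates carry the CA's issuance policies? ---

function Compare-TemplatePolicyWithCa {
    param(
        [Parameter(Mandatory)][string]$CaCommonName,
        [string[]]$TemplateName = @('EnrollmentAgentOffline', 'CEPEncryption')
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $config = (Get-ADRootDSE).configurationNamingContext
    $pks    = "CN=Public Key Services,CN=Services,$config"

    # Certificate Policies extension (OID 2.5.29.32) of the CA certificate published in AD.
    $caObj  = Get-ADObject -Identity "CN=$CaCommonName,CN=Enrollment Services,$pks" -Properties cACertificate
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(, [byte[]]$caObj.cACertificate[0])
    $polExt = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    # Format() renders "Policy Identifier=<oid>"; Windows substitutes a friendly name where it knows one.
    $caPolicies = @()
    if ($polExt) {
        $caPolicies = [regex]::Matches($polExt.Format($true), '(?m)Policy Identifier=(.+?)\s*$') |
                      ForEach-Object { $_.Groups[1].Value }
    }

    foreach ($t in $TemplateName) {
        $tmpl = Get-ADObject -Identity "CN=$t,CN=Certificate Templates,$pks" `
                             -Properties msPKI-Certificate-Policy, msPKI-Template-Schema-Version
        $tmplPolicies = @($tmpl.'msPKI-Certificate-Policy')
        [pscustomobject]@{
            Template            = $t
            SchemaVersion       = $tmpl.'msPKI-Template-Schema-Version'
            TemplatePolicies    = ($tmplPolicies -join ', ')
            CaPolicies          = ($caPolicies -join ', ')
            MissingFromTemplate = (($caPolicies | Where-Object { $tmplPolicies -notcontains $_ }) -join ', ')
        }
    }
}

# Usage: APPID taken from the event-log text in the post; CA name is a placeholder.
Get-DcomLaunchPermission -AppId '{D99E6E74-FC88-11D0-B498-00A0C90312F3}' | Format-Table -AutoSize
Compare-TemplatePolicyWithCa -CaCommonName 'REPLACE-WITH-CA-COMMON-NAME' | Format-List
```

If the first table lists neither the service account nor any group it is a member of with COM_RIGHTS_EXECUTE_LOCAL and COM_RIGHTS_ACTIVATE_LOCAL, that matches the event-log text quoted above and the fix belongs in the Launch and Activation Permissions of that AppID in Component Services rather than in the CA snap-in or template ACLs. In the second output, a non-empty MissingFromTemplate column alongside SchemaVersion 1 confirms the mismatch Chipeater suspects between the CA certificate's issuance policies and the two v1 templates.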