
Cannot get NDES working on Server 2012 R2 at all.


I absolutely cannot get this to work. I simply cannot figure out what I am either doing wrong or missing.

Neither site works and in the event log I get the following:
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057).
The Network Device Enrollment Service cannot be started (0x80070057).

It seems like I've read every site on this and tried everything but simply can't make it work. I have not tried on 2008 R2. Below is what I have done; if someone can help me I would be grateful.

-I tried adding more permissions than needed on local machine certs, templates, and at domain level as well.
-Tried the http://support.microsoft.com/kb/2800975 fix, where you move the ExtensionlessUrlHandler-ISAPI-4.0_64bit below the static file handler.
-I tried using and not using "Load User Profile" in IIS for the SCEP pool.
-Both the ndesservice account and admin account have full control on everything.
-I also tried leaving the default settings in the registry for the templates.


This is the NDES log output when turned on:

========================================================================
402.534.948: Begin: 7/23/2014 4:01 PM 32.507s
402.539.0: taskhost.exe
402.543.0: GMT - 5.00
2005.220.0: certca.dll: 6.3:9600.16384 retail
2005.220.0: certenroll.dll: 6.3:9600.16384 retail
2004.621.0:<2014/7/23, 16:01:32>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
2004.642.0:<2014/7/23, 16:01:32>: 0x80070006 (WIN32: 6 ERROR_INVALID_HANDLE)
402.379.949: End: 7/23/2014 4:01 PM 32.585s

402.534.948: Begin: 7/24/2014 2:31 PM 03.904s
402.539.0: taskhost.exe
402.543.0: GMT - 5.00
2005.220.0: certca.dll: 6.3:9600.16384 retail
2005.220.0: certenroll.dll: 6.3:9600.16384 retail
2004.621.0:<2014/7/24, 14:31:3>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
2004.642.0:<2014/7/24, 14:31:6>: 0x80070006 (WIN32: 6 ERROR_INVALID_HANDLE)
402.379.949: End: 7/24/2014 2:31 PM 06.122s


EVENT LOG

HTTP Error 500.0 - Internal Server Error
Detailed Error Information:
Module   IsapiModule
Notification   ExecuteRequestHandler

Handler   ISAPI-dll     Error Code   0x80070057
Requested URL
   http://localhost:80/certsrv/mscep_admin/mscep.dll

Physical Path
   C:\Windows\system32\CertSrv\mscep\mscep.dll

Logon Method   Negotiate
Logon User   FARAWAY\NdesService


INSTALL STEPS
SETUP DOMAIN ACCTS:
Created Domain acct ndesservice (added to ndes server admin group and IIS group)
Created Domain acct ndesadmin (added to Enterprise Admins and ndes server admin group)


Ndes Server Profile Added
-Logged on as ndesservice account so profile is created on ndes server


DOMAIN CA (Server 2008 r2)
-Applied kb2483564 to 2008 r2 domain CA
-Duplicated the Exchange Enrollment Agent (Offline request), CEP Encryption, and IPSec (Offline request) templates
 Added ndesservice, ndesadmin, and the ndes server with Read and Enroll on all three
-All three template copies prefixed with ndes
-Issued Certs
-CA properties (added ndesservice account and ndes machine acct read and request)
-Added ndesservice account to local admin group


Set SPN for ndesservice domain account
-setspn -s http/gimli.faraway.com faraway\NdesService


NDES SERVER (Server 2012 R2)
Installed NDES under the CA role using the ndesadmin account (member of Enterprise Admins group)
-Added Request Filtering in IIS (tried with adding and without)
-Added .NET Extensibility options (tried with adding and without)


Post Deployment on NDES Server
-set creds to configure role services to faraway\ndesadmin
-Set service account to faraway\ndesservice
-Set ca to pippin.faraway.com\farway (it picked this up automatically)
-Entered cert info, left keys at default of 2048


NDES Server Registry changes
-HKLM\Software\Microsoft\Cryptography\MSCEP (changed templates from the default of IPSECIntermediateOffline to NDESIPSECIntermediateOffline;
 also tried the template name NDESIPSec(Offlinerequest) from the copy)
-Added faraway\ndesservice account full control of MSCEP and below
-HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword (changed from 1 to 0)


NDES Server IIS Application Pool Identity
-IIS SCEP App pool set Load User profile from false to true

NDES Server Certificates
There were two certs created in the machine's personal store when the role was installed. I don't think I am supposed to do anything here other than add permissions?
-Added ndesservice account and machine account with full control

Both the CA and NDES server have been restarted multiple times. Am I doing this right and missing something in IIS 8.5? I hope I provided enough info.
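The post above touches four settings that NDES depends on (the MSCEP template names in the registry, the challenge-password flag, the SCEP application pool identity and "Load User Profile", and the two RA certificates in the machine store) plus the SPN. The following script is an added example, not code from the original post, that reads each of those from the NDES server so they can be compared side by side; the service account name FARAWAY\NdesService and the "SCEP" pool name are taken from the post, and the "-MSCEP-RA" subject suffix used to find the RA certificates is an assumption about the default NDES naming.

```powershell
# Added NDES configuration check (not from the original post). Run in an
# elevated PowerShell on the NDES server (Server 2012 R2).
$ServiceAccount = 'FARAWAY\NdesService'   # from the post; adjust if different

# 1. Template names NDES requests from the CA. These must be template *names*
#    (not display names) that the CA actually publishes, and the service
#    account needs Read + Enroll on each of them.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
Write-Host '== MSCEP templates =='
Get-ItemProperty -Path $mscep |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate |
    Format-List

# 2. Challenge-password enforcement (1 = password required, 0 = disabled, as in the post).
Write-Host '== EnforcePassword =='
(Get-ItemProperty -Path "$mscep\EnforcePassword" -Name EnforcePassword).EnforcePassword

# 3. SCEP application pool: should run as the service account with
#    Load User Profile = True so mscep.dll can reach that account's key store.
Import-Module WebAdministration
$pool = Get-Item 'IIS:\AppPools\SCEP'
Write-Host '== SCEP application pool =='
[pscustomobject]@{
    IdentityType    = $pool.processModel.identityType
    UserName        = $pool.processModel.userName
    LoadUserProfile = $pool.processModel.loadUserProfile
    State           = $pool.state
} | Format-List

# 4. The two RA certificates NDES enrolled at install time (from the Exchange
#    Enrollment Agent (Offline request) and CEP Encryption templates). They
#    must be present, unexpired, and have a private key the service account
#    can read ("Manage Private Keys" in certlm.msc). Matching on the
#    "-MSCEP-RA" subject suffix is an assumption about NDES's default naming.
Write-Host '== NDES RA certificates in LocalMachine\My =='
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'MSCEP-RA' } |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            EKU           = ($_.EnhancedKeyUsageList.FriendlyName -join ', ')
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            Thumbprint    = $_.Thumbprint
        }
    } | Format-List

# 5. The HTTP SPN from the post must be registered on the service account
#    (and on nothing else) for Negotiate logon to the site to work.
Write-Host "== SPNs registered on $ServiceAccount =="
setspn -L $ServiceAccount
```

Empty template values in step 1, a pool identity that is not the service account in step 3, or fewer than two certificates in step 4 are the points to compare against the install steps listed above.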

