I built a two tier PKI in my test lab at work, one offline root CA (Windows 2012R2) and one Enterprise CA (Windows 2016, domain member of a 2016 AD). The Enterprise CA is issuing certificates to domain members with no problems. Next, I deployed an NDES server (Windows Server 2016) and the install goes without error. However, when I try to go the NDES admin page (http://localhost/certsrv/mscep_admin) I get "HTTP Error 500.0 - Internal Server Error
Looking at the Application log on the NDES server, get the following pair of event ID's:
- Event ID 2: The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect
- Event ID 10: The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
I've been t-shooting this issue for a week, and have tried everything I can find on Google to resolve this issue. I've even gone so far as to decommission the NDES server and install the NDES role directly on Enterprise CA server itself (not best practice, but it's a test lab so I'm not really concerned about that). I've done the following and more to resolve this issue:
- Verified service account has enrollment permissions on the CA and has full permissions on the CEP Encryption and Exchange Enrollment Agent (Offline request) templates
- Verified that the CA issued the Exchange Enrollment and CEP Encryption certificates
- Verified that the Exchange Enrollment and CEP Encryption certificates are in the local personal certificate store of the server, and that the service account has full rights to the private keys
- Verified that the service account is a member of the local IIS_IUSR group and has local admin rights
- Verified that the service account is configured in the SCEP application pool identity setting and that the load profile option is set to true. Log on to the server with the service to verify it had a profile
- Even though I'm not issuing Delta CRL's, enabled doublespacing on the IIS server hosting the virtual directory of the CRLs
- Verified the time on all of the servers
- Verified that the CRL CDP is accessible by the service account and from the server. Doublechecked that the CRL location is specified in the certificates issued
I've been at this for over a week and I'm not sure what else to do, short of completely rebuilding my PKI. I'm definitely not an expert on PKI, but I've deployed NDES a few time before in the past without any problems.
Any advice would be greatly appreciated from anyone who is far smarter than me on these matters. Thanks in advance