troubleshooting Question

Cannot Get Windows Server 2016 NDES Service to Start

Avatar of Gerald Wynn
Gerald WynnFlag for United States of America asked on
Windows Server 2016* Public Key Infrastructure (PKI)* ADCSWindows 10Azure
2 Comments1 Solution23 ViewsLast Modified:
I built a two tier PKI in my test lab at work, one offline root CA (Windows 2012R2) and one Enterprise CA (Windows 2016, domain member of a 2016 AD).  The Enterprise CA is issuing certificates to domain members with no problems.  Next, I deployed an NDES server (Windows Server 2016) and the install goes without error.  However, when I try to go the NDES admin page (http://localhost/certsrv/mscep_admin) I get "HTTP Error 500.0 - Internal Server Error".  Looking at the Application log on the NDES server, get the following pair of event ID's:
  • Event ID 2: The Network Device Enrollment Service cannot be started (0x80070057).  The parameter is incorrect
  • Event ID 10: The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057).  The parameter is incorrect.
 I've been t-shooting this issue for a week, and have tried everything I can find on Google to resolve this issue.  I've even gone so far as to decommission the NDES server and install the NDES role directly on Enterprise CA server itself (not best practice, but it's a test lab so I'm not really concerned about that).  I've done the following and more to resolve this issue:
  • Verified service account has enrollment permissions on the CA and has full permissions on the CEP Encryption and Exchange Enrollment Agent (Offline request) templates
  • Verified that the CA issued the Exchange Enrollment and CEP Encryption certificates
  • Verified that the Exchange Enrollment and CEP Encryption certificates are in the local personal certificate store of the server, and that the service account has full rights to the private keys
  • Verified that the service account is a member of the local IIS_IUSR group and has local admin rights
  • Verified that the service account is configured in the SCEP application pool identity setting and that the load profile option is set to true.  Log on to the server with the service to verify it had a profile
  • Even though I'm not issuing Delta CRL's, enabled doublespacing on the IIS server hosting the virtual directory of the CRLs
  • Verified the time on all of the servers
  • Verified that the CRL CDP is accessible by the service account and from the server.  Doublechecked that the CRL location is specified in the certificates issued

I've been at this for over a week and I'm not sure what else to do, short of completely rebuilding my PKI.  I'm definitely not an expert on PKI, but I've deployed NDES a few time before in the past without any problems.  

Any advice would be greatly appreciated from anyone who is far smarter than me on these matters.  Thanks in advance

ASKER CERTIFIED SOLUTION
Gerald Wynn
Systems Engineer

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 2 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 2 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros