B - a technology trainer
I am trying to get NDES working on Windows Server 2016. I have followed the configuration in the much-referenced TechNet NDES Configuration article (Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES)), but I continue to receive "The Network Device Enrollment Service cannot submit the certificate request (0x80070005). Access is denied."
I am using an Enterprise CA with the NDES installed on a separate Server 2016 installation.
When installing the NDES, my NdesInstaller account was a member of the Enterprise Admins account when I configured it. My NdesService account is part of the IIS_IUSRS group, has "Log on as a service" and "Log on locally" enabled, has Request permissions on the CA, has Read, Enroll, and AutoEnroll on all templates that support it, has an SPN registered, and has IIS Kernel Mode disabled on the two different sites /certsrv/mscep/ and /certsrv/mscep_admin/. The application pool is running under the DOMAIN\NdesService login.
I can open the /CertSrv/mscep/ site fine from any browser and it runs great. When I open the /CertSrv/mscep_admin page it fails when I provide credentials unless I open the browser to "run as administrator" and then it opens the page correctly and I can see the Enrollment Challenge Password and the CA Certificate thumbprint.
When I open the IIS logs in %systemdrive%\inetpub\logs\LogFiles\W3SVC1\ I can see the following codes (IPs have been changed to {NDES} for the NDES server IP and {REQUESTOR} for the program that requests the certificate):
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-07-23 15:41:57
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-07-23 15:41:57 {NDES} GET /CertSrv/mscep_admin/ - 80 - {REQUESTOR} - - 401 2 5 320
2020-07-23 15:41:57 {NDES} GET /CertSrv/mscep_admin/ - 80 - {REQUESTOR} - - 401 1 2148074254 15
2020-07-23 15:41:57 {NDES} GET /CertSrv/mscep_admin/ - 80 DOMAIN\ndesservice {REQUESTOR} - - 200 0 0 677
2020-07-23 15:41:57 {NDES} GET /CertSrv/mscep/ operation=GetCACert&message=ignore 80 - {REQUESTOR} - - 200 0 0 31
2020-07-23 15:41:58 {NDES} GET /CertSrv/mscep/ ... 80 - {REQUESTOR} - - 200 0 0 46
I am at a loss. I have tried a lot of different options to get this working. Any help here is greatly appreciated.
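To make the IIS log sequence quoted above easier to read, here is an added Python example (not from the original post, nor Microsoft code) that parses W3C-format lines using the #Fields directive and classifies each client's requests to a URI as a completed authentication (401 challenges followed by a 200), an unfinished one (ending in 401), or anonymous access. The sample log and the 192.0.2.x addresses are constructed for the example.

```python
# Added example, not from the original post: group IIS W3C log lines into
# per-client authentication sequences. The pattern in the post (401.2 with
# win32 status 5 while no credentials are sent, 401.1 while the client answers
# the challenge, then 200) is a completed handshake, not the failure itself.
from collections import defaultdict

# Constructed sample modelled on the post's log (192.0.2.x are documentation addresses).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-07-23 15:41:57 192.0.2.10 GET /CertSrv/mscep_admin/ - 80 - 192.0.2.20 - - 401 2 5 320
2020-07-23 15:41:57 192.0.2.10 GET /CertSrv/mscep_admin/ - 80 - 192.0.2.20 - - 401 1 2148074254 15
2020-07-23 15:41:57 192.0.2.10 GET /CertSrv/mscep_admin/ - 80 DOMAIN\\ndesservice 192.0.2.20 - - 200 0 0 677
2020-07-23 15:41:57 192.0.2.10 GET /CertSrv/mscep/ operation=GetCACert&message=ignore 80 - 192.0.2.20 - - 200 0 0 31
2020-07-23 15:42:05 192.0.2.10 GET /CertSrv/mscep_admin/ - 80 - 192.0.2.30 - - 401 2 5 12
2020-07-23 15:42:05 192.0.2.10 GET /CertSrv/mscep_admin/ - 80 - 192.0.2.30 - - 401 1 2148074254 9
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names apply to the lines that follow
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def auth_outcomes(text):
    """Map (client IP, URI) -> (outcome, last logged username)."""
    sequences = defaultdict(list)
    for req in parse_w3c(text):
        sequences[(req["c-ip"], req["cs-uri-stem"])].append(req)
    outcomes = {}
    for key, reqs in sequences.items():
        saw_challenge = any(r["sc-status"] == "401" for r in reqs)
        last = reqs[-1]
        if last["sc-status"] == "401":
            outcome = "unauthenticated"        # client never got past the challenge
        elif saw_challenge:
            outcome = "authenticated"          # challenge answered, handshake completed
        else:
            outcome = "anonymous"              # no challenge at all, e.g. GetCACert
        outcomes[key] = (outcome, last["cs-username"])
    return outcomes

def win32_hex(value):
    """Render sc-win32-status as the HRESULT it encodes (2148074254 -> 0x8009030E)."""
    return "0x%08X" % int(value)
```

The 0x8009xxxx range is the SSPI facility, so a 401.1 carrying such a code is part of the Negotiate exchange rather than a certificate-request error like the 0x80070005 in the post.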