I am running into some major problems with the NDES-feature of Server 2008 (non R2, up-to-date).
NDES uses two certificates to service the routers requests and enroll certificates for them:
- CEPEncryption (A template enrollable for machines)
- Exchange Enrollment Agent (Offline Request) (A template enrollable for users)
After installing NDES, everythings fine: the two certificates are in the MY - store of the local computer (the RA, actually the signing Sub CA) and the NDES_Service-Account has Read-Permission on the private key.
The two certificates have a two year validity period and are not automatically enrolling after expiring.
So I want to enroll these two certificates and use the new ones. And here the problems start:
- even if both certificates of both required templates are requested and in the My-Store NDES stop functioning. Here's an excerpt of the eventlog:
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error
I am using this guide to request and install the certificates and have tried every single possiblity there is out there: http://blogs.technet.com/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx - not working.
So the only thing working for me right now is the "Renew certificate with new key" on the CEP-Encryption-Certificate while being in the My-Store of the local computer. But thats just one outof two certificates, and the next one proves more difficult.
Renewing the EnrollmentAgentOffline fails (because you need a user to enroll for it), so I have to manually request it, and move it there - not working.
Renewing both certificates via the web enrollment pages and then moving the certificates into the My-Store of the local computer and setting Read permission for the NDES-Account - not working.
A microsoft employee said, that I had to request it with the service-accounts certificates console - strange but doable, but also - not working.
I am so out of ideas trying to get NDES working after changing the certificates, I would really appreciate feedback. It's really a major letdown from Microsoft to not offer any decent documentation on the NDES-feature and to not provide informative feedback (no offense to the employee but to the logs and error messages).
So please - help me out and save my day. It looks like they hard-coded some information about the certificates somewhere, so you can't just change them Am I really the only one trying this? :D