[SOLVED] Network Device Enrollment Service - Renewing service certificates

Posted on: Oct 16 2012 Category :Windows > Windows Server General Views: 7755 | Subscribe


Hi all, 

I am running into some major problems with the NDES-feature of Server 2008 (non R2, up-to-date).

NDES uses two certificates to service the routers' requests and enroll certificates for them:

- CEPEncryption (A template enrollable for machines)

- Exchange Enrollment Agent (Offline Request)  (A template enrollable for users)

After installing NDES, everything's fine: the two certificates are in the MY store of the local computer (the RA, actually the signing Sub CA) and the NDES_Service account has Read permission on the private key.

The two certificates have a two year validity period and are not automatically enrolling after expiring.

So I want to enroll these two certificates and use the new ones. And here the problems start:

- even if both certificates of both required templates are requested and in the My-Store, NDES stops functioning. Here's an excerpt of the eventlog:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect. The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

I am using this guide to request and install the certificates and have tried every single possibility there is out there: http://blogs.technet.com/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx - not working.

So the only thing working for me right now is the "Renew certificate with new key" on the CEP-Encryption certificate while being in the My-Store of the local computer. But that's just one out of two certificates, and the next one proves more difficult.

Renewing the EnrollmentAgentOffline fails (because you need a user to enroll for it), so I have to manually request it, and move it there - not working. 

Renewing both certificates via the web enrollment pages and then moving the certificates into the My-Store of the local computer and setting Read permission for the NDES-Account - not working.

A Microsoft employee said that I had to request it with the service account's certificates console - strange but doable, but also - not working.

I am so out of ideas trying to get NDES working after changing the certificates; I would really appreciate feedback. It's really a major letdown from Microsoft to not offer any decent documentation on the NDES feature and to not provide informative feedback (no offense to the employee, but to the logs and error messages).

So please - help me out and save my day. It looks like they hard-coded some information about the certificates somewhere, so you can't just change them. Am I really the only one trying this? :D

Greeting, MMF
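An added diagnostic (not from the original post or from Microsoft) that inventories the two NDES certificates the post describes, CEPEncryption and EnrollmentAgentOffline, in the local computer's My store, and reports expiry and whether the NDES service account can read each private key file. It assumes PowerShell 2.0 or later on the NDES server, a placeholder account name you replace, and that the keys are CSP (not CNG) keys stored under the standard MachineKeys folder.

```powershell
# Added diagnostic for the two NDES certificates; run elevated on the NDES server.
$NdesAccount = 'DOMAIN\NDES_Service'   # assumption: replace with the real NDES service account
$Templates   = @('CEPEncryption', 'EnrollmentAgentOffline')  # the two templates NDES needs

# Certificate Template Name (v1 templates) and Certificate Template Information (v2+) extensions
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-TemplateName($cert) {
    foreach ($ext in $cert.Extensions) {
        if ($TemplateOids -contains $ext.Oid.Value) {
            # v1 gives the bare name; v2+ gives "Template=Name(OID), ..." - both contain the name
            return $ext.Format($false)
        }
    }
    return $null
}

# CSP machine keys live here on Vista/2008 and later
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $tpl = Get-TemplateName $cert
    if (-not $tpl) { continue }
    $match = $Templates | Where-Object { $tpl -like "*$_*" }
    if (-not $match) { continue }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt 60) { 'EXPIRING' } else { 'OK' }

    $keyAccess = 'no private key'
    if ($cert.HasPrivateKey) {
        $keyAccess = 'key file not found'
        try {
            # Map the certificate to its key container file and read the file ACL
            $keyFile = Join-Path $machineKeys $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if (Test-Path $keyFile) {
                $rule = (Get-Acl $keyFile).Access | Where-Object {
                    $_.IdentityReference.Value -eq $NdesAccount -and
                    $_.AccessControlType -eq 'Allow' -and
                    $_.FileSystemRights -match 'Read|FullControl'
                }
                $keyAccess = if ($rule) { "$NdesAccount can read key" } else { "$NdesAccount has NO read on key" }
            }
        } catch { $keyAccess = "cannot inspect key (CNG key or access denied): $($_.Exception.Message)" }
    }

    '{0,-24} {1,-9} expires {2:yyyy-MM-dd} ({3,5} days)  {4}  {5}' -f `
        $match, $status, $cert.NotAfter, $daysLeft, $cert.Thumbprint, $keyAccess
}
```

If one of the two templates prints no line at all, or prints EXPIRED or "NO read on key", that matches the failure mode the eventlog excerpt above describes.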


This posting is provided AS IS with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
