Enabling Debug Logging for the Network Device Enrollment Service (NDES)

When trying to track down an error in the Network Device Enrollment Service (NDES), it is helpful to enable debug logging.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

Installation log

During the installation (role configuration) the actions are written to the following log file.

%WINDIR%\certocm.log

Enable debug logging

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

Debug logging can be enabled with the following command:

certutil -setreg enroll\debug 0xffffffe3

The log files are written to the following locations:

  • %WINDIR%\mscep.logif the NDES service account has write permissions to this directory (if the account has local administrator rights, which should be avoided for security reasons).
  • %WINDIR%\System32\config\systemprofile\AppData\Local\mscep.log if the NDES service account does not have write access to the above directory.

Even if the second case applies, write permissions must be assigned. One should create the file %WINDIR%\System32\config\systemprofile\AppData\Local\mscep.log in advance as an empty text file and assign write permissions for the NDES service account.

Before logging becomes active, the NDES service must be restarted with the iisreset command.

iisreset

Subsequently, the log file (after the first call of the mcsep or mscep_admin pages) should now fill with content.

Disable debug logging

Debug logging can be disabled again with the following command line command:

certutil -delreg enroll\debug

Afterwards, a restart of the NDES service with the iisreset command is required again to stop logging.

Related links:

en_USEnglish