Assume the following scenario:
- An NDES server is configured on the network.
- HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
- Events no. 2 and 10 are recorded in the application event log:
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".
Possible causes
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to realize secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
This error occurs when the NDES service cannot use the Registration Authority certificates it requires.
Possible causes may include:
- There are no Registration Authority certificates at all (e.g. if the service was installed manually and the certificates have not yet been requested).
- The Registration Authority (RA) certificates have expired and must be renewed.
- The Registration Authority (RA) certificates use a Key Storage Provider (KSP) instead of a Cryptographic Service Provider (CSP) for the storage of the private keys. The NDES RA certificates must necessarily use a CSP.
- The Registration Authority certificates have been issued by the wrong certification authority. They must always come from the certification authority that the NDES server is configured to use for requesting the device certificates. If several certification authorities offer the Registration Authority certificate templates, the wrong certification authority may have been selected when the certificates were requested or renewed, for example if the request was made via Autoenrollment or the Microsoft Management Console, since in that case a certification authority is selected at random when several are available.
- One or both Registration Authority certificates do not have the correct Key Usage extension configured. The CEP Encryption certificate requires "Key Encipherment", the Enrollment Agent certificate requires "Signature".
- The SCEP application pool identity in the Internet Information Server (IIS) does not have read access to the private keys of the certificates (for example, if a domain account or a Group Managed Service Account (gMSA) is configured, or if the Registration Authority certificates were requested manually and no permissions on the private key were granted to the SCEP application pool).
- The Registration Authority certificates cannot be validated because their revocation status cannot be determined. Examples include:
  - The Registration Authority certificates do not contain any CRL Distribution Point (CRLDP) information, because the certification authority is not configured to include this information in the certificates it issues.
  - The revocation list distribution points are not reachable.
  - The revocation lists cannot be retrieved from the revocation list distribution point. Also remember here that "Double Escaping" must be enabled on the IIS web server if delta revocation lists are used.
  - The revocation lists have expired.
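The following PowerShell script is an added example (not part of the original article) that walks through the causes listed above for the certificates in the local machine store: expiry, issuing CA, Key Usage, CSP versus KSP, who may read the private key, and chain/revocation building. It assumes the RA certificates can be identified by the "Certificate Request Agent" EKU and that $ExpectedIssuerCN is the CN of the CA the NDES server is configured for (placeholder value).

```powershell
using namespace System.Security.Cryptography.X509Certificates
param([string]$ExpectedIssuerCN = 'Contoso Issuing CA 1')   # placeholder: CN of the CA NDES is configured for

$raEku   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU, assumed here to mark the two RA certificates
$keyPath = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"   # location of CSP machine key files
$store   = [X509Store]::new('My', 'LocalMachine')
$store.Open([OpenFlags]::ReadOnly)
try {
    foreach ($cert in $store.Certificates) {
        $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        if (-not $cert.HasPrivateKey -or -not ($eku.EnhancedKeyUsages.Value -contains $raEku)) { continue }

        $findings = [System.Collections.Generic.List[string]]::new()
        if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("expired on $($cert.NotAfter)") }

        # The RA certificates must come from the CA the NDES server requests device certificates from
        $issuerCN = $cert.GetNameInfo([X509NameType]::SimpleName, $true)
        if ($issuerCN -ne $ExpectedIssuerCN) { $findings.Add("issued by '$issuerCN' instead of '$ExpectedIssuerCN'") }

        # Key Usage: CEP Encryption needs Key Encipherment, Enrollment Agent needs Digital Signature
        $ku   = ($cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }).KeyUsages
        $role = if ($ku -band [X509KeyUsageFlags]::KeyEncipherment) { 'CEP Encryption' }
                elseif ($ku -band [X509KeyUsageFlags]::DigitalSignature) { 'Enrollment Agent' }
                else { $findings.Add("key usage '$ku' is neither Key Encipherment nor Digital Signature"); 'unknown' }

        # NDES needs a CSP; certutil reports a KSP as "... Key Storage Provider"
        $provider = (certutil -store My $cert.Thumbprint | Select-String '^\s*Provider = (.+)$').Matches[0].Groups[1].Value
        if ($provider -match 'Key Storage Provider') {
            $findings.Add("private key is held by a KSP ($provider); NDES requires a CSP")
        } else {
            # For a CSP key, list who has read access to the key file (the SCEP application pool identity must be included)
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $readers   = (Get-Acl (Join-Path $keyPath $container)).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read|FullControl' } |
                ForEach-Object { $_.IdentityReference.Value }
            $findings.Add("private key readable by: $($readers -join ', ')")
        }

        # Build the chain with online revocation checking, which fails for the CRLDP/CRL problems described above
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            $findings.Add("chain/revocation check failed: $status")
        }

        '{0} ({1}, {2}): {3}' -f $cert.Subject, $role, $cert.Thumbprint, ($findings -join ' | ')
    }
} finally { $store.Close() }
```

Run it in an elevated PowerShell on the NDES server; every line of output names one candidate RA certificate, its role derived from the Key Usage, and the findings that match the causes above.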
Related links:
- Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES).
- Renew the Registration Authority (RA) certificates for Network Device Enrollment Service (NDES).
- Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions
- List of use cases for certificates that require specific Cryptographic Service Providers (CSP) or Key Storage Providers (KSP).
- Basics: Checking the revocation status of certificates