Assume the following scenario:
- An NDES server is configured on the network.
- When opening the administration web page (certsrv/mscep_admin), the following message appears:
You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".
Possible causes
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of policy rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
Possibility 1: Permissions on the device template are not correct
The user who logs in to the NDES administration page must have the enroll right on the configured certificate template.
Possibility 2: Wrong device template configured
In addition, it should be checked whether the correct certificate template has been configured on the NDES server. The configured certificate templates can be found in the registry on the NDES server at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
Note that the name of the LDAP object of the certificate template must be entered, i.e. the template name without spaces (not the display name).
Possibility 3: The device template is not published on the certification authority
The error message appears even if the configured certificate template is not published at all on the corresponding certification authority.
After publishing, the NDES service must be restarted for the changes to be applied.
Import-Module -Name WebAdministration
Restart-WebAppPool -Name SCEP
Start-Sleep -Seconds 15
[void](Invoke-WebRequest -Uri "http://localhost/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps")
Possibility 4: Order of handler mappings is not correct
If the previous methods have not been successful, the order of the handler mappings should be checked.
To do this, navigate to the Default Web Site in the IIS Management Console and click on "View Applications" on the right-hand side.
NDES splits into two applications:
- The interface for requesting one-time passwords (mscep_admin).
- The interface for requesting the certificates (mscep).
The following steps must be performed consecutively for both applications.
After double-clicking the application, select the "Handler Mappings" option.
Then select "View Ordered List" on the right-hand side.
The "StaticFile" handler must be placed above the "ExtensionlessUrlHandler-ISAPI-4.0_64bit" handler.
NDES must then be restarted using the iisreset command.
Possibility 5: The managed pipeline mode is not correct
By default, the managed pipeline mode for the "SCEP" application pool is set to "Classic". If ASP.NET 4.5 (or 4.6, 4.7, 4.8) is installed on the web server (as is the case with the Microsoft Intune Connector for NDES), the mode must be set to "Integrated".
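As an added example (not part of the original article), the following PowerShell script, run elevated on the NDES server, checks possibilities 2 to 5 in one pass: it reads the configured template names from the MSCEP registry key, compares them against the templates published on the CA, verifies the handler order for both NDES applications and reports the pipeline mode of the SCEP application pool. It assumes the standard value names EncryptionTemplate, SignatureTemplate and GeneralPurposeTemplate under the MSCEP key and the "TemplateName: Display Name -- ..." line format of certutil -CATemplates; the enroll permission (possibility 1) is not checked here.

```powershell
# Added diagnostic script, not from the original article. Run elevated on the NDES server.
Import-Module -Name WebAdministration

$mscepKey   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
# Assumption: these are the standard value names holding the template names.
$valueNames = 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate'

# Possibilities 2 and 3: templates configured in the registry vs. templates published on the CA.
# Assumption: certutil prints one line per template as "<TemplateName>: <Display Name> -- ...".
$published = certutil -CATemplates 2>$null | ForEach-Object {
    if ($_ -match '^(\S+):') { $Matches[1] }
}
foreach ($name in $valueNames) {
    $template = (Get-ItemProperty -Path $mscepKey -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $template) { Write-Warning "$name is not set under $mscepKey"; continue }
    if ($template -match '\s') { Write-Warning "$name '$template' contains spaces; use the LDAP name" }
    if ($published -contains $template) { "$name '$template' is published on the CA" }
    else { Write-Warning "$name '$template' is NOT published on the CA" }
}

# Possibility 4: StaticFile must be ordered above ExtensionlessUrlHandler-ISAPI-4.0_64bit
# in both NDES applications.
foreach ($app in 'mscep', 'mscep_admin') {
    $handlers = @((Get-WebConfiguration -Filter 'system.webServer/handlers' `
        -PSPath "IIS:\Sites\Default Web Site\$app").Collection | ForEach-Object { $_.name })
    $static = [array]::IndexOf($handlers, 'StaticFile')
    $isapi  = [array]::IndexOf($handlers, 'ExtensionlessUrlHandler-ISAPI-4.0_64bit')
    if ($static -ge 0 -and $isapi -ge 0 -and $static -gt $isapi) {
        Write-Warning "$app : StaticFile is ordered below ExtensionlessUrlHandler-ISAPI-4.0_64bit"
    } else { "$app : handler order OK" }
}

# Possibility 5: pipeline mode of the SCEP application pool.
$mode = (Get-Item -Path 'IIS:\AppPools\SCEP').managedPipelineMode
if ($mode -ne 'Integrated') {
    Write-Warning "SCEP application pool runs in '$mode' mode; set it to Integrated if ASP.NET 4.x is installed"
} else { "SCEP application pool pipeline mode: $mode" }
```

After correcting any reported item, restart the SCEP application pool (or run iisreset) as described above so the change takes effect.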