Assume the following scenario:
- An NDES server is configured on the network.
- HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
- Event ID 2 is logged in the Application event log:
The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".
The error "The system cannot find the file specified" usually indicates a problem with the registry configuration of the NDES server.
Under certain circumstances, Event ID 10 is logged as well.
Possibility 1: Inconsistent registry
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of policies to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
This error may occur if the NDES server registry is not consistent, for example if the "EnforcePassword" registry value does not exist.
Possibility 2: No access to the EncryptedPassword registry value
This possibility applies only if the NDES server is configured to use a static password.
The error message occurs on an NDES server configured to use a static password when the NDES service account cannot access the registry path in which NDES generates the EncryptedPassword subkey.
Since the static password is stored in the registry, the NDES service account must be granted write permission to the MSCEP registry key.
The desired setting can be found in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
This is achieved by granting the "Full Control" permission on that key.
Provided that the NDES service runs with the identity of the IIS application pool, the principal can be entered with the following syntax:
IIS APPPOOL\SCEP
If the NDES service account is a domain account, the "Load User Profile" option must still be enabled in the advanced configuration of the IIS application pool.
Likewise, a user profile must exist, i.e. the NDES service account must log on to the NDES server interactively once so that the profile is generated. This requirement also rules out the use of group-managed service accounts (gMSA) for operation with a static password.
This setting can also be set with the following Windows PowerShell command:
Set-ItemProperty IIS:\AppPools\SCEP -name processModel -value @{LoadUserProfile="true"}
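The following Windows PowerShell script is an added example, not part of the original article, that walks through both possibilities above on the NDES server: it looks for the Event ID 2 and 10 entries in the Application log, checks whether the EnforcePassword entry exists under the MSCEP key, checks whether the application pool identity holds Full Control on that key and grants it if missing, and enables "Load User Profile" when the pool runs as a domain account. It assumes the application pool is named SCEP (as in the syntax above) and that the NDES service runs under that pool's identity; the variable names and the profile-folder heuristic are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: diagnose and remediate the two NDES start failures described above.
# Assumption: the NDES application pool is called "SCEP"; adjust if yours differs.
Import-Module WebAdministration

$AppPoolName = 'SCEP'                                   # assumed pool name
$PoolPath    = "IIS:\AppPools\$AppPoolName"
$Identity    = "IIS APPPOOL\$AppPoolName"               # syntax from the article
$MscepKey    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# --- Symptom check: Event ID 2 (and optionally 10) in the Application log ---
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 2, 10 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Network Device Enrollment Service cannot be started*' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# --- Possibility 1: inconsistent registry (EnforcePassword missing) ---
if (-not (Test-Path $MscepKey)) {
    throw "MSCEP registry key not found at $MscepKey; NDES may not be installed on this host."
}
$key = Get-Item -Path $MscepKey
# NDES may store the entry as a value or as a subkey; accept either form.
$hasEnforcePassword = ($key.GetValueNames() -contains 'EnforcePassword') -or
                      (Test-Path "$MscepKey\EnforcePassword")
if (-not $hasEnforcePassword) {
    Write-Warning "EnforcePassword is missing under $MscepKey (Possibility 1). Reconfigure NDES to restore a consistent registry."
} else {
    Write-Host "EnforcePassword present under $MscepKey."
}

# --- Possibility 2: service account cannot write EncryptedPassword ---
$pool = Get-Item $PoolPath -ErrorAction Stop
$acl  = Get-Acl -Path $MscepKey
$fullControl = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and
    $_.AccessControlType -eq 'Allow' -and
    $_.RegistryRights -eq 'FullControl'
}
if (-not $fullControl) {
    Write-Warning "$Identity lacks Full Control on $MscepKey; granting it (Possibility 2)."
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $MscepKey -AclObject $acl
} else {
    Write-Host "$Identity already holds Full Control on $MscepKey."
}

# Domain service account: Load User Profile must be on and a profile must exist.
if ($pool.processModel.identityType -eq 'SpecificUser') {
    $user = $pool.processModel.userName
    if (-not $pool.processModel.loadUserProfile) {
        Write-Warning "Enabling 'Load User Profile' on $AppPoolName for domain account $user."
        Set-ItemProperty $PoolPath -Name processModel -Value @{ LoadUserProfile = 'true' }
    }
    # Heuristic from this example: a profile folder under C:\Users indicates the
    # account has logged on interactively at least once (gMSAs never will).
    $sam = ($user -split '\\')[-1]
    if (-not (Test-Path (Join-Path $env:SystemDrive "Users\$sam"))) {
        Write-Warning "No local profile found for $user; log on interactively once on this server."
    }
}

# Whether or not the EncryptedPassword entry exists yet tells you if NDES could write it.
$hasEncrypted = ($key.GetValueNames() -contains 'EncryptedPassword') -or
                (Test-Path "$MscepKey\EncryptedPassword")
Write-Host ("EncryptedPassword present: {0}" -f $hasEncrypted)

# Recycle the pool so the new permissions and profile setting take effect.
Restart-WebAppPool -Name $AppPoolName
```

Run the script in an elevated PowerShell session on the NDES server; after the recycle, request the mscep and mscep_admin pages again and confirm that no new Event ID 2 entry appears.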