Requesting certificates via Network Device Enrollment Service (NDES) fails with HTTP error code 500

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • The NDES server uses a domain account for the identity of the SCEP IIS application pool.
  • Requesting certificates via NDES fails with HTTP error code 500 (Internal Server Error).
  • Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
  • Even after an iisreset or a restart of the NDES server, no event appears after calling the mscep or mscep_admin page indicating that the NDES service has started or that errors occurred.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Detailed error description

If you call the mscep page directly on the NDES server, you get more details. You see the error code

Error code 0x80070542 (ERROR_BAD_IMPERSONATION_LEVEL)

The error code 0x80070542 means:

0x80070542 (WIN32: 1346 ERROR_BAD_IMPERSONATION_LEVEL) -- 2147943746 (-2147023550)
Either a required impersonation level was not provided, or the provided impersonation level is invalid.

If you observe the IIS process (w3wp.exe) with the Process Monitor, a BAD IMPERSONATION is also reported here.

Calling mscep_admin works, but only if you log in with the NDES service account.

Logging in to the mscep_admin page as an NDES service account causes the service to start, but a certificate request still fails with HTTP error message 500.

A request for a certificate with the NDES service account generates error code 0x8007025c (ERROR_INVALID_VARIANT).

In this case, two events from the NDES service (event IDs 14 and 18) are logged:

The Network Device Enrollment Service cannot sign the response to a client request (0x80070005).
The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80070005).

The error code 0x80070005 means E_ACCESSDENIED (General access denied error). This can also be seen in the Process Monitor. However, the NDES service account does have the required read permissions on the registry keys shown there.

If you temporarily add the NDES service account to the local administrators group, the service will work as intended.

Solution

In this case, hardening settings were distributed via group policy to all servers, including the NDES server. This removed the "Impersonate a client after authentication" user right (SeImpersonatePrivilege) from the NDES service account. As a result, after a restart of the server, of the web server service, or of the SCEP application pool, the NDES service account no longer holds this privilege.

However, the NDES service account requires this privilege. By default, it obtains the right through its membership in the IIS_IUSRS group, which is granted "Impersonate a client after authentication" out of the box. The right must therefore be reassigned accordingly (so that the hardening policy no longer strips it from IIS_IUSRS or from the service account).

Afterwards, the NDES service must be restarted with an iisreset command so that the restored privilege is applied to the application pool process.
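To verify the root cause described above on an NDES server, the following PowerShell check (an added example, not part of the original article) reads the application pool identity, exports the effective local security policy with secedit, and reports whether the account still holds SeImpersonatePrivilege directly or via IIS_IUSRS. The application pool name "SCEP" is an assumption; adjust it to your environment.

```powershell
# Added example: detect a missing SeImpersonatePrivilege for the NDES app pool
# identity. Run in an elevated PowerShell session on the NDES server.
$PoolName = 'SCEP'   # assumption: name of the NDES application pool

Import-Module WebAdministration
$identity = (Get-ItemProperty "IIS:\AppPools\$PoolName").processModel.userName
if (-not $identity) { throw "App pool '$PoolName' does not run under a custom account" }

# Resolve the service account to its SID; IIS_IUSRS has a well-known SID.
$accountSid = (New-Object System.Security.Principal.NTAccount($identity)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$iisUsersSid = 'S-1-5-32-568'   # BUILTIN\IIS_IUSRS

# Export the effective local security policy. The [Privilege Rights] section
# lists each user right as "SeXxxPrivilege = *SID,*SID,..." (names may also appear).
$cfg = Join-Path $env:TEMP 'secpol-ndes-check.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $cfg -Force

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Default path to the privilege: membership in IIS_IUSRS, which holds the right.
$inIisUsers = [bool](Get-LocalGroupMember -SID $iisUsersSid -ErrorAction SilentlyContinue |
    Where-Object { $_.SID.Value -eq $accountSid })

$direct   = $holders -contains $accountSid
$viaGroup = $inIisUsers -and ($holders -contains $iisUsersSid)
$verdict  = if ($direct -or $viaGroup) {
    'OK: SeImpersonatePrivilege present'
} else {
    'SeImpersonatePrivilege missing: expect 0x80070542 and HTTP 500 from mscep'
}

[pscustomobject]@{
    AppPool                = $PoolName
    Identity               = $identity
    AccountSid             = $accountSid
    MemberOfIIS_IUSRS      = $inIisUsers
    HoldsPrivilegeDirect   = $direct
    HoldsPrivilegeViaGroup = $viaGroup
    Verdict                = $verdict
}
```

A "missing" verdict after a hardening GPO has been applied points to the user-rights assignment in that policy; after correcting it and running gpupdate, rerun the check and then iisreset.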

Error code 0x80070057 (ERROR_INVALID_PARAMETER)

See the article "The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect."".
