Assume the following scenario:
- One installs a Network Device Enrollment Service (NDES) server.
- One has the necessary permissions to install the role (local administrator, enterprise administrator).
- The role configuration fails with the following error message:
Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".
Cause
This error does not occur on the NDES server, but on the certification authority. The NDES role configuration restarts the certification authority service during configuration.
The certification authority logs event ID 34, and the certification authority service does not start again after it has been stopped.
The error indicates that the certification authority can no longer bind the RPC port because it has not yet been released again. A typical suspect here is the key storage provider of the hardware security module (HSM).
Especially with Gemalto / SafeNet HSMs there is a known bug in some key storage providers that can trigger this behavior.
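The following PowerShell triage script is an added example, not part of the original article: run on the CA host after the failed role configuration, it confirms the symptom described above by checking the CertSvc state, looking for event ID 34, and showing which key storage provider holds the CA key. It assumes the service name CertSvc, the event provider name Microsoft-Windows-CertificationAuthority in the Application log, and that `certutil -getreg CA\CSP\Provider` reports the provider.

```powershell
# Added diagnostic example (not from the original article). Run as local
# administrator on the certification authority, not on the NDES server.
param([int]$LookbackMinutes = 60)

# 1. Service state: after the NDES wizard restarts the CA, it should be Running.
$svc = Get-Service -Name 'CertSvc' -ErrorAction Stop
Write-Host ("CertSvc status: {0}" -f $svc.Status)

# 2. A certsrv.exe process still alive while the service reports Stopped is
#    consistent with the RPC endpoint not having been released yet.
$proc = Get-Process -Name 'certsrv' -ErrorAction SilentlyContinue
if ($svc.Status -ne 'Running' -and $proc) {
    Write-Host "certsrv.exe (PID $($proc.Id)) is still running although CertSvc is $($svc.Status)."
}

# 3. Event ID 34 from the CA provider (assumed provider name) marks the failed start.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 34
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Host ("Found {0} event(s) with ID 34 since {1}:" -f @($events).Count, $since)
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "No event ID 34 logged in the last $LookbackMinutes minutes."
}

# 4. Which provider holds the CA key? An HSM key storage provider here supports
#    the suspicion raised in the article; the software KSP makes it unlikely.
$line = certutil -getreg 'CA\CSP\Provider' 2>$null | Select-String -Pattern 'Provider\s+REG_SZ'
if ($line) {
    $provider = ($line.Line -replace '^.*REG_SZ\s*=\s*', '').Trim()
    Write-Host "CA key provider: $provider"
    if ($provider -notmatch 'Microsoft') {
        Write-Host "Third-party (HSM) provider in use; check its vendor for known KSP issues."
    }
} else {
    Write-Host "Could not read CA\CSP\Provider via certutil."
}
```

If the service is stopped and no certsrv.exe process remains, starting CertSvc again (`Start-Service CertSvc`) before re-running the wizard is the first thing to try; if the process lingers every time, the workaround below avoids the restart entirely.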
Workaround: Install NDES without role configuration wizard
There is an option to install the NDES role without the role configuration wizard. The steps that can trigger the error described above, in particular the restart of the certification authority service, are then skipped. How to install NDES manually is described in the article "Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions". Please note that the method described there is not supported by the manufacturer, so you will not get product support in case of error.