Month: March 2020

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_SERVER_REQUIRES_NEGOTIATE_AUTH".

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:
The remote endpoint requires HTTP authentication scheme 'negotiate'. 0x803d001f (-2143485921 WS_E_SERVER_REQUIRES_NEGOTIATE_AUTH)
Continue reading „Die Beantragung eines Zertifikats über den Certificate Enrollment Web Service (CES) schlägt fehl mit dem Fehlercode „WS_E_SERVER_REQUIRES_NEGOTIATE_AUTH““

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_INVALID_FORMAT".

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:
The input data was not in the expected format or did not have the expected value. 0x803d0000 (-2143485952 WS_E_INVALID_FORMAT)
Continue reading „Die Beantragung eines Zertifikats über den Certificate Enrollment Web Service (CES) schlägt fehl mit dem Fehlercode „WS_E_INVALID_FORMAT““

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_ENDPOINT_NOT_FOUND".

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:
The remote endpoint does not exist or could not be located. 0x803d000d (-2143485939 WS_E_ENDPOINT_NOT_FOUND)
Continue reading „Die Beantragung eines Zertifikats über den Certificate Enrollment Web Service (CES) schlägt fehl mit dem Fehlercode „WS_E_ENDPOINT_NOT_FOUND““

Certificate Enrollment Policy creation for Certificate Enrollment Policy Web Service (CEP) fails with error code "WS_E_INVALID_FORMAT".

Assume the following scenario:

  • A Certificate Enrollment Policy Web Service (CEP) is implemented in the network.
  • An enrollment policy is configured.
  • Testing the connection fails with the following error message: 
Error: The input data was not in the expected format or did not have the expected value. 0x803d0000 (-2143485952 WS_E_INVALID_FORMAT)
Continue reading „Die Erstellung einer Zertifikatregistrierungsrichtlinie (Enrollment Policy) für den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit dem Fehlercode „WS_E_INVALID_FORMAT““

Configuring the Network Device Enrollment Service (NDES) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate NDES with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Continue reading „Den Registrierungsdienst für Netzwerkgeräte (NDES) für den Betrieb mit einem Group Managed Service Account (gMSA) konfigurieren“

Enabling Debug Logging for the Network Device Enrollment Service (NDES)

When trying to track down an error in the Network Device Enrollment Service (NDES), it is helpful to enable debug logging.

Continue reading „Debug Protokollierung für den Registrierungsdienst für Netzwerkgeräte (NDES) aktivieren“

The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified."

Assume the following scenario:

  • An NDES server is configured on the network.
  • HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
  • It will be the Event No. 2 stored in the application event log: 
The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified.
Continue reading „Der Registrierungsdienst für Netzwerkgeräte (NDES) protokolliert die Fehlermeldung „The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified.““

Renew the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES).

Once NDES has been in operation for some time (typically two years), one is faced with the challenge of renewing the Registration Authority (RA) certificates. Unfortunately, this process is not necessarily solved intuitively and is therefore described in more detail in this article.

Continue reading „Die Registration Authority (RA) Zertifikate für den Registrierungsdienst für Netzwerkgeräte (NDES) erneuern“

The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect."

Assume the following scenario:

  • An NDES server is configured on the network.
  • HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
  • The events no. 2 and 10 stored in the application event log:
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
Continue reading „Der Registrierungsdienst für Netzwerkgeräte (NDES) protokolliert die Fehlermeldung „The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.““

Configuring the Network Device Enrollment Service (NDES) to operate without a password.

There are situations in which you cannot operate NDES with changing passwords. This is usually the case when there is either no management solution for the devices to be managed, or when it cannot handle changing passwords. Some solutions cannot handle a password at all.

In this case, you can configure NDES not to generate or require a password.

Continue reading „Den Network Device Enrollment Service (NDES) für den Betrieb ohne Passwort konfigurieren“

Public Key Infrastructures (PKI) basics

A public key infrastructure comprises all components (hardware, software, people and processes) required for the use of digital certificates. A PKI consists of one or more certification authorities (CA). The tasks of a PKI include:

  • Ensuring the authenticity of keys, i.e. establishing a traceable link between a key and its origin to prevent misuse.
  • Revocation of certificates, i.e., ensuring that decommissioned or compromised (e.g., stolen) keys can no longer be used.
  • Guarantee of liability (non-repudiation), i.e., the owner of a key cannot deny that it belongs to him.
  • Enforcement of policies, i.e. standardized procedures for the use of certificates.
Continue reading „Grundlagen Public Key Infrastrukturen (PKI)“

Cryptography basics

The need for the use for cryptography can be summarized under the notion of ensuring secure communication in the presence of untrusted third parties. The goals of cryptography are:

  1. To prevent data from falling into unauthorized hands (To ensure the confidentiality of data).
  2. Find out if data has been modified during transport (Ensure the integrity of the data).
  3. To clearly identify the source of the data (To ensure the authenticity of the data).
  4. Additionally, users or computers can authenticate themselves using cryptography.
Continue reading „Grundlagen Kryptographie“

Configuring the Network Device Enrollment Service (NDES) to work with a static password.

There are situations in which you cannot operate NDES with changing passwords. This is usually the case when there is either no management solution for the devices to be managed, or when it cannot handle changing passwords.

In this case, you can configure NDES to generate a static password that will not change afterwards.

Continue reading „Den Registrierungsdienst für Netzwerkgeräte (NDES) für den Betrieb mit einem statischen Passwort konfigurieren“

Creating a virtual smart card in a Hyper-V guest system

For test environments, it is often helpful to be able to work with smartcards. Below is a brief guide on how to set up a virtual smartcard in a Hyper-V guest using a virtualized Trusted Platform Module (TPM).

Continue reading „Erstellen einer virtuellen Smartcard in einem Hyper-V Gastsystem“
en_USEnglish
de_DEDeutsch en_USEnglish