Should HTTPS be used for the Network Device Enrollment Service (NDES)?

The Network Device Enrollment Service (NDES) is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP), which Cisco developed in the early 2000s. Microsoft's first implementation shipped as the MSCEP add-on for Windows Server 2003 and became the NDES role service with Windows Server 2008.

It may come as a surprise that, to this day, NDES does not use HTTPS (TLS, formerly SSL) for its HTTP endpoints in the default configuration. SCEP itself protects the enrollment messages with PKCS#7 signatures and encryption, which is why the protocol was designed to run over plain HTTP; what this means for the other NDES pages, above all the administration page that hands out challenge passwords, is explained and evaluated in more detail in the full article.

Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)".

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • Requesting a certificate fails with the following error message:
"The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)"

Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)".

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • Requesting a certificate fails with the following error message:
"The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)"

Requesting certificates via Network Device Enrollment Service (NDES) fails with HTTP error code 500

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • The NDES server uses a domain account for the identity of the SCEP IIS application pool.
  • Requesting certificates via NDES fails with HTTP error code 500 (Internal Server Error).
  • Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
  • Even after an iisreset or a restart of the NDES server, calling the mscep or mscep_admin page produces no event at all, neither one stating that the NDES service has started nor one reporting an error.

The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error"

Assume the following scenario:

  • An NDES server is configured on the network.
  • Accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin) returns HTTP error 500 (Internal Server Error) together with error code 0x80004005.
  • Events with IDs 2 and 8 are written to the Application event log:
"The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error"

Overview of Windows events generated by the Network Device Enrollment Service (NDES).

The following is an overview of the events that the Network Device Enrollment Service (NDES) writes to the Windows event log (visible in Event Viewer).

The events of the Network Device Enrollment Service are not officially documented. The following list was generated with the Windows Event Log Messages (WELM) tool.
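As an added example that is not part of the original article, the following Windows PowerShell snippet pulls the NDES events of the last seven days from the Application log and summarizes them per event ID, which is a quick way to compare what a given server actually logs against the WELM-generated list. It assumes the events are written by the provider "Microsoft-Windows-NetworkDeviceEnrollmentService"; the exact provider name on a server can be confirmed with `Get-WinEvent -ListProvider *NetworkDevice*`.

```powershell
# Added example (not from the original article): summarize NDES events from the Application log.
# Assumption: the provider name below is the one NDES uses; verify with Get-WinEvent -ListProvider.
$provider = "Microsoft-Windows-NetworkDeviceEnrollmentService"

$events = Get-WinEvent -FilterHashtable @{
    LogName      = "Application"
    ProviderName = $provider
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue     # Get-WinEvent raises a non-terminating error when nothing matches

if (-not $events) {
    "No events from $provider in the last 7 days (has the SCEP application pool been started and called?)"
    return
}

# One row per event ID: how often it occurred, the level, when it was last seen and the first
# line of the newest message, so the overview stays readable even for chatty servers.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        EventId = [int]$_.Name
        Count   = $_.Count
        Level   = $newest.LevelDisplayName
        Last    = $newest.TimeCreated
        Message = ($newest.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize
```

Run it on the NDES server itself, or add `-ComputerName` to `Get-WinEvent` for a remote server; the "cannot be started" events (IDs 2 and 8) discussed on this page are the ones to look for first.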

Performing a functional test for the Network Device Enrollment Service (NDES)

After installing a Network Device Enrollment Service (NDES), or after more extensive maintenance, a thorough functional test should be performed to ensure that all components are working as intended.
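The following Windows PowerShell script is an added example and not the test procedure from the original article. It exercises the three things a practitioner usually wants confirmed after an installation: that the SCEP endpoint answers the GetCACaps and GetCACert operations, that the Registration Authority (RA) certificates it returns are still valid, and that the administration page answers with Windows authentication. The host name ndes.corp.example.com and the plain-HTTP scheme are hypothetical; it is written for Windows PowerShell 5.1 on a domain-joined machine.

```powershell
# Added example, not the article's own procedure: a scripted functional test for an NDES endpoint.
# Hypothetical values: NDES host "ndes.corp.example.com", reached over http (the NDES default).
param(
    [string]$NdesHost = "ndes.corp.example.com",
    [string]$Scheme   = "http"
)
Add-Type -AssemblyName System.Security      # provides System.Security.Cryptography.Pkcs.SignedCms
$scep  = "${Scheme}://${NdesHost}/certsrv/mscep/mscep.dll/pkiclient.exe"
$admin = "${Scheme}://${NdesHost}/certsrv/mscep_admin/"

# 1. GetCACaps returns a plain-text capability list. POSTPKIOperation should be present on a
#    current NDES; an HTTP 500 here usually means the SCEP application pool cannot start.
$caps = (Invoke-WebRequest -Uri "$scep?operation=GetCACaps&message=ca" -UseBasicParsing).Content -split "`r?`n" |
    Where-Object { $_ }
"GetCACaps: $($caps -join ', ')"
foreach ($required in "POSTPKIOperation", "SHA-256") {
    if ($caps -notcontains $required) { Write-Warning "capability '$required' not advertised" }
}

# 2. GetCACert returns a degenerate PKCS#7 (no signers) that carries the CA certificate(s) and the
#    RA certificates. Expired RA certificates are a classic cause of enrollment failures, so the
#    NotAfter of every certificate is printed with a simple traffic-light state.
$resp = Invoke-WebRequest -Uri "$scep?operation=GetCACert&message=ca" -UseBasicParsing
$ms = New-Object System.IO.MemoryStream
$resp.RawContentStream.CopyTo($ms)          # RawContentStream avoids text decoding of binary content
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($ms.ToArray())
foreach ($cert in $cms.Certificates) {
    $state = if ($cert.NotAfter -lt (Get-Date)) { "EXPIRED" }
             elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { "expires soon" }
             else { "ok" }
    "{0,-13} {1:yyyy-MM-dd}  {2}" -f $state, $cert.NotAfter, $cert.Subject
}

# 3. The administration page must answer HTTP 200 with the caller's Windows credentials and
#    shows a challenge password. Over http this page, and the authentication exchange, are sent
#    unencrypted, which is the point of the HTTPS question at the top of this page.
$page = Invoke-WebRequest -Uri $admin -UseDefaultCredentials -UseBasicParsing
"mscep_admin: HTTP $($page.StatusCode)"
```

A complete test still ends with a real enrollment from a SCEP client against the endpoint; the script above only confirms that the server side is in a state where such an enrollment can succeed.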

Configuring the Network Device Enrollment Service (NDES) for use with an alias.

The following describes the steps required to configure the Network Device Enrollment Service (NDES) for use with an alias.

The term alias means that the service is not addressed by the name of the server on which it is installed, but by a generic name that is independent of it. Using an alias allows the service to be moved to another system later without all participants having to be told a new address. If Windows authentication is used against the alias (as it is for the administration page), the alias must also be registered as an HTTP service principal name on the account that runs the SCEP application pool, otherwise Kerberos authentication to the alias fails.

Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.

Required firewall rules for the Network Device Enrollment Service (NDES)

Implementing a Network Device Enrollment Service (NDES) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

Configuring the Network Device Enrollment Service (NDES) to work with a Group Managed Service Account (gMSA).

For security reasons, it can make sense to run NDES with a Group Managed Service Account (gMSA) instead of an ordinary domain account. A gMSA has the attractive property that Active Directory rotates its password automatically, so this step no longer has to be done by hand, which in practice is forgotten far too often.
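As an added example, not the configuration steps from the original article, the following Windows PowerShell commands create a gMSA, install it on the NDES server and switch the SCEP application pool to it. The names (domain CORP / corp.example.com, gMSA gMSA-NDES, server NDES01, alias ndes.corp.example.com) are hypothetical, and the example assumes that NDES has already been installed with an ordinary domain account, that the KDS root key exists (`Get-KdsRootKey`), and that the gMSA will later be granted read access to the private keys of the RA certificates, as any new service account must be.

```powershell
# Added example (hypothetical names, not the article's own procedure): run the NDES SCEP
# application pool under a Group Managed Service Account.

# 1. Create the gMSA. Run on a machine with the ActiveDirectory module; only the NDES
#    server NDES01 may retrieve the managed password. The HTTP SPN is needed when clients
#    and administrators use the alias with Windows (Kerberos) authentication.
Import-Module ActiveDirectory
New-ADServiceAccount -Name "gMSA-NDES" `
    -DNSHostName "gMSA-NDES.corp.example.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "NDES01$" `
    -ServicePrincipalNames "HTTP/ndes.corp.example.com"

# 2. On the NDES server: install the account locally and verify that the password can be fetched.
Install-ADServiceAccount -Identity "gMSA-NDES"
if (-not (Test-ADServiceAccount -Identity "gMSA-NDES")) {
    throw "gMSA cannot be used on this host; check KDS root key and PrincipalsAllowedToRetrieveManagedPassword"
}

# 3. Local rights: NDES requires its service account to be a member of IIS_IUSRS.
Add-LocalGroupMember -Group "IIS_IUSRS" -Member "CORP\gMSA-NDES$"

# 4. Point the SCEP application pool at the gMSA. The trailing "$" is part of the account name
#    and the password is left empty; IIS retrieves the managed password from the domain itself.
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\AppPools\SCEP" -Name processModel -Value @{
    identityType = "SpecificUser"
    userName     = "CORP\gMSA-NDES$"
    password     = ""
}
Restart-WebAppPool -Name "SCEP"

# 5. Smoke test: the pool must be running and the SCEP endpoint must answer.
(Get-WebAppPoolState -Name "SCEP").Value
(Invoke-WebRequest -Uri "http://ndes.corp.example.com/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps&message=ca" -UseBasicParsing).StatusCode
```

After the switch, the gMSA must be able to read the private keys of the two RA certificates (Manage Private Keys in the local machine certificate store), otherwise the application pool starts but every enrollment fails; the same applies whenever the service account of an existing NDES installation is changed.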

Enabling Debug Logging for the Network Device Enrollment Service (NDES)

When trying to track down an error in the Network Device Enrollment Service (NDES), it is helpful to enable debug logging.

The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified."

Assume the following scenario:

  • An NDES server is configured on the network.
  • HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
  • Event ID 2 is written to the Application event log:
"The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified."

Renew the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES).

Once NDES has been in operation for some time (typically two years), one is faced with the challenge of renewing the Registration Authority (RA) certificates. Unfortunately, this process is not very intuitive, which is why it is described in more detail in the full article.
