The Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin) reports "You do not have sufficient permission to enroll with SCEP. Please contact your system administrator."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the administration web page (certsrv/mscep_admin) the following message appears: "You do not have sufficient permission to enroll with SCEP. Please contact your system administrator."

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Causes

Possibility 1: Permissions on the device template are not correct

The user who logs in to the NDES administration page must have the enroll right on the configured certificate template.

Possibility 2: Wrong device template configured

In addition, it should be checked whether the correct certificate template has been configured on the NDES server. The certificate templates in use are defined in the registry on the NDES server under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

Note that the name of the certificate template's LDAP object must be entered here, i.e. the template name without spaces, not its display name.

Possibility 3: The device template is not published on the certification authority

The error message appears even if the configured certificate template is not published at all on the corresponding certification authority.

After publishing, the NDES service must be restarted for the changes to be applied.

# Recycle the SCEP application pool so that NDES re-reads its template configuration
Import-Module -Name WebAdministration
Restart-WebAppPool -Name SCEP
Start-Sleep -Seconds 15
# Warm up the recycled pool with a harmless SCEP request (GetCACaps)
[void](Invoke-WebRequest -Uri "http://localhost/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps")

Possibility 4: Order of handler mappings is not correct

If the previous methods have not been successful, the order of the handler mappings should be checked.

To do this, navigate to the Default Web Site in the IIS Management Console and click on "View Applications" on the right-hand side.

NDES splits into two applications:

  • The interface for requesting one-time passwords (mscep_admin).
  • The interface for requesting the certificates (mscep).

The following steps must be performed consecutively for both applications.

After double-clicking the application, the "Handler Mappings" option is selected.

"View Ordered List" is selected on the right side.

The "StaticFile" handler must be placed above the "ExtensionlessUrlHandler-ISAPI-4.0_64bit" handler.

NDES must then be restarted using the iisreset command.

Possibility 5: The managed pipeline mode is not correct

By default, the managed pipeline mode for the "SCEP" application pool is set to "Classic". If ASP.NET 4.5 (or 4.6, 4.7, 4.8) is installed on the web server (as is the case when the Microsoft Intune Connector for NDES is installed), the mode must be set to "Integrated".
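The following PowerShell script, added here as an example and not part of the original article, checks the configuration points from Possibilities 2 to 5 on the NDES server itself: the template names in the MSCEP registry key (values EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate), whether those templates appear in the CA's published template list, the handler order for both NDES applications, and the pipeline mode of the SCEP pool. It assumes the application pool is named "SCEP", that NDES is installed under "Default Web Site", that Get-WebHandler returns handlers in the same order as IIS Manager's ordered list, and that "certutil -CATemplates" lists each template as "Name: DisplayName ..." at the start of a line.

```powershell
# Added diagnostic script (not from the original article). Run elevated on the NDES server.
Import-Module -Name WebAdministration
$findings = @()

# Possibility 2: which templates does NDES hand out? Must be LDAP names (no spaces).
$mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$templates = foreach ($v in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    [pscustomobject]@{ Value = $v; Template = $mscep.$v }
}
$templates | Format-Table -AutoSize
foreach ($t in $templates) {
    if (-not $t.Template) { $findings += "$($t.Value) is not set."; continue }
    if ($t.Template -match '\s') {
        $findings += "$($t.Value) '$($t.Template)' contains spaces; enter the LDAP name instead."
    }
}

# Possibility 3: is each configured template published on the CA?
# Assumption: certutil prints each template as "Name: DisplayName -- ..." on its own line.
$published = certutil -CATemplates 2>&1 | ForEach-Object { "$_" }
foreach ($name in ($templates.Template | Where-Object { $_ } | Select-Object -Unique)) {
    if (-not ($published -match "^$([regex]::Escape($name)):")) {
        $findings += "Template '$name' is not published on the CA (or certutil could not reach it)."
    }
}

# Possibility 4: StaticFile must be ordered above ExtensionlessUrlHandler-ISAPI-4.0_64bit
# in both NDES applications (assumed path: Default Web Site/certsrv/<app>).
foreach ($app in 'mscep_admin', 'mscep') {
    $names  = @((Get-WebHandler -PSPath "IIS:\Sites\Default Web Site\certsrv\$app").Name)
    $static = [array]::IndexOf($names, 'StaticFile')
    $isapi  = [array]::IndexOf($names, 'ExtensionlessUrlHandler-ISAPI-4.0_64bit')
    if ($static -lt 0 -or ($isapi -ge 0 -and $static -gt $isapi)) {
        $findings += "$app : StaticFile is not above ExtensionlessUrlHandler-ISAPI-4.0_64bit."
    }
}

# Possibility 5: managed pipeline mode of the SCEP application pool
$mode = "$((Get-ItemProperty -Path 'IIS:\AppPools\SCEP').managedPipelineMode)"
if ($mode -ne 'Integrated') {
    $findings += "SCEP pool pipeline mode is '$mode'; set it to Integrated when ASP.NET 4.x is installed."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No NDES configuration findings.' }
```

After correcting a finding, recycle the pool (see the Restart-WebAppPool snippet above) or run iisreset before testing the administration page again.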
