Assume the following scenario:
- An NDES server is configured on the network.
- The NDES server is configured to work with a static password.
- When accessing the NDES administration web page (certsrv/mscep_admin), users are repeatedly prompted for authentication despite having correct credentials.
- The following event is stored in the application event log:
The Network Device Enrollment Service cannot create or modify the registry key "Software\Microsoft\Cryptography\MSCEP\EncryptedPassword". Grant Read and Write permissions on the registry key "Software\Microsoft\Cryptography\MSCEP" to the account that the Network Device Enrollment Service is running as.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.
The NDES service account must enter the static password into the registry, but is not authorized to do so. The registry for NDES is located within the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
The NDES service account requires read and write permissions to this registry key. They can be granted with the "Full Control" permission.
Provided that the NDES service runs with the identity of the IIS application pool, this can be entered with the following syntax:
IIS APPPOOL\SCEP
English 
Deutsch
5 thoughts on “Der Registrierungsdienst für Netzwerkgeräte (NDES) protokolliert die Fehlermeldung „The Network Device Enrollment Service cannot create or modify the registry key Software\Microsoft\Cryptography\MSCEP\EncryptedPassword.“”
Comments are closed.