The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error"

Assume the following scenario:

• An NDES server is configured on the network.
• When accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin), HTTP error 500 (Internal Server Error) is reported with error code 0x80004005.
• The events are No. 2 and No. 8 stored in the application event log:

The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

The Network Device Enrollment Service cannot retrieve information about the certification authority (0x80004005). Unspecified error

Possible cause: missing firewall rules

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

The error occurs, among other things, when the NDES server cannot communicate with the certification authority over the network. In this case, calling the mscep page also takes an unusually long time.

Network protocol	Destination port	Protocol
TCP	135	RPC Endpoint Mapper
TCP	49152-65535	RPC dynamic ports

Possible cause: missing permissions

The error also occurs if the service account under which NDES is running does not have the "Access this Computer from the network" permission on the certificate authority.

Related links:

• Required firewall rules for the Network Device Enrollment Service (NDES)
• Required Windows security permissions for the Network Device Enrollment Service (NDES)
• Overview of Windows events generated by the Network Device Enrollment Service (NDES).