The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified."

Assume the following scenario:

  • An NDES server is configured on the network.
  • HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
  • Event No. 2 is logged in the application event log:
    The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

The error "The system cannot find the file specified" usually indicates a problem with the registry configuration of the NDES server.

Under certain circumstances, Event #10 is also logged.

Possibility 1: Inconsistent registry

This error may occur if the registry of the NDES server is inconsistent, for example if the "EnforcePassword" registry value does not exist.

Possibility 2: No access to the EncryptedPassword registry value

Occurs only if the NDES server is configured to use a static password.

This error message occurs on an NDES server configured to use a static password when the NDES service account cannot access the NDES registry path and therefore cannot create the EncryptedPassword registry value.

Since the static password is stored in the registry, the NDES service account must be granted write permission to the MSCEP registry key.

The desired setting can be found in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

The permission to grant is "Full Control".

Provided that the NDES service runs under the identity of the IIS application pool (named SCEP in this example), the principal can be entered with the following syntax:

IIS APPPOOL\SCEP

If the NDES service account is a domain account, the "Load User Profile" option must also be enabled in the advanced settings of the IIS application pool.

Likewise, a user profile must exist, i.e. the NDES service account must log on to the NDES server interactively once so that the profile is created. This requirement also rules out the use of group-managed service accounts (gMSA) for operation with a static password.

This setting can also be set with the following Windows PowerShell command:

Set-ItemProperty IIS:\AppPools\SCEP -name processModel -value @{LoadUserProfile="true"}
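As an added example (not part of the original article), the following PowerShell script checks the MSCEP key for the EnforcePassword value described under possibility 1 and grants the application pool identity Full Control on the key as described under possibility 2. It assumes the application pool is named SCEP, as above, and an elevated session on the NDES server.

```powershell
# Added example: verify the MSCEP registry key and grant the NDES
# application pool identity Full Control so EncryptedPassword can be written.
# Assumptions: application pool named "SCEP" (as in the article), run elevated.

$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$identity = 'IIS APPPOOL\SCEP'

# Possibility 1: the key must exist and contain the EnforcePassword value
$key = Get-Item -Path $keyPath -ErrorAction Stop
if ($null -eq $key.GetValue('EnforcePassword')) {
    Write-Warning "EnforcePassword is missing under $keyPath (inconsistent registry)."
} else {
    Write-Output "EnforcePassword = $($key.GetValue('EnforcePassword'))"
}

# Possibility 2: grant the service identity Full Control on the MSCEP key,
# inherited by subkeys and values so the EncryptedPassword value can be created
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $identity,
    'FullControl',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow'
)
$acl.SetAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting access entry for the application pool identity
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Select-Object IdentityReference, RegistryRights, AccessControlType
```

After granting the permission, restart the SCEP application pool and check the application event log for a recurrence of Event No. 2.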
