Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)".

Assume the following scenario:

  • A Network Device Enrollment Service (NDES) server is being installed.
  • The installing account has the necessary permissions to install the role (local administrator, enterprise administrator).
  • The role configuration fails with the following error message:
Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Cause

This error does not occur on the NDES server, but on the certification authority. The NDES role configuration restarts the certification authority service during configuration.

The certification authority logs event no. 34, and the certification authority service does not start again after it has been stopped.

The error indicates that the certification authority can no longer bind its RPC port because the port has not yet been released. A typical suspect here is the key storage provider of the hardware security module (HSM).

Especially with Gemalto / SafeNet HSMs there is a known bug in some key storage providers that can trigger this behavior.

Workaround: Install NDES without role configuration wizard

The NDES role can be installed without the role configuration wizard. The conditions that can trigger the error described above then no longer apply. How to install NDES manually is described in the article "Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions". Please note that the method described there is not supported by the manufacturer, so you will not get product support if an error occurs.
