When calling the Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin), one is always prompted to log in.

Author Uwe GradeneggerPosted on Categories Network Device Registration Service (NDES), TroubleshootingTags ,

Assume the following scenario:

  • An NDES server is configured on the network.
  • The NDES server is called under a DNS alias.
  • Despite entering the correct login data, you are always prompted to log in again when you access the NDES administration web page (certsrv/mscep_admin).

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

Possible causes

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

The error occurs because authentication fails. Possible causes can be:

  • If a CNAME record is used as an alias for the NDES login page address, authentication fails when logging in to the NDES administration web page via Kerberos, i.e. the accessed address does not match the Service Principal Name (SPN). The solution in this case is to use an A-record instead of a CNAME.
  • If the NDES server uses a Domain account or a Group Managed Service Account (gMSA), kernel mode authentication must be disabled in IIS, otherwise the service tickets cannot be decrypted.

Related links:

2 thoughts on “Bei Aufruf der Network Device Enrollment Service (NDES) Administrations-Webseite (certsrv/mscep_admin) wird man immer wieder zur Anmeldung aufgefordert.”

  1. Pingback: Performing a functional test for the Network Device Enrollment Service (NDES) - Uwe Gradenegger
  2. Pingback: Configuring the Network Device Enrollment Service (NDES) for use with an alias - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish