HTTP Error 500 when testing Network Device Enrollment Service in Windows 2012 R2

  • Question

  • Hi,

    I have a problem with the implementation of SCEP from Network Device Enrollment Service Role in Windows Server 2012 R2.  Here is my setup:

    I have an Enterprise CA installed on a workgroup computer isolated from my network.  I have created a Subordinate CA as an Enterprise CA.

    The Subordinate CA distributes my certificate to all of the joined computers in the domain and works fine.  Now I need SCEP for Cisco ISE.  I decided to install the Network Device Enrollment Service on the already present Subordinate CA.  After installing the role, the SCEP account uses a domain user account and is a member of the IUSR_IIS group on the server.  I have created an SPN for the user, delegated the private keys of my SubCA server, created a template and added it for read and enroll rights.

    When I try the URL from the local SubCA server or another server (http://servername/certsrv/mscep_admin), with a domain admin and enterprise admin account or the SCEP user service account, I always receive an HTTP Error 500 and I receive 2 errors in the application log.

    First error: NetworkEnrollementDeviceService Error: 10

    The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057).  The parameter is incorrect.

    Second Error: NetworkEnrollementDeviceService Error: 2

    The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.

    I have tried to remove the role and re-install it many times, but I always receive the same HTTP Error 500.

    Steve Gauvin


    Wednesday, July 16, 2014 8:49 PM