I was struggling a little bit within my LAB trying to get the Network Device Enrollment Service (NDES) up and running again for the Simple Certificate Enrollment Protocol (SCEP), which is I believe not that simple, but anyway. I was really unsure what I did have changed (because I changed a lot in the last month within my LAB), that would have stopped the functionality of the Certificates to my devices, but I had a start point, the event log of the NDES Server told me the following:
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.
I knew that Pieter Wigleven did an excellent job on his blogs to configure System Center Configuration Manager (SCCM) with SCEP based on a Windows PKI and NDES: Find Blog here
So I checked the settings Pieter is mentioning on his blogs, I did also a lot of researching, but could not find a solution for this issue, but a lot of other people with this error.
Little frustrated, I began to work on my new WiFi Solution with VLAN and Multi-SSID. When I was trying to authenticate against my Radius with a Client Certificate, the Network Policy Server told me, that the Certificate Revocation List (CRL) could not be retrieved. I was quite sure, that I was able to download the CRL, and I double checked that. But I did not check the availability of the Delta CRL, which was visible on the web site, and when I finally tried to download this file, it failed. I then remembered myself, that I had some changes made on my public IIS, and I probably forgot to set the setting “Allow double escaping” (See this Link for explanation and configuration steps):
After enabling this, I was able to retrieve a Certificate through NDES again.
So if your NDES Server is throwing “The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.”, do not only check the certificates on the Server, check also the CRLs and DeltaCRLs!