{"id":2410,"date":"2016-11-28T16:47:28","date_gmt":"2016-11-28T14:47:28","guid":{"rendered":"http:\/\/blog.hosebei.ch\/?p=2410"},"modified":"2016-11-28T16:47:28","modified_gmt":"2016-11-28T14:47:28","slug":"configmgr-ndes-certificate-deployment-fails-due-to-network-device-enrollment-service-failure","status":"publish","type":"post","link":"https:\/\/blog.hosebei.ch\/?p=2410","title":{"rendered":"ConfigMgr &#8211; NDES Certificate Deployment fails due to Network Device Enrollment Service failure"},"content":{"rendered":"<p>I was struggling a little bit within my LAB trying to get the Network Device Enrollment Service (NDES) up and running again for the Simple Certificate Enrollment Protocol (SCEP), which is, I believe, not that simple, but anyway. I was really unsure what I had changed (because I changed a lot in the last month within my LAB) that would have stopped the functionality of the Certificates to my devices, but I had a starting point: the event log of the NDES Server told me the following:<br \/>\n<code>The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057).  The parameter is incorrect.<br \/>\nThe Network Device Enrollment Service cannot be started (0x80070057). 
The parameter is incorrect.<\/code><br \/>\n<a href=\"http:\/\/blog.hosebei.ch\/wp-content\/uploads\/2016\/11\/ndes01.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.hosebei.ch\/wp-content\/uploads\/2016\/11\/ndes01.png?w=256\" alt=\"Network Device Enrollment Service error\" width=\"256\" height=\"300\" class=\"aligncenter size-medium wp-image-2411\" srcset=\"https:\/\/blog.hosebei.ch\/wp-content\/uploads\/2016\/11\/ndes01.png 718w, https:\/\/blog.hosebei.ch\/wp-content\/uploads\/2016\/11\/ndes01-256x300.png 256w\" sizes=\"auto, (max-width: 256px) 100vw, 256px\" \/><\/a><br \/>\n<!--more--><\/p>\n<p>I knew that Pieter Wigleven did an excellent job on his blogs to configure System Center Configuration Manager (SCCM) with SCEP based on a Windows PKI and NDES: <a href=\"https:\/\/blogs.technet.microsoft.com\/tune_in_to_windows_intune\/2014\/04\/25\/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune\/\">Find Blog here<\/a><br \/>\nSo I checked the settings Pieter mentions on his blogs and also did a lot of research, but could not find a solution for this issue, only a lot of other people with this error.<br \/>\nA little frustrated, I began to work on my new WiFi Solution with VLAN and Multi-SSID. When I was trying to authenticate against my RADIUS with a Client Certificate, the Network Policy Server told me that the Certificate Revocation List (CRL) could not be retrieved. I was quite sure that I was able to download the CRL, and I double-checked that. But I did not check the availability of the Delta CRL, which was visible on the web site, and when I finally tried to download this file, it failed. 
I then remembered that I had made some changes on my public IIS, and I probably forgot to set the setting &#8220;Allow double escaping&#8221; (See this <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/dd379478(v=ws.10).aspx\" target=\"_blank\">Link<\/a> for explanation and configuration steps):<br \/>\n<a href=\"http:\/\/blog.hosebei.ch\/wp-content\/uploads\/2016\/11\/ndes02.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.hosebei.ch\/wp-content\/uploads\/2016\/11\/ndes02.png?w=300\" alt=\"enable double escaping\" width=\"300\" height=\"230\" class=\"aligncenter size-medium wp-image-2418\" srcset=\"https:\/\/blog.hosebei.ch\/wp-content\/uploads\/2016\/11\/ndes02.png 701w, https:\/\/blog.hosebei.ch\/wp-content\/uploads\/2016\/11\/ndes02-300x230.png 300w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\nAfter enabling this, I was able to retrieve a Certificate through NDES again.<br \/>\nSo if your NDES Server is throwing &#8220;The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057).  The parameter is incorrect.&#8221;, do not only check the certificates on the Server, <strong>also check the CRLs and DeltaCRLs!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was struggling a little bit within my LAB trying to get the Network Device Enrollment Service (NDES) up and running again for the Simple Certificate Enrollment Protocol (SCEP), which is, I believe, not that simple, but anyway. 
I was really unsure what I had changed (because I changed a lot in the last [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,12,15,33,35,36],"tags":[],"class_list":["post-2410","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-client-settings","category-configmgr","category-sccm","category-sccm-2012","category-setup"],"_links":{"self":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/2410","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2410"}],"version-history":[{"count":0,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/2410\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}