NDES mscep_admin page opens only with "localhost" hostname

Mohamed Roushdy 66 Reputation points
2022-12-27T11:18:22.617+00:00

Merry Christmas and Happy New Year :)

I'm new to NDES services, so thanks in advance for supporting me. I've deployed NDES, and both "/certsrv/mscep/mscep.dll" and "/certsrv/mscep_admin" work fine with "localhost" as the FQDN, but the latter URL refuses to open with the FQDN of the server (http://server.example.local/..........) and prompts for a login. I've tried both the SA account and another domain-admin account, but neither opens it, so I can't open the mscep_admin page from any remote servers. What exactly should I configure, please?

Regards

Windows Server 2019

4 answers

  1. Wesley Li-MSFT 931 Reputation points Microsoft Employee
    2022-12-29T07:39:35.38+00:00

    Hello @Mohamed Roushdy

    Thank you for posting in our Q&A forum.

    • Is there any error message when SA account and domain administrator account cannot open mscep_admin page?
    • Is there a related event log?

    Here are some similar cases for reference:
    https://social.technet.microsoft.com/Forums/en-US/558e4b6b-27cb-4a74-9e31-6edeb09ffd9f/ndes-401-unauthorized-access-is-denied-due-to-invalid-credentials
    https://knowledge.broadcom.com/external/article/155634/scep-server-shows-a-500-error-when-tryin.html

    Hope the above information can help you.

    Best Regards,
    Wesley Li

  2. Mohamed Roushdy 66 Reputation points
    2022-12-29T11:25:21.477+00:00

    Hello,

    I will double-check the event log. Though, I'm not prompted for credentials if I use "localhost" as the FQDN of the server, and the MSCEP_ADMIN page opens with no issues. Again, on the NDES server, if I navigate to "http://localhost/certsrv/mscep_admin" the page opens normally without asking me for credentials, and I can successfully retrieve the challenge password, but if I browse to the server with the FQDN "http://servername.domain.com/certsrv/mscep_admin" I'm asked to log in, and the credentials never work at all. So, if the MDM solution faces the same issue, it will never be able to retrieve the challenge password for end-point devices. Is this normal, or should it also log in normally with the FQDN? I saw a video of an MVP demonstrating this and he said that this behaviour is fine, but I need to be 100% sure I'm on the right track before handing over the environment, please :).


  3. Mohamed Roushdy 66 Reputation points
    2023-01-03T12:21:56.973+00:00

    Hello again,

    Thanks for trying to help, but I've managed to fix the issue by altering some advanced settings in IIS. Here's the blog I've referred to: https://www.gradenegger.eu/?p=145

    Problem Solved!

  4. Wesley Li-MSFT 931 Reputation points Microsoft Employee
    2023-01-09T07:08:43.707+00:00

    Hello

    Do you have any other questions?

    If the above reply is helpful to you, please mark it as answer.

    Thanks
