NDES installation fails

Akr ofly 256 Reputation points
2021-01-21T11:18:09.01+00:00

During the installation of NDES in a domain with windows 2012 r2 domain controllers, the NDES installation fails during the configuration stage.

The Error message is:
Failed to add the following certificate templates to the enterprise Active Directory Certificate Services or update security settings on those templates:
EnrollmentAgentOffline
CEPEncryption
IPSEC (Offline request)
Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
The NDES service account has all the necessary permissions and then some. The installer (yours truly) has maxed permissions.
I cannot seem to figure out what the problem is nor have I found sufficient information as to the cause or the possible solution.

What I have attempted (short of reinstalling the default templates):
► I have escalated the NDES service account's permissions via placing it in the enterprise admins group and by directly adding the account to the permissions ACL directly on the template object
► Uninstalled it and reinstalled the service

Any idea as to what is wrong is much appreciated.

Windows Server Security

Accepted answer
  1. Akr ofly 256 Reputation points
    2021-01-29T11:04:22.953+00:00

    I resolved the issue.
    Although this issue could be related to the lack of permissions, it was not the case here.

    I solved this issue by removing and re-importing the CA certificate under trusted root certification authorities on the NDES server.


4 additional answers

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-01-22T08:41:50.517+00:00

    Hello @Akr ofly ,

    Thank you for posting here.

    I tried to use a service account, and it failed. I then used the built-in domain Administrator account to deploy NDES successfully.

    You can try to use built-in domain Administrator account to deploy NDES to see if it helps.

    Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES)
    https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx

    Best Regards,
    Daisy Zhou


  2. The Other Other PKI Guy 1 Reputation point
    2021-01-22T19:44:25.117+00:00

    The stage where it is failing is when the call is made to publish the default templates you mentioned to the CA, and then stop / start the CA service. What permissions does the EA account or service account have on the CA (certsrv.msc) that was chosen as the target for NDES in the previous step?


  3. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-01-26T08:16:32.527+00:00

    Hello @Akr ofly ,

    Thank you for your update and patience.

    I took the time to deploy NDES in my test environment. Here are the detailed deployment steps for your reference (I use the built-in domain Administrator account instead of any service account).

    AD domain

    Domain name: fabrikam.com

    Enterprise root CA server is installed on one domain member server (CA2.fabrikam.com).

    It is an existing CA server: CA2.fabrikam.com

    Deploy NDES steps

    Step 1
    On the CA server, add the Domain Administrator account (fabrikam\Administrator) to the local IIS_IUSRS group.

    Step 2
    Give the built-in Domain Administrator the Read and Enroll permissions on the following three certificate templates.

    And issue the three certificate templates on the CA server.

    Step 3
    Install NDES on the same server as the CA server.

    1. Add the NDES role.

    2. Install NDES.

    3. Configure NDES.

    Step 4

    Access the mscep webpage in IE.
    http://ca2.b.local/certsrv/mscep/

    OR http://ca2/CertSrv/mscep_admin/

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  4. The Other Other PKI Guy 1 Reputation point
    2021-01-26T14:49:41.89+00:00

    The default permissions on the CA would grant the local server admins, admin rights on the CA as well if they have not been updated. The other permission issue can be the default permissions on the specified templates. The server hosting the CA must have at least read access to the templates. This can be through the Authenticated User group or via direct permissions on the templates.

    To rule out issues, can you logon to the CA and attempt to manually publish the templates to the CA?

    certutil -setcatemplates +CEPEncryption
    certutil -setcatemplates +EnrollmentAgentOffline
    certutil -setcatemplates +IPSECIntermediateOffline

    The first error you posted will be returned if the CA does not have access to read the template.

    Command when CA had no Read access to template:
    certutil -setcatemplates +EnrollmentAgentOffline
    EnrollmentAgentOffline: Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
    0: EnrollmentAgentOffline: Invalid Template
    CertUtil: -SetCATemplates command FAILED: 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
    CertUtil: Element not found.

    Command when CA had Read access to template:
    certutil -setcatemplates +EnrollmentAgentOffline
    0: EnrollmentAgentOffline: Adding
    CertUtil: -SetCATemplates command completed successfully.

    I get the same error you got
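The Read-access check this answer describes can be run directly against Active Directory before touching the CA. The following script is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that you run it as a user who can read the Configuration partition, and that the CA host name (`CA2` here) is replaced with your own. It reports, per template, whether the object is missing from AD or whether the CA's computer account (directly, via Authenticated Users, or via a direct group membership) lacks Read on it, which are the two situations certutil collapses into one ERROR_NOT_FOUND.

```powershell
# Added diagnostic for the template Read-permission cause; not code from the thread.
# Assumes the RSAT ActiveDirectory module and that $CaServer is your CA host (assumed name).
Import-Module ActiveDirectory

$CaServer  = 'CA2'                                  # assumed; change to your CA's host name
$Templates = 'EnrollmentAgentOffline', 'CEPEncryption', 'IPSECIntermediateOffline'

$configNC  = (Get-ADRootDSE).configurationNamingContext
$tplBase   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caSid     = (Get-ADComputer -Identity $CaServer).SID
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users

# Principals whose Allow ACEs satisfy the CA: its own account, Authenticated Users,
# and the groups it is a direct member of (nested group membership is not expanded here).
$principals = @($caSid, $authUsers) +
    (Get-ADPrincipalGroupMembership -Identity $caSid.Value | ForEach-Object { $_.SID })

$genericRead  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

function Test-TemplateRead {
    param([string]$Name)
    # certutil returns ERROR_NOT_FOUND both when the object does not exist and when the
    # CA cannot read it, so the two cases are separated explicitly.
    $obj = Get-ADObject -Filter "cn -eq '$Name'" -SearchBase $tplBase -SearchScope OneLevel
    if (-not $obj) { return [pscustomobject]@{ Template = $Name; Status = 'MissingInAD' } }

    $readable = (Get-Acl -Path "AD:\$($obj.DistinguishedName)").Access | Where-Object {
        if ($_.AccessControlType -ne 'Allow') { return $false }
        $who = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($principals -notcontains $who) { return $false }
        $r = $_.ActiveDirectoryRights
        # Accept full GenericRead, or ReadProperty that is not scoped to a single attribute
        (($r -band $genericRead) -eq $genericRead) -or
        ((($r -band $readProperty) -ne 0) -and $_.ObjectType -eq [guid]::Empty)
    }
    $status = if ($readable) { 'ReadOK' } else { 'NoReadForCA' }
    [pscustomobject]@{ Template = $Name; Status = $status }
}

$Templates | ForEach-Object { Test-TemplateRead -Name $_ } | Format-Table -AutoSize
```

A `NoReadForCA` row points at the template ACL described in this answer; if every row is `ReadOK` and the installer still fails, the accepted answer's root CA trust on the NDES server is the next thing to examine.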