NDES configuration fails

PKInoob88 101 Reputation points
2021-02-22T04:49:15.07+00:00

Hi all, I am trying to deploy NDES on a separate web server but keep failing at the configuration.

Failed to add the following certificate templates to the enterprise Active Directory Certificate Services or update security settings on those templates:
EnrollmentAgentOffline
CEPEncryption
IPSEC (Offline request)
Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)

I have added NdesAdmin & NdesService to be able to read and enroll for these templates. Both are part of the local IIS_IUSRS group in domain and locally. NdesAdmin is part of the Enterprise Admins group. Added the Enterprise CA's cert into the trusted root store (as suggested by someone else on this forum).

Do I have to add the NdesAdmin account to be able to add templates to the CA? (How can I do this if I need to?)

Thanks for your assistance in advance!

Active Directory

2 answers

  1. Daisy Zhou 21,046 Reputation points Microsoft Vendor
    2021-02-22T05:48:03.813+00:00

    Hello @PKInoob88 ,

    Thank you for posting here.

    We can refer to this similar case with marked answer.

    If it does not work, please also check the steps I provided in this link.

    NDES installation fails
    https://learn.microsoft.com/en-us/answers/questions/239902/ndes-installation-fails.html

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Daisy Zhou 21,046 Reputation points Microsoft Vendor
    2021-02-23T05:51:04.94+00:00

    Hello @PKInoob88 ,

    I find you used the following three templates (one is "EnrollmentAgent" certificate template).

    70897-ex2.png

    If so, we should use the following three templates.

    "Exchange Enrollment Agent (Offline Request)" certificate template instead of "EnrollmentAgent" certificate template
    "CEPEncryption" certificate template
    "IPSec (Offline Request)" certificate template

    70958-ex.png

    Q: Do I have to add the NdesAdmin account to be able to add templates to the CA? (How can I do this if I need to?)
    A: You can try to add the NdesAdmin account to be able to add templates to the CA to see if it helps.

    Best Regards,
    Daisy Zhou
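
A read-only check for the situation discussed in this thread, added here as an example and not code from the question or either answer: it looks up the three NDES templates in the AD configuration partition and reports whether each account holds a direct Read and Enroll ACE on them. It assumes the RSAT ActiveDirectory module, the account names from the question, and that `IPSECIntermediateOffline` is the CN behind the "IPSec (Offline Request)" display name.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module;
# nothing here modifies the directory.
Import-Module ActiveDirectory

# Template CNs: the first two are as shown in the error message; the third is
# assumed to be the CN behind the display name "IPSec (Offline Request)".
$templateCNs = 'EnrollmentAgentOffline', 'CEPEncryption', 'IPSECIntermediateOffline'
# Account names from the question; replace with your own.
$accounts = 'NdesAdmin', 'NdesService'
# Object GUID of the Certificate-Enrollment ("Enroll") extended right.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$rights = [System.DirectoryServices.ActiveDirectoryRights]

$configNC = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($cn in $templateCNs) {
    $tpl = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -Filter "cn -eq '$cn'" -Properties displayName
    if (-not $tpl) {
        Write-Warning "Template '$cn' does not exist under $base"
        continue
    }
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    foreach ($acct in $accounts) {
        # Direct Allow ACEs only; rights granted through groups are not resolved.
        $aces = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like "*\$acct"
        })
        $read = @($aces | Where-Object {
            ($_.ActiveDirectoryRights -band $rights::ReadProperty) -ne 0
        }).Count -gt 0
        $enroll = @($aces | Where-Object {
            (($_.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)
        }).Count -gt 0
        [pscustomobject]@{
            Template = $tpl.displayName; CN = $cn; Account = $acct
            Read = $read; Enroll = $enroll
        }
    }
}
```

A `False` in the Read or Enroll column only means there is no direct ACE for that account; check group memberships before changing the template ACL.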