I have reviewed all the permissions for the scep accounts (installation, service and user) but I still have something missing.
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect. Is the error, the IIS logs definitely show 2021-10-29 15:39:28 ::1 GET /certsrv/mscep/mscep.dll - 443 - ::1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 500 0 87 59
Permissions have been checked on the following:
on our CA server (not the same as the NDES server) the NDES server does not have the CA installed.
Admin acct that ran the Installation
• Must be part of the local administrators' group. yes as a member of 'DomainAdmins'
• Must be logged on locally when the installation of the Network Device Enrollment Service role is triggered. yes
• For setting up the service with an Enterprise CA, this user should have the following permissions as well.
o Must have Enroll permission on the "Exchange Enrollment Agent (Offline request)" and "CEP Encryption" templates. yes as a member of domain admins
o Must have permission to add templates to the selected CA. yes as a member of domainadmins
o Must be a member of the Enterprise Admins group (this is just required for installation and not for ongoing administration). yes as a member of enterprise admins
For the SCEP service account
o Must be a member of the local IIS Server's IIS_IUSRS group (this is an installer prerequisite). yes
o Must have Request permission on the configured CA. set this in ca mmc on the CA server and for good measure the ADCS was restarted
o I did the following Open CA Console -> Right Click CA -> Properties-> Security -> Add SCEP Service -> Given "Read" and "Request Certificates" permissions.
o Must be a domain user account and have Read and Enroll permissions on the configured templates. For more information about the configured template, see Configuring Templates for Device Enrollment. yes on both the exchange offline and the CEP templates
DeviceAdmin account (I tested this with both the accounts used above installation and the service account)
o If the service is configured with an Enterprise CA, the user must have Enroll permissions on all templates configured in the registry. yes
Im not sure what I am missing here