NDES - Error 12186 in ndesplugin.log
Are you trying to configure certificate deployment for mobile devices and run into the error 12186 in ndesplugin.log? This post might help you reach a solution.
The exact error shown in ndesplugin.log is:
Failed to send http request /CMCertificateRegistration/Certificate/VerifyRequest. Error 12186
This error occurs if the account under which NDES application pool runs may not have read permission to the client certificate's private key while doing https connection to the Certificate Registration Point (CRP).
In order to assign this permission connect to the NDES server and perform the next steps:
- Get the Unique Container Name of the NDES client certificate:
certutil -VerifyStore My
The container will be listed as something similar to this:
Key Container = fc9b3ab746d7b0739ae8c6c0468e0eb5_6de86d88-a02c-4b33-91b0-43d27ebe455b - Check the location of the certificate by matching the unique container name acquired at step 1 with the filenames, on Windows Server 2012 R2 check this location:
%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys
(these certs will be hidden, use ATTRIB or adjust Explorer to show hidden files.) - Run the icacls.exe command line tool to grant R (Read) permission for the NDES user account (DOMAIN\User). Make sure you adjust the filename starting with fc9b3……
iCacls.exe %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys\fc9b3ab746d7b0739ae8c6c0468e0eb5_6de86d88-a02c-4b33-91b0-43d27ebe455b /grant DOMAIN\User:R
Restart the NDES server and you should not get the same error. Please consider leaving a reply in case this post helped you.
Comments
- Anonymous
October 23, 2017
Cheers, it helped me out.However the key container started with te-intunendesssl and did not find it in the machinekey list. i did a backup of all old keys and restarted the server and only one showed up after that and ran icacls on that file and it seemed to sort out the issue. perhaps it could help anyone else with the same issue I had