NDES Cannot Retrieve Certificates

i'm pulling hair out trying ndes working on server 2012.  i tried normal install following guides , didn't work.  then removed , reinstalled role trying take account every "fix" searching found.

created service account (ndes).  i (temporarily) made ndes account enterprise admin member of iis_usr group.  i logged in ndes account , used install ndes role.  i see in local machine personal store 2 mscep-ra certificates.  both have enhanced key usage = certificate request agent. 1 has key usage = key encipherment (20) , 1 = digital signature (80).  both certificates show private keys installed , made sure ndes account has full control permission on them.  the ndes account has full control on mscep registry tree.  enforcepassword=1.  certsinmystore=1.   i've tried scep application pool set load user profile = true , false.  i set request filtering allow len , bytes = 65534.

no matter try, going http://[server]/certsrv/mscep_admin results in event log entry:  "event id 10: network device enrollment service cannot retrieve 1 of required certificates (0x80070057). parameter incorrect."


help... please...
 

hello,

have seen https://social.technet.microsoft.com/forums/windowsserver/en-us/6ca9e9bf-41f2-4743-ba99-80a6a259a80e/server-2012-error-505-on-httplocalhostcertsrvmscepadmin?forum=winserversecurity , http://blogs.technet.com/b/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx

if maybe more ca , certificate related better ask in https://social.technet.microsoft.com/forums/windowsserver/en-us/home?forum=winserversecurity

---

best regards

meinolf weber

mvp, mcp, mcts

microsoft mvp - directory services

my blog: http://blogs.msmvps.com/mweber

disclaimer: posting provided no warranties or guarantees , confers no rights.

twitter:  

Windows Server  >  Windows Server General Forum