You do not have sufficient permission to enroll with SCEP

Hello

It's Rafal Sosnowski from Microsoft Dubai Security PFE Team. Today I want to talk about common error that can appear when browsing NDES webpage in order to obtain OTP (One Time Password).

NDES (Network Device Enrollment Service) is an implementation of Simple Certificate Enrollment Protocol (SCEP) used to enroll certificates to the network devices. It works as a proxy to Certification Authority (CA). So if you need certificates for your routers/switches or mobile devices you would go for NDES implementation.

When accessing the ndes/certsrv/mscep_admin webpage as a person who manages network devices in the enterprise (commonly called Device Admin) you get an error:

“You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.”

First step of troubleshooting is to enable debugging on NDES server (not on CA) by executing the command:

certutil –setreg Enroll\Debug 0xffffffe3

and then reset the IIS. We reproduce the error and review the log which will be placed in the C:\Users\app_pool_account\mscep.log

If you configure NDES application pool with some build-in account (for example Local system/Local service) you might find the log in the C:\Windows directory.

In the log we can see error indicating that we do not have permissions to “IPSec (Offline Request)” template (IPSECIntermediateOffline)

0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED): IPSECIntermediateOffline

By default, NDES uses 3 certificate templates:

CEP Encryption – used by network devices to encrypt the request and pass it to NDES. Certificate is stored in computer personal store on NDES server.

Exchange Enrollment Agent (offline request) - used to request certificates on behalf of another subject and supply the subject name in the request. Certificate is stored in computer personal store on NDES server.

IPSec (Offline Request) – used to generate certificate for network device. Certificate is stored in CA database and on network device.

So we check the certificate templates (certtmpl.msc) and verify that:

1. Device Admin user has Read and Enroll permission
2. Application Pool Account used in IIS has Read and Enroll permission

We can also check if Application Pool Account has also Read and Enroll permission on “CEP Encryption” and “Exchange Enrollment Agent (offline request)” templates. However, in this case this is not main cause.

Hmm. so we have all required permissions but still getting an error “Access Denied” to IPSECIntermediateOffline template.

By default, Server Manager installs and configures NDES with Classic Application Pool:

Solution is to change the type of SCEP Application Pool in IIS console from Classic to Integrated.

After that you will be able to obtain One Time Password for your network devices.

Alternative solution is to uninstall ASP.Net 4.5 form the NDES Server as it seems to cause some compatibility issues with NDES ISAPI filter.

NDES server in this scenario is installed on separate machine than Certification Authority and both servers are running Windows Server 2012 R2.