BlockID Windows Passwordless – Troubleshooting steps for NDES & CA

Modified on Thu, 23 Nov, 2023 at 3:40 AM

Introduction


This article describes the procedure for troubleshooting errors that occur during user enrollment while SCEP configuration is enabled.


Step 1: Validate AD broker logs 

  • AD Broker logs show the detailed flow of SCEP-enabled user enrollment.
  • Every successful enrollment displays the ScepEnroll success message.
  • Success scenario logs
    • ScepEnroll challenge url: http://xx.xx.xx.xx/CertSrv/mscep_admin agent: ndes
    • ScepEnroll ntlm getPassword success
    • ScepEnroll success returning payload.
    • ScepEnroll pkiStatus=SUCCESS AD server returned a certificate
  • Failure scenario logs
    • NTLM GetPassword returned bad password, verify SCEP agent password/configuration
    • ScepEnroll challenge url: http://xx.xx.xx.xx/CertSrv/mscep_admin agent: ndes
    • getEntries ScepEnroll failed: NTLM GetPassword returned bad password, verify SCEP agent password/configuration


Step 2: Validate the NDES server event logs

  • Open the Server Manager window on the NDES server 
  • Navigate to Tools > Event Viewer  
  • Windows Logs > Application > Filter Current Log > Event sources: "NetworkDeviceEnrollmentService"



  • Click OK 
  • Check if any errors are present in the event log 

  • Failure Scenario log 
    • The Network Device Enrollment Service cannot retrieve information about the certification authority (0x80004005). Unspecified error 
    • The Network Device Enrollment Service cannot be started (0x80070057) 

Step 3: Validate connectivity between the NDES server and the CA server.

  • Open a command prompt as administrator on the NDES server
  • Type certutil -ping {ca-hostname} and press Enter
  • Verify that connectivity exists between the NDES server and the CA server
  • Failure scenario logs
    • ERROR_ACCESS_DENIED 


    • RPC_S_SERVER_UNAVAILABLE



Step 4: Validate that the mscep_admin website is running in IIS.

  • Open the Server Manager window on the NDES server 
  • Tools > Internet Information Services (IIS) Manager
  • Sites > Default Web Site  
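As an added example (not code from the original article or from BlockID), the following PowerShell script runs the checks from Steps 2 to 4 in one pass from an elevated prompt on the NDES server. The $CaHostname parameter is an assumed placeholder, and the IIS application path /CertSrv/mscep_admin is taken from the challenge URL shown in Step 1.

```powershell
# Added example: automates Steps 2-4 of this article on the NDES server.
# $CaHostname is a placeholder; pass your CA's hostname when running the script.
param(
    [Parameter(Mandatory)][string]$CaHostname
)

# Step 2: newest NetworkDeviceEnrollmentService events from the Application log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'NetworkDeviceEnrollmentService'
} -MaxEvents 20 -ErrorAction SilentlyContinue
$errors = $events | Where-Object { $_.Level -le 2 }   # Level 1 = Critical, 2 = Error
if ($errors) {
    Write-Warning "NDES logged $(@($errors).Count) error event(s):"
    $errors | ForEach-Object { Write-Warning ("  {0}  {1}" -f $_.TimeCreated, $_.Message) }
} else {
    Write-Host "No NDES error events found in the Application log."
}

# Step 3: RPC/DCOM connectivity to the CA. A non-zero exit code from certutil
# corresponds to failures such as ERROR_ACCESS_DENIED or RPC_S_SERVER_UNAVAILABLE.
$ping = & certutil.exe -ping $CaHostname 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -ping $CaHostname failed:`n$($ping -join "`n")"
} else {
    Write-Host "CA $CaHostname answered certutil -ping."
}

# Step 4: Default Web Site must be started and must host the mscep_admin application.
Import-Module WebAdministration
$site = Get-Website -Name 'Default Web Site'
$app  = Get-WebApplication -Site 'Default Web Site' |
        Where-Object { $_.path -ieq '/CertSrv/mscep_admin' }
if (-not $site -or $site.State -ne 'Started') {
    Write-Warning "Default Web Site is not started (state: $($site.State))."
} elseif (-not $app) {
    Write-Warning "Application /CertSrv/mscep_admin was not found under Default Web Site."
} else {
    Write-Host "mscep_admin is present (application pool: $($app.applicationPool))."
}
```

Run it as .\Check-Ndes.ps1 -CaHostname <your-ca-hostname>; any warning it prints maps directly to the failure scenario of the corresponding step above.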


Step 5: Validate the NDES service account permissions on the Smartcard Logon template.

  • Open the Server Manager window on the NDES server 
  • Tools > Certification Authority
  • Right-click Certificate Templates > Manage



  • Smartcard Logon Properties > Security  
