P.7ce77903-00e7-432b-a91b-ff918ec70731 { MARGIN: 0cm 0cm 0pt } LI.7ce77903-00e7-432b-a91b-ff918ec70731 { MARGIN: 0cm 0cm 0pt } DIV.7ce77903-00e7-432b-a91b-ff918ec70731 { MARGIN: 0cm 0cm 0pt } TABLE.7ce77903-00e7-432b-a91b-ff918ec70731Table { MARGIN: 0cm 0cm 0pt } DIV.Section1 { page: Section1 } P.a60b2ef1-d250-425f-a84f-c5663c2449c9 { MARGIN: 0cm 0cm 0pt } LI.a60b2ef1-d250-425f-a84f-c5663c2449c9 { MARGIN: 0cm 0cm 0pt } DIV.a60b2ef1-d250-425f-a84f-c5663c2449c9 { MARGIN: 0cm 0cm 0pt } TABLE.a60b2ef1-d250-425f-a84f-c5663c2449c9Table { MARGIN: 0cm 0cm 0pt } DIV.Section1 { page: Section1 }

I have an existing MS CA running on Server 2008 R2 SP1 with CA and Web Enrollment role services enabled.  We have used this CA extensively with great success for several years, and nothing has changed with that.  We are implementing an NDES server now to facilitate a MaaS360 deployment, and I'm having trouble completing the NDES role service configuration.  I went through all of the pre-reqs (i.e., http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx), and got part way through the Installation but had overlooked the IIS_IUSRS group.  I fixed that and double checked all the remaining  pre-reqs;   SCEPAdmin         member of local and domain administrators group

                                Enroll permission on the "Exchange Enrollment Agent (Offline request)" template Enroll permission on the "CEP Encryption" template

Permissions to add templates to myCA

                                member of the Enterprise Admins group

SCEPSvc               member of the local IIS Server's IIS_IUSRS group

                                Request permission on myCA

                                domain user account and have Read and Enroll permissions on the configured templates                                 Setspn (not required since single NDES server)                                 Disable IIS Kernel-mode Authentication (not required since single NDES server)   Now every time I launch the AD CS Role Services wizard I can confirm the SCEP Admin credentials (and that is who I am logged in as), but the next screen to Select the Role Services (i.e., NDES) never un-grey's so I can make a selection.  The new NDES server with the error above is Server 2012 R2 Standard.   From the link above I have already checked the CRL list, and it is current.  Server manager loads successfully.  The issuing CA is online, the "Exchange Enrollment Agent (Offline request)", and "CEP Encryption" templates exist on the CA.  SCEPAdmin is a member of the Enterprise Administrator group.   When I launch http://cskndes01.our-firm.com/certsrv/mscepadmin/ and provide SCEPAdmin credentials I get http 500.0 When I query for the web.config file, all the copies are located under c:\windows\WinSXS... so I am assuming those aren’t the file I should edit as suggested on the http 500 page above.   Any thoughts or suggestions would be greatly appreciated.  

Keith D. Beahm | Messaging and Storage Architect | Stinson Leonard Street LLP
1201 Walnut Street, Suite 2900 | Kansas City, MO 64106-2150
T: 816.691.3374 | M: 816.808.8983 | F: 816.412.1022
kbeahm@xxxxxxxxxxxxxxxx | www.stinson.com

This communication (including any attachments) is from a law firm and may contain confidential and/or privileged information.  If it has been sent to you in error, please contact the sender for instructions concerning return or destruction, and do not use or disclose the contents to others.