SOLVED

NDES certificate problem


Hello,

 

I set up the environment used with this guide: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri...

 

Everything seems ok, NDES check tool (https://docs.microsoft.com/en-us/troubleshoot/mem/intune/verify-ndes-configuration) did not find any error.

 

However, on NDES server, C:\Program Files\Microsoft Intune\NDESPolicyModule\Logs\NDESPlugin.log shows the following errors:

 

Calling VerifyRequest ...

Sending request to certificate registration point...

Failed to retrieve client certificate. Error -2147024809

Exiting VerifyRequest with 0x80070057

 

On NDES server, Application log for NetworkDeviceEnrollmentService doesn't show any error/warning

 

How next?

 

Thank you for your help!

KR,

Zoltan

5 Replies

Hi @IstvanffyZ,

 

please use the scripts provided in the following article to verify your NDES infrastructure first:
https://docs.microsoft.com/de-de/troubleshoot/mem/intune/verify-ndes-configuration

 

The scripts will provide helpful output when something is not configured correctly.

 

The error you provided can have many causes and we do not know your environment so unfortunately helping will be difficult with only this error message. :)

 


Hello @BenKrah 

 

as you can read, I used that validation script (no error).

 

Is there any detailed log option about NDES server?

 

Kr,

Zoltan

Best Response confirmed by IstvanffyZ (Occasional Contributor)
Solution

@IstvanffyZ sorry, I missed that.

 

From my point of view the NDES logs are not useful.

The error value 0x80070057 points to "Incorrect parameter". So it seems as if either the request is malformed or the certificate template is incorrectly configured. 


@BenKrah thank you for your suggestion, finally it works.

 

The problem was on NDES server's registry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\GeneralPurposeTemplate was not set to the correct certificate template name.

 

After I set the cert template name and rebooted the NDES server, it started to work correctly.

 

NDESplugin.log shows:

Calling VerifyRequest ...

Sending request to certificate registration point...

Verify challenge returns true...

Exiting VerifyRequest with 0x0

 

Regards,

Zoltan
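
The check that resolved this thread, as an added PowerShell example that is not part of the original posts: it decodes the HRESULT from NDESPlugin.log and compares the MSCEP template values with the expected template name. `$ExpectedTemplate` is a placeholder, `Convert-HResult` is a helper named here for illustration, and `SignatureTemplate` and `EncryptionTemplate` are the sibling values under the same key, which the thread does not mention.

```powershell
# Added example; run in an elevated PowerShell session on the NDES server.
$ExpectedTemplate = '<YourNdesTemplateName>'   # placeholder: the template's name in your CA
$MscepKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$PluginLog = 'C:\Program Files\Microsoft Intune\NDESPolicyModule\Logs\NDESPlugin.log'

function Convert-HResult {
    # Splits an HRESULT into facility and code and, for Win32 errors, adds the system message.
    param([Parameter(Mandatory)][int]$Value)
    $code     = $Value -band 0xFFFF                 # low 16 bits: error code
    $facility = ($Value -shr 16) -band 0x1FFF       # facility 7 = Win32
    $text = if ($facility -eq 7) {
        ([System.ComponentModel.Win32Exception]::new($code)).Message
    } else { 'n/a (not a Win32 facility code)' }
    [pscustomobject]@{
        Hex = '0x{0:X8}' -f $Value; Facility = $facility; Code = $code; Message = $text
    }
}

# The two numbers in the failing log are the same value: -2147024809 is 0x80070057.
Convert-HResult -Value (-2147024809)

# Decode every non-zero VerifyRequest exit code found in the plugin log.
if (Test-Path -LiteralPath $PluginLog) {
    Select-String -LiteralPath $PluginLog -Pattern 'Exiting VerifyRequest with (0x[0-9A-Fa-f]+)' |
        ForEach-Object { [Convert]::ToInt32($_.Matches[0].Groups[1].Value, 16) } |
        Where-Object { $_ -ne 0 } | Sort-Object -Unique |
        ForEach-Object { Convert-HResult -Value $_ }
}

# Compare the configured NDES templates with the expected template name.
$props = Get-ItemProperty -Path $MscepKey -ErrorAction Stop
foreach ($name in 'GeneralPurposeTemplate', 'SignatureTemplate', 'EncryptionTemplate') {
    [pscustomobject]@{
        RegistryValue   = $name
        Configured      = $props.$name
        MatchesExpected = ($props.$name -eq $ExpectedTemplate)
    }
}
```

In the thread, the mismatch was in `GeneralPurposeTemplate`, and the poster rebooted the NDES server after correcting it.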

 


Hi Zoltan,

 

thanks for the feedback - I did expect that in some way. :)

I had this topic with a colleague some time ago and missed this configuration as well - the Microsoft KB article is complete in content, but difficult to read.. ;)