access denied

6 Topics

# Common Network Device Enrollment Service (NDES) configuration wizard failures
Hey all! Rob Greene here. We see cases around Network Device Enrollment Service (NDES) failing to successfully complete. Please keep in mind that you can get these error messages outside of an NDES installation; however, we are not going to be covering those errors within this blog. This blog assumes that everything is working fine in general with regards to issuing certificates within the environment, but the NDES configuration wizard is failing.

The errors customers encounter most often are:

- Access Denied
- RPC Communication
- AD CS Service Stop / Start

## Access Denied Message

The first error message is the dreaded Access Denied error message while running through the wizard, like the one below, or, if looking at the deployment operational log (Event Viewer\Application and Services Logs\Microsoft\Windows\CertificateServices-Deployment\Operational):

```
Log Name: Microsoft-Windows-CertificateServices-Deployment/Operational
Source: Microsoft-Windows-CertificateServices-Deployment
Date: [Date/Time]
Event ID: 104
Level: Error
User: [DOMAIN\USER]
Computer: [NDES Computer Name]
Description:
System.Exception: System.Exception: CMSCEPSetup::InitializeDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
   at Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.Provider.PowerShellCommandExecutor.Execute(Command command, IPowerShellEngine powerShellEngine, IRehydrator rehydrator)
   at Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.Provider.PowerShellExecutablePR`2.ExecuteCommand(CommandParameter[] parameters)
   at Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.Provider.NDES.Operations.Initialize.Execute(PostConfigurationTaskData taskData)
   at Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.Provider.AsyncOperationP`1.DoWork(Object sender, DoWorkEventArgs eventArgs)
```

Several tasks happen when going through the configuration wizard, and most of them require an elevated account. Because of this elevation requirement, an Access Denied during configuration means that the account running the wizard does not have the required permissions. Here is the list of tasks that are done:

1. Modify the permissions on the certificate template named IPSec (Offline request). The wizard adds the Application Pool Identity account specified in the NDES configuration wizard with Enroll permissions on the template. To check this, use the CertTmpl.msc console while logged in as the account used to run the NDES configuration wizard and try to set Enroll permissions on the template. Was it able to successfully set permissions on this template?
2. Modify the CertificateTemplates attribute on the CA's pKIEnrollmentService object. The object is in the Configuration partition (CN=CA NAME,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Forest Root Domain) of the CA it is targeting. The following template names are added to the CertificateTemplates attribute: IPSECIntermediateOffline, CEPEncryption, and EnrollmentAgentOffline. To check this, use the CertSrv.msc console on the CA computer while logged in as the account used to run the NDES configuration wizard and try to add these templates to the CA. Was it able to successfully add the templates to the CA?
3. Stop and start the Active Directory Certificate Services service on the certification authority (CA) computer. To check this, from the NDES server use the Services.msc console and try to restart the AD CS service while logged in as the account used to run the NDES configuration wizard. Was it able to stop and start the AD CS service?

If any of these tasks fail, you will see the Access Denied error message. So, the first thing to check is that the account used to run the NDES configuration wizard can do each of these tasks independently of the wizard.

## How RPC communications work

Remote Procedure Call (RPC) has two components.

- Endpoint Mapper: The endpoint mapper listens on port TCP 135. Its purpose is to keep a database of each RPC-based application (identified by UUID) and the high / ephemeral port that application is listening on.
- RPC application / DCOM application: When a DCOM or RPC-based application starts up, it finds an available high port (also known as an ephemeral port), typically in the range 49152–65535. Once it finds a port, it registers its UUID and that port with the RPC Endpoint Mapper.

When an RPC / DCOM client application wants to connect to the RPC / DCOM application, it first contacts the RPC Endpoint Mapper and asks for the port number of the application identified by that UUID. The endpoint mapper looks this up and returns the high port the RPC / DCOM application registered. The RPC / DCOM client application then attempts to connect to the high port given to it by the RPC endpoint mapper.

For more information on RPC and how it works, see: https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/rpc-errors-troubleshooting

## The RPC server is unavailable (RPC_S_SERVER_UNAVAILABLE) – 0x800706ba / 1722

When not an Access Denied, this is the other error most often seen when running the configuration wizard: the "The RPC Server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)" dialog box. The event log entry for this is going to look something like the below:

```
Log Name: Microsoft-Windows-CertificateServices-Deployment/Operational
Source: Microsoft-Windows-CertificateServices-Deployment
Date: [Date/Time]
Event ID: 104
Level: Error
User: [DOMAIN\USER]
Computer: [NDES Computer Name]
Description:
Microsoft.CertificateServices.Deployment.Common.NDES.NetworkDeviceEnrollmentServiceSetupException: Microsoft.CertificateServices.Deployment.Common.NDES.NetworkDeviceEnrollmentServiceSetupException: The Network Device Enrollment Service setup failed because certification authority (CA) "[CA COMPUTERNAME]\CA NAME" could not be contacted. Make sure that the CA is properly configured and available. The error is: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
   at Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.Provider.PowerShellCommandExecutor.Execute(Command command, IPowerShellEngine powerShellEngine, IRehydrator rehydrator)
   at Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.Provider.NDES.NDESPSHProviderContext.Validate()
   at Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.Provider.NDES.Operations.SetCAConfiguration.Execute(CAConfigurationParameters caInformationParameter)
   at Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.DeploymentWizard.Common.ViewModels.CAConfigurationViewModel.Validate()
```

This type of error comes from a few different scenarios.

### DCOM permissions / hardening mismatch

Run the following command from the NDES server, targeting the specific CA the NDES server will be a proxy for. If you get back Access Denied, then you will have problems with DCOM permissions. With a CA computer name of fab-rt-rootca01.fabrikam.com and a CA name of Fabrikam Root CA1 G2:

```
CertUtil -Config "fab-rt-rootca01.fabrikam.com\Fabrikam Root CA1 G2" -ping
```

This can be caused by the DCOM hardening setting being mismatched between the NDES server and the certification authority. See the following KB: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414), https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

### Ports being blocked by firewalls

A firewall (hardware-based or software-based) is preventing RPC / DCOM communications between the NDES server and the server running the Certification Authority service. To see if this is an issue, run the following CertUtil.exe command (again with a CA computer name of fab-rt-rootca01.fabrikam.com and a CA name of Fabrikam Root CA1 G2):

```
CertUtil -Config "fab-rt-rootca01.fabrikam.com\Fabrikam Root CA1 G2" -ping
```

When things are correct you should see output like this:

```
Connecting to fab-rt-rootca01.fabrikam.com\Fabrikam Root CA1 G2 ...
Server "Fabrikam Root CA1 G2" ICertRequest2 interface is alive (437ms)
CertUtil: -ping command completed successfully.
```

If this fails with "The RPC Server is unavailable (0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE))", then connectivity from the NDES server to the certification authority needs to be investigated. While running the above CertUtil command, get double-sided network traces, meaning you run a network tracing tool on the NDES server and on the certification authority at the same time. Look in the resulting traces and see whether the traffic to the required ports is leaving the NDES server and successfully reaching the certification authority server.

## Service Control Manager times out waiting for the AD CS service to stop and start

As stated earlier, the NDES configuration wizard needs to be able to successfully stop and start the AD CS service on the certification authority server. Even if you can stop and start the service, you can still fail to configure NDES if the AD CS service cannot be stopped and started within a 30-second window. NDES stops and starts the service via the Service Control Manager (SCM) APIs. If you have ever attempted to stop/start a service and noticed it does not stop/start quickly, you might see a message stating that Service Control Manager cannot tell you whether the service was successfully stopped/started, as it did not report back in a timely fashion. SCM will only wait 30 seconds for the service to return the status of the stop/start command it sent; when the service takes longer than 30 seconds, SCM stops tracking it. NDES first sends the stop command to SCM for AD CS, then uses SCM to find out when the service has successfully stopped. It then sends the start command to SCM for AD CS and again uses SCM to find out when the service has successfully started.

We typically see this fail in the following two scenarios:

1. The AD CS service uses a Hardware Storage Module (HSM), and the AD CS service does not start quickly because it requires the use of Operator Cards or communication with the HSM is latent.
2. The AD CS service just takes a long time to stop and start. This typically happens because an AD CS auditing setting was enabled on the certification authority: "Start and stop Active Directory Certificate Services". To turn it off:
   - Launch CertSrv.msc.
   - Right-click the CA's computer object and select Properties.
   - Click the Auditing tab.
   - Uncheck "Start and stop Active Directory Certificate Services".
   - Click the OK button.
   - In an elevated command prompt, type: Net Stop CertSvc & Net Start CertSvc

Depending on how long the service takes to stop and start with either or both of these issues, the Service Control Manager (SCM) can be configured to wait longer than the default 30 seconds. See this wiki content: Event ID 7011: Service Timeout - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

### Increase the service timeout period for Service Control Manager (SCM)

The Service Control Manager will generate an event if a service does not respond within the defined timeout period (the default timeout period is 30000 milliseconds). To resolve this problem, use the Registry Editor to change the default timeout value for all services. To perform this procedure, you must have membership in the Administrators group, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data.

To change the service timeout period:

1. Click the Start button, then click Run, type regedit, and click OK.
2. In the Registry Editor, click the registry subkey HKLM\SYSTEM\CurrentControlSet\Control.
3. In the details pane, locate the ServicesPipeTimeout entry, right-click that entry and then select Modify. Note: If the ServicesPipeTimeout entry does not exist, you must create it by selecting New on the Edit menu, followed by DWORD Value, then typing ServicesPipeTimeout and pressing Enter.
4. Click Decimal, enter the new timeout value in milliseconds and then click OK.
5. Restart the computer.

If you have one of these errors, I hope this was helpful in determining what was going on and helped resolve the issue for you.

# Teams email fwding: Access to Sharepoint is denied
I'm getting the above Outlook response from forwarding an email to a Team email address. Persists whether or not there is an attachment and between teams in the group. Any help is appreciated!

"Could not create the email message on Microsoft Teams: Access to SharePoint site has been denied."

# Sharing a Sharepoint folder to Anyone (no Microsoft Sign In Required)
Hi there, I'm the admin for my Sharepoint site and I'd like to create a link to a folder for Anyone to access, without needing to sign into a Microsoft account. I have changed the settings to Anyone (see screenshot below); however, access is still being denied to those who don't have a login. Can anyone help me figure out why that's happening? Many thanks!

# Tips and Tricks in using mysqldump and mysql restore to Azure Database for MySQL
While importing data into Azure Database for MySQL, errors may occur. This blog walks through common issues that you may face and how to resolve them.

## Access denied; you need (at least one of) the SUPER privilege(s) for this operation

Error:

```
ERROR 1227 (42000) at line 101: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
Operation failed with exitcode 1
```

Issue: Importing a dump file that contains definers will result in the above error. Only super users can create objects with a definer in another account's name, and because Azure Database for MySQL is a managed PaaS solution, the SUPER privilege is restricted.

Solution: Either replace the definers with the name of the admin user that is running the import process, or remove them. The admin user can grant the privileges needed to create or execute procedures with the GRANT command, as in the following examples:

```sql
GRANT CREATE ROUTINE ON mydb.* TO 'someuser'@'somehost';
GRANT EXECUTE ON PROCEDURE mydb.myproc TO 'someuser'@'somehost';
```

Example. Before:

```sql
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`root`@`127.0.0.1`*/ /*!50003 ……
DELIMITER ;
```

After:

```sql
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`AdminUserName`@`ServerName`*/ /*!50003 ……
DELIMITER ;
```

## Importing triggers while binary logging is enabled

Error:

```
ERROR 1419 (HY000) at line 101: You do not have the SUPER privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)
Operation failed with exitcode 1
```

Issue: Importing a dump file that contains triggers will result in the above error if binary logging is enabled.

Solution: To mitigate the issue, enable the server parameter log_bin_trust_function_creators from the Azure portal parameters blade.

## Storage engine not supported

Error:

```
ERROR 1030 (HY000) at line 114: Got error 1 from storage engine
Operation failed with exitcode 1
```

Issue: You will see the above error when you use a storage engine other than InnoDB and MEMORY.
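The definer rewrite above and the ENGINE=InnoDB swap this post recommends are both mechanical edits, but a real dump contains thousands of them, so hand-editing is error-prone. The following Python script is an added example, not code from this post or from any Microsoft or MySQL tooling: it rewrites every DEFINER clause to the importing admin account (or strips it), replaces any ENGINE= value other than InnoDB and MEMORY with InnoDB, and reports ROW_FORMAT=COMPRESSED tables whose KEY_BLOCK_SIZE is below the 8 this post requires. The function names, the Report class and the SAMPLE_DUMP fragment are my own constructions.

```python
"""Preprocess a mysqldump file before importing it into Azure Database for MySQL.

Hypothetical helper written for this example; it is not part of the post,
of mysqldump, or of any Microsoft tooling. It applies the post's two
mechanical fixes to every line of a dump and adds one check:
  * DEFINER clauses are rewritten to the importing admin account (so no
    SUPER privilege is needed) or stripped entirely,
  * ENGINE= values other than InnoDB and MEMORY become ENGINE=InnoDB,
  * ROW_FORMAT=COMPRESSED tables with KEY_BLOCK_SIZE below 8 are reported.
"""
import re
from dataclasses import dataclass, field

# mysqldump emits definers either inside a versioned comment
# (/*!50017 DEFINER=`root`@`127.0.0.1`*/) or inline in CREATE VIEW/TRIGGER.
DEFINER_COMMENT_RE = re.compile(r"/\*!\d{5} DEFINER=`[^`]*`@`[^`]*`\s*\*/\s?")
DEFINER_RE = re.compile(r"DEFINER=`[^`]*`@`[^`]*`")
DEFINER_STRIP_RE = re.compile(DEFINER_RE.pattern + r"\s*")
ENGINE_RE = re.compile(r"\bENGINE=(\w+)", re.IGNORECASE)
ROW_FORMAT_RE = re.compile(r"\bROW_FORMAT=COMPRESSED\b", re.IGNORECASE)
KEY_BLOCK_RE = re.compile(r"\bKEY_BLOCK_SIZE=(\d+)", re.IGNORECASE)

SUPPORTED_ENGINES = {"innodb", "memory"}  # the two engines the post names


@dataclass
class Report:
    definers_rewritten: int = 0
    engines_replaced: int = 0
    warnings: list = field(default_factory=list)


def rewrite_dump(text, admin_user, admin_host, strip_definers=False):
    """Return (rewritten_dump, Report). admin_user/admin_host identify the
    account that will run the import, e.g. AdminUserName / ServerName."""
    report = Report()
    out = []

    def replace_engine(match):
        if match.group(1).lower() in SUPPORTED_ENGINES:
            return match.group(0)          # InnoDB / MEMORY stay untouched
        report.engines_replaced += 1
        return "ENGINE=InnoDB"

    for lineno, line in enumerate(text.splitlines(keepends=True), 1):
        if strip_definers:
            line, n1 = DEFINER_COMMENT_RE.subn("", line)
            line, n2 = DEFINER_STRIP_RE.subn("", line)
            report.definers_rewritten += n1 + n2
        else:
            line, n = DEFINER_RE.subn(
                lambda _m: f"DEFINER=`{admin_user}`@`{admin_host}`", line)
            report.definers_rewritten += n

        line = ENGINE_RE.sub(replace_engine, line)

        # COMPRESSED rows need innodb_file_per_table=ON and key_block_size >= 8;
        # only the second condition is visible in the dump itself.
        if ROW_FORMAT_RE.search(line):
            kbs = KEY_BLOCK_RE.search(line)
            if kbs and int(kbs.group(1)) < 8:
                report.warnings.append(
                    f"line {lineno}: KEY_BLOCK_SIZE={kbs.group(1)} is below 8; "
                    "raise it (and confirm innodb_file_per_table is ON)")
        out.append(line)

    return "".join(out), report


# Constructed sample dump fragment (not real data): the post's MyISAM table,
# a definer inside a versioned comment, an inline definer and a compressed table.
SAMPLE_DUMP = """\
CREATE TABLE `MyTable` (
  `ID` bigint(20) NOT NULL AUTO_INCREMENT,
  `DeviceID` varchar(50) NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
CREATE TABLE `Cache` (`k` int) ENGINE=MEMORY;
CREATE TABLE `Archive` (`k` int) ENGINE=InnoDB ROW_FORMAT=COMPRESSED KEY_BLOCK_SIZE=4;
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`root`@`127.0.0.1`*/ /*!50003 TRIGGER `t` BEFORE INSERT ON `MyTable` FOR EACH ROW SET NEW.DeviceID = UPPER(NEW.DeviceID) */;;
DELIMITER ;
CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v` AS SELECT 1;
"""

if __name__ == "__main__":
    fixed, rep = rewrite_dump(SAMPLE_DUMP, "AdminUserName", "ServerName")
    print(fixed)
    print(rep)
```

Run it as `python fix_dump.py < dump.sql > dump.fixed.sql` after swapping the SAMPLE_DUMP call for `sys.stdin.read()`; the Report tells you how many definers and engines changed, and the warnings list is what to review before raising key_block_size or enabling innodb_file_per_table in the portal. Stripping definers (strip_definers=True) makes the object run as the importing user, which is the safer choice when the original definer account will not exist on the Azure server.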
Read more on supported engine types here: Storage engine support

Solution: Before the import process, make sure that you are using a supported engine type; InnoDB and MEMORY are the only supported engine types in Azure Database for MySQL. If you dumped the data from a different engine type, edit the file and replace the storage engine, for example exchanging ENGINE=MyISAM with ENGINE=InnoDB.

Note: You can always dump the schema first with the mysqldump --no-data option, and then dump the data with the mysqldump --no-create-info option.

Example. Before:

```sql
CREATE TABLE `MyTable` (
  `ID` bigint(20) NOT NULL AUTO_INCREMENT,
  `DeviceID` varchar(50) NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
```

After:

```sql
CREATE TABLE `MyTable` (
  `ID` bigint(20) NOT NULL AUTO_INCREMENT,
  `DeviceID` varchar(50) NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
```

## InnoDB storage engine row format

Error:

```
ERROR 1031 (HY000) at line 114: Table storage engine for 'mytable' doesn't have this option
Operation failed with exitcode 1
```

Issue: In Azure Database for MySQL, four row format options are supported: DYNAMIC, COMPACT and REDUNDANT, plus COMPRESSED under certain conditions.

Solution: The COMPRESSED row format is supported on General Purpose or Memory Optimized. You need to enable the parameter innodb_file_per_table from the Azure portal parameters blade, and key_block_size must be 8 or greater. By default, key_block_size is 8.

Please visit the Performance considerations guide for best practices while migrating into Azure Database for MySQL. Thank you!

# Access Denied on Document Library webpart in modern pages
Hi,

We use 2 document library webparts in our modern team site landing pages: one for Shared Documents, which everyone has access to, and another for Internal Documents, where we restrict permissions to internal users only. Until recently, this worked really well. Internal users would see contents in both webparts, while external users would see an Access Denied image in place of the Internal Documents webpart. However, since yesterday our external users are totally unable to access the page. They are thrown to the full-page Access denied page.

Could you please advise if this is now the expected behaviour, or if there's a better way of showing the 2 libraries on the same page?

Thanks,
Nick

# OneDrive File Sharing - Access Denied
My company has SharePoint and employees have our OneDrives connected to it. Whenever I go to share OneDrive links through Microsoft Outlook (I use the web browser version in Google Chrome rather than the desktop app), no matter what I do, 9 times out of 10 I get a response that the person I shared with gets an access denied message. I've tried the following:

- Copy Link (anyone with the link can view, anyone with the link can edit, people in ::company name:: with the link)
- Enter a name or email (usually sharing within my company, so same email domain)
- Upload and share option directly in the Outlook email

I've never had this issue in the past using OneDrive personal prior to arriving at this company. Could it be something with our IT setup or network? I'm at a loss, and it's embarrassing having this issue over and over with my colleagues.