Hi, did you ever figure this one out?
Windows 2019 SCEP; No mapping between account names and security IDs was done
I have a Windows CA set up on Windows Server 2019. It's an Enterprise CA with NDES SCEP running as a managed service account.
Additionally, on the same server, SCEP is running with another managed service account. The account has full control of the two MSCEP private keys, and Read and Enroll permissions on the IPSec (Offline request) certificate template.
When requesting a certificate via NDES, I receive the following error:
The Network Device Enrollment Service cannot submit the certificate request (0x80070534). No mapping between account names and security IDs was done.
The NDES service account has Read and Enroll permissions on the certificate template(s) configured for device enrollment. (I'm using the "UserSignature" template specified in the registry entries "SignatureTemplate", "EncryptionTemplate", and "GeneralPurposeTemplate" under the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP" on the enrollment service computer, which is also the AD Domain Controller and CA server.)
However, certutil returns an error:
PS C:\Users\Administrator> certutil -ping
804.1370.0:<2023/1/27, 18:06:58>: 0x800703f0 (WIN32: 1008 ERROR_NO_TOKEN)
437.556.0:<2023/1/27, 18:06:58>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
437.556.0:<2023/1/27, 18:06:58>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
Connecting to dcrad.hppolylabs.com\hppolylabs-DCRAD-CA ...
Server "hppolylabs-DCRAD-CA" ICertRequest2 interface is alive (16ms)
CertUtil: -ping command completed successfully.
PS C:\Users\Administrator>
Any help would be appreciated.