NDES EncryptedPassword
While doing some NDES work in my lab I found that my SCEP Administrative site https://subca.contoso.corp/certsrv/mscep_admin/ was generating a HTTP 500 error.
The application event log contained the following two entries following any unsuccessful attempt to reach the SCEP admin site:
Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 2
Level: Error
Description:
The Network Device Enrollment Service cannot be started (0x8009000b). Key not valid for use in specified state.
Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 49
Level: Error
Description:
The Network Device Enrollment Service has failed to decrypt the encrypted password or the decrypted password's length doesn't match the one configured in the registry. To fix this, delete the EncryptedPassword entry in the registry.
I looked at a few resources like Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS) But did not find an exact set of instructions to resolve the issue. While the Event ID 49 is pretty explanitory, it does not explain exactly what to do and where to go.
The SCEP encrypted password is located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword
To resolve the issue:
- Delete the EncryptedPassword REG_BINARY subkey stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword.
- Restart Active Directory Certificate Services.
- The next connection to the https://subca.contoso.corp/certsrv/mscep_admin/ site will generate a new value with the updated EncryptedPassword.