Microsoft – NDES Site Shows ‘HTTP Error 500.0 – Internal Server Error’

KB ID 0001181

Problem

I was doing some testing for a client this week. A while ago I had deployed a three tier PKI solution for them, and as part of the rollout we deployed NDES for their network devices (they were going to use certificates to secure site to site VPNs). The client was concerned and wanted the auto renewal process tested. This could not be done on the live system, so a colleague and I went to the test bench; I built a model of the three tier PKI and then set up NDES, while my colleague did the comms/switches and routers.

When I was ready to go, he could not get any enrolments working with NDES. Troubleshooting NDES is usually a case of looking in Event Viewer, but the one quick check you can do is to browse to;

http://localhost/certsrv/mscep_admin

And I got this;

NDES 500.00 Internal Server Error

HTTP Error 500.0 – Internal Server Error
The page cannot be displayed because an internal server error has occurred.

The normal web enrolment site http://localhost/certsrv was up and working; it was just NDES that was broken.

Solution

This took me a while. There's a ton of posts on this that suggest enabling local profiles, logging in as the NDES service user, etc. etc., and none of them fixed the problem.

This was happening to me because when NDES starts, the first thing it does is check its RA (Registration Authority) certificate. It's in the local computer certificate store if you want to look at it (or you will find it in 'Issued Certificates' on the CA, of course).

Let’s take a look at that cert’s certificate chain;

NDES Certificate Chain

You can see my three tier PKI solution, from the top, Offline Root > Intermediate CA (Sub CA) > Issuing CA (Sub CA) > My certificate.

But when I took a look in the CRL location (General Tab > Certificate Revocation Information), I found the following;

CRL Files

What my clients see via http

http CRL View

For the uninitiated, these are CRL files; the ones with a '+' on the end are delta CRL files (but that's not important here). What is important is that there is no CRL for my offline root CA in there. Luckily I had it on a disk; if you don't, you will have to bring the offline root CA online (turn it on) and get a copy of the CRL. You can normally find it in C:\Windows\System32\Certsrv. If yours is not there, open 'Certificate Services Management' > Revoked Certificates > Publish.
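Before copying CRLs around, it helps to see exactly which CRL Distribution Point in the RA certificate's chain cannot be fetched. The PowerShell below is an added example, not code from the original article; it assumes the RA certificate can be found by a subject containing 'MSCEP-RA' (adjust the filter to match yours) and that certutil and the PKI module are available on the NDES server.

```powershell
# Walk the NDES RA certificate's chain and fetch every HTTP CRL Distribution Point (CDP)
# it advertises, so a missing or expired CRL (the offline root's, in this article) is
# reported explicitly instead of surfacing as an IIS 500.
# ASSUMPTION: the RA cert is located by subject; change '*MSCEP-RA*' to match your RA cert.
$raCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*MSCEP-RA*' } | Select-Object -First 1
if (-not $raCert) { throw 'No RA certificate found in Cert:\LocalMachine\My' }

# Build the chain with revocation checking off, so we still get the full chain even when a CRL is missing.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($raCert)

$problems = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    Write-Host "`n== $($cert.Subject)"
    # The CDP extension is OID 2.5.29.31; Format($true) renders it as text with 'URL=...' entries.
    # Each cert's CDP points at its ISSUER's CRL, so the Intermediate CA cert is the one that names the root CRL.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { Write-Host '   no CDP extension (normal for a self-signed root)'; continue }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(http://[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $tmp = Join-Path $env:TEMP ('crlcheck_' + [guid]::NewGuid() + '.crl')
        try {
            Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -OutFile $tmp
            # certutil -dump prints the CRL's ThisUpdate/NextUpdate; a stale CRL fails the chain just like a missing one.
            $next = (certutil -dump $tmp | Select-String 'NextUpdate' | Select-Object -First 1).Line
            Write-Host "   OK   $url  ($next)"
        } catch {
            $problems++
            Write-Host "   FAIL $url  -> $($_.Exception.Message)"
        } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
    }
}

# Authoritative check: let CryptoAPI retrieve the URLs itself and report each one's status.
$cerPath = Join-Path $env:TEMP 'ndes-ra.cer'
Export-Certificate -Cert $raCert -FilePath $cerPath | Out-Null
certutil -verify -urlfetch $cerPath | Select-String 'Verified|Error|Failed|Revocation'
Remove-Item $cerPath -ErrorAction SilentlyContinue
Write-Host "`n$problems CRL fetch problem(s) found"
```

Run it as an administrator on the NDES server; a FAIL line against the Intermediate CA's CDP is the symptom described in this article, and once the root CRL is copied into the CDP location the same line should report OK with a NextUpdate still in the future.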

Simply copy the CRL file into the CRL location;

Offline Root CRL

Then I rebooted the NDES server (I could probably have just restarted CertSvc and IIS, but let's be thorough), and the system burst into life.

Working NDES

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES

Cisco ASA – Enrolling for Certificates with NDES

Cisco IOS – Enrolling for Certificates with NDES

NDES – Fails to Issue Certificates (Signature Algorithm)

Author: PeteLong


2 Comments

  1. Delta CRL is also important if configured!
    –> IIS double escaping

    • What was the duration statement to the IIS escaping.