This week I received an e-mail from our support organization about a case regarding NDES. One of our customers (Bechir Hammami from Germany) ran into an issue where NDES stopped working after performing an upgrade on their ConfigMgr 2012 environment.
Luckily the customer managed to resolve the issue themselves and even shared the steps he took - hoping others would benefit from the information. Thanks Bechir for resolving and sharing this info - much appreciated!
After the upgrade the following error was shown in the eventlog:
NDES: Event ID 29 (The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.)
1) Check installed features
The following features are necessary for ConfigMgr/NDES:
The highlighted ones did not show as active, because the migration had deactivated them.
2) Install missing features
Run the following dism command (note: the installation requires the Windows ISO, mounted here as D:):
dism /online /enable-feature /featurename:NetFX3 /all /Source:<d:\sources\sxs> /LimitAccess
Afterwards, for Framework 4.5, install “HTTP Activation”
Restart the SMS_SITE_COMPONENT_MANAGER service, which sorts out the CRP issue on the ConfigMgr and NDES server.
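The check-and-repair sequence above (inspect the feature state, enable what is missing from the ISO, restart the site component manager) as a single PowerShell run. This is an added example, not a script from the original post: only NetFX3 and the ISO path come from the post, the DISM name for ".NET 4.5 HTTP Activation" is assumed, and the service name is the ConfigMgr site component manager.

```powershell
# Added example (not from the original post): verify the Windows features NDES/CRP
# depends on, enable any that are missing from the mounted ISO, then restart the
# ConfigMgr site component manager so the CRP picks the change up.
# Assumptions: $source is the mounted OS ISO (as in the post's dism command);
# WCF-HTTP-Activation45 is the assumed DISM name for ".NET 4.5 HTTP Activation".
$source   = 'D:\sources\sxs'
$required = @(
    'NetFX3',                 # .NET Framework 3.5 (named in the post)
    'WCF-HTTP-Activation45'   # HTTP Activation for .NET Framework 4.5 (assumed name)
)

# Report every required feature and collect those that are not enabled
$missing = foreach ($name in $required) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    if ($null -eq $f) { Write-Warning "Feature '$name' is unknown on this OS"; continue }
    Write-Host ("{0,-28} {1}" -f $name, $f.State)
    if ($f.State -ne 'Enabled') { $name }
}

if (-not $missing) {
    Write-Host 'All required features are enabled; nothing to do.'
    return
}

foreach ($name in $missing) {
    # -All pulls in parent features; -Source/-LimitAccess mirror the post's dism switches
    Enable-WindowsOptionalFeature -Online -FeatureName $name -All `
        -Source $source -LimitAccess -NoRestart | Out-Null
}

# Re-check so a silently failed install (wrong ISO path, offline source) is not missed
$still = $required | Where-Object {
    (Get-WindowsOptionalFeature -Online -FeatureName $_ -ErrorAction SilentlyContinue).State -ne 'Enabled'
}
if ($still) { throw "Features still not enabled: $($still -join ', ')" }

# Same restart the post describes; after it, check CRP.log / crpctrl.log for event 29 clearing
Restart-Service -Name 'SMS_SITE_COMPONENT_MANAGER' -Force
```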
Eventlog after these changes:
Additional information from Kevin Myrup (MSFT)
Whenever you see event ID 29 on the NDES server: "NDES: Event ID 29 (The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.)"
and the policy module for Intune/ConfigMgr is installed, this always means something is wrong on the Certificate Registration Point (CRP) site role (or in the case of Intune Standalone, the CRP web service running on the NDES server itself). The case above is one example. But there are also other reasons it can happen.
The first place to look is the CRP.log. If the server is healthy, crp.log will show the reason why the cert request was rejected (there are several reasons this could happen, such as the challenge password has expired, the subject name doesn't match what is in the ConfigMgr database, for example when someone's display name or email address has changed in AD, or there is some problem with replication between Intune and ConfigMgr).
If the server is not healthy, as was the case for Bechir above, crpctrl.log will usually have some indication of this.