SCEP/NDES IIS 401.2 Headache

Showing results for 
Search instead for 
Did you mean: 

SCEP/NDES IIS 401.2 Headache

L0 Member

As the title says, I'm frustrated with an SCEP/NDES authentication issue.


This is my first time setting up a CA and NDES, so I've been doing my research, maybe a little too much. I've learned a lot in this endeavor, but, I'm about to throw this out the window.


I am trying to set up SCEP on a Palo Alto 3220 using a user authentication cert template for GlobalProtect. I've double and triple checked security settings on the template and made sure the template I want to use is in the MSCEP registry entry on the NDES server.


I've set up my CA and NDES servers (even ripped them out and started from scratch at one point), and everything seems to be going well. My computer certs are being automatically issued by AD, and requesting/installing certs from the CA is working as it should. With NDES, I'm able to authenticate to and obtain the thumbprint and code for SCEP set up, however, whenever I complete SCEP profile set up for my Palo Alto firewall, I get an Unable to fetch SCEP profile from CA error - looking at the NDES server, it's getting a 401.2 error.


I've run Microsoft's NDES configuration validation script, as well. Everything's come back working, except for Intune specific things (such as NDESPolicy module registry entry). I've also enabled Failed Request logs, and the only thing it comes back with is Access is denied.  I have also moved "NTLM" to the top of Windows Authentication, still no go.


Has anyone here run into this before, or can just offer some insight?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!