So I’ve been working with the Windows Server 2012 NDES/SCEP installation. I’m setting this up so a lot of Cisco networking equipment can get certificates from the Windows Active Directory domain. Since this also extends to iPhones and iPads, it will be beneficial when I set up client certificate authentication.
When installing NDES (SCEP) on Windows Server 2012, you definitely need to give it its own service account. I recommend a dedicated service account rather than the default IIS App Pool identity.
Once you have added this service account to the IIS Users group, go ahead and configure the feature.
An additional thing to note: if you also install the CES/CEP features, you are going to have a problem with your handlers.
This post is more or less a reminder to myself to check these properties when installing the NDES role. The issue is that once you have it all installed, you will start getting HTTP 500 errors when browsing to http://localhost/certsrv/mscep/
A workaround for this issue is to change the order of the handlers for the Microsoft Simple Certificate Enrollment Protocol (MSCEP) applications in IIS so that the ExtensionlessUrlHandler-ISAPI-4.0_64bit handler comes after the StaticFile handler. To do so, you can follow the steps below:
1) Install and configure NDES (and CEP/CES).
2) Open IIS.
3) Select “Default Web Site”.
4) Click “View Applications” in the action panel on the right.
5) Double click the mscep application.
6) Double click “Handler Mappings”.
7) Click “View Ordered List…” in the action panel.
8) Select ExtensionlessUrlHandler-ISAPI-4.0_64bit and move it down so it is below StaticFile.
9) Repeat steps 6-8 for the mscep_admin application.
10) Restart IIS.
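The same reordering, scripted, as an added example that is not part of the original post. It uses the Microsoft.Web.Administration assembly that ships with IIS and assumes the default site name and application paths used above; run it from an elevated PowerShell on the NDES server.

```powershell
# Added example (not from the original post): move ExtensionlessUrlHandler-ISAPI-4.0_64bit
# directly below StaticFile for the mscep and mscep_admin applications, then restart IIS.
# Assumes the applications live under "Default Web Site" as in the steps above.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"

$siteName   = 'Default Web Site'
$extHandler = 'ExtensionlessUrlHandler-ISAPI-4.0_64bit'
$staticName = 'StaticFile'

$mgr = New-Object Microsoft.Web.Administration.ServerManager

foreach ($app in '/mscep', '/mscep_admin') {
    $handlers = $mgr.GetWebConfiguration($siteName, $app).GetSection('system.webServer/handlers').GetCollection()

    $ext = $handlers | Where-Object { $_['name'] -eq $extHandler }
    $sf  = $handlers | Where-Object { $_['name'] -eq $staticName }
    if (-not $ext -or -not $sf) { Write-Warning "${app}: handler entry not found, skipping"; continue }

    # Nothing to do if the extensionless handler already sits after StaticFile
    if ($handlers.IndexOf($ext) -gt $handlers.IndexOf($sf)) {
        Write-Host "${app}: order already correct"
        continue
    }

    # Entries cannot be moved in place: clone the element (non-default attributes only),
    # remove the original, and insert the clone right after StaticFile.
    $clone = $handlers.CreateElement('add')
    foreach ($attr in $ext.Attributes) {
        if (-not $attr.IsInheritedFromDefaultValue) { $clone[$attr.Name] = $attr.Value }
    }
    $handlers.Remove($ext)
    $handlers.AddAt($handlers.IndexOf($sf) + 1, $clone)
    Write-Host "${app}: moved $extHandler below $staticName"
}

# Writes the resulting list into each application's web.config (step 10 follows)
$mgr.CommitChanges()
iisreset

# Verify the effective order, i.e. what "View Ordered List..." shows in IIS Manager
$mgr = New-Object Microsoft.Web.Administration.ServerManager
foreach ($app in '/mscep', '/mscep_admin') {
    $names = $mgr.GetWebConfiguration($siteName, $app).GetSection('system.webServer/handlers').GetCollection() |
             ForEach-Object { $_['name'] }
    "${app}: " + ($names -join ' > ')
}
```

The verification loop should list StaticFile before ExtensionlessUrlHandler-ISAPI-4.0_64bit for both applications; if it does not, re-check the order in IIS Manager before browsing to /certsrv/mscep/ again.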
Thanks for the comment related to error code 0x800700ea.