Question
Tuesday, March 19, 2013 1:45 AM
Hello All,
Performing an installation with a client the other day. They have created a domain account. Together, we made changes to ensure the account satisfied the following conditions from the MS SCEP implementation whitepaper (NDES, Win 2008 R2, Jan 2009):
- is a member of the local IIS_IUSRS group.
- has request permission on the configured CA
- is a domain user account and has Read AND Enroll permissions on the configured template (iPad wireless devices) - which is not configured until after installation regardless
- has HTTP SPN set in Active Directory.
However, when selecting this account during the installation wizard, we receive a WIN32 error indicating that the account does not have the correct privileges (1385 - Logon failure: The user has not been granted the requested logon type at this computer.).
Using Local Security Policy, we granted the account the 'Log On As A Service' privilege. However, when attempting installation again, we saw the same error dialog.
Does anyone know if there is a specific set of User Rights Assignments that are required for the NDES service account?
Thanks for your time,
Ryan Schipper
All replies (5)
Friday, May 31, 2013 8:39 AM ✅ Answered | 5 votes
@Jeff in Carlsbad
My client raised a support issue and we received further details from Microsoft.
The required User Rights Assignments are:
- Allow log on locally
- Log on as a service
In combination with the pre-conditions documented in the Whitepaper we were able to complete the installation.
(( although the installation was not successful due to a keyset binding issue that is largely described elsewhere on MSDN and the internet ))
MSFT - Please note - I could not find these two required 'user rights assignments' anywhere in the official documentation. To be clear, I won't be updating the Community section of any documentation. Accurate documentation is your responsibility as the product vendor.
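A check for the two rights named in the answer above, as an added example that is not part of the original thread or of Microsoft's documentation. The account name `CONTOSO\svc-ndes` is a placeholder, and the script assumes it is run elevated on the NDES server; `SeInteractiveLogonRight` and `SeServiceLogonRight` are the privilege constants behind "Allow log on locally" and "Log on as a service".

```powershell
param(
    [string]$Account = 'CONTOSO\svc-ndes'   # placeholder service account name
)

# Privilege constants for the two UI names given in the answer.
$required = [ordered]@{
    SeInteractiveLogonRight = 'Allow log on locally'
    SeServiceLogonRight     = 'Log on as a service'
}

function Get-UserRightEntries {
    param([string[]]$InfLines, [string]$Right)
    # Exported lines look like: SeServiceLogonRight = *S-1-5-20,CONTOSO\svc-ndes
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-UserRight {
    param([string[]]$InfLines, [string]$Right, [string]$Sid, [string]$Name)
    # Only direct entries are matched (by SID or by name). A right the account
    # holds through membership of a listed group is not detected here.
    $entries = Get-UserRightEntries -InfLines $InfLines -Right $Right
    [bool]($entries | Where-Object { $_ -eq $Sid -or $_ -ieq $Name })
}

# Export the User Rights Assignment section of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inf = Get-Content -Path $cfg
Remove-Item -Path $cfg

# Resolve the account to its SID, since the export lists most entries as SIDs.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

foreach ($right in $required.Keys) {
    $denyRight = $right -replace '^Se', 'SeDeny'   # e.g. SeDenyServiceLogonRight
    [pscustomobject]@{
        Right   = $required[$right]
        Granted = Test-UserRight $inf $right $sid $Account
        Denied  = Test-UserRight $inf $denyRight $sid $Account
    }
}
```

A `Denied` value of `True` matters because a deny entry overrides the matching allow right, which produces the same 1385 logon-type failure even when `Granted` is `True`.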
Wednesday, March 20, 2013 2:33 AM
Hi Ryan,
Thanks for posting in Microsoft TechNet forums.
We may check the "Permissions Required for the Network Device Enrollment Service" part of the article below:
Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
Regards
Kevin
Thursday, March 21, 2013 6:00 AM
Hi Kevin,
As per the original post, we have satisfied the requirements listed in the Whitepaper (also contained in the link you provide). I've asked my client to verify the SPN exists as I notice your link states that FQDN should be used. I'm confident that it will exist as the command returned successfully at the time.
To get back to my question, what is the set of Local Security Policy User Rights Assignments required for the service account?
Thanks,
Ryan.
Wednesday, May 29, 2013 7:03 PM
Was there any resolution to this? I'm running into the exact same problem.
Monday, March 30, 2015 10:21 PM
Related:
The Post-Deployment Configuration task may fail after you install the Windows Server Essentials Experience role on Windows Server 2012 R2