To resolve these two issues, install hotfix 959193. This hotfix introduces the following two improvements:
Improvement 1After you apply this hotfix, passwords can be reused among devices. The new process to manage passwords is as follows:
- The SCEP server confirms the registry setting for "Single Password" mode. In this mode, a master password is created and stored in the registry by using encrypted data. The master password never expires.
- An administrator logs on to an SCEP administration Web site and requests a password. The master password is delivered.
- The administrator configures the password on the device. Because the password is the same for all devices and because it never expires, the administrator can easily write a script to deploy the password on all devices.
How to enable improvement 1Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows
To enable this feature, create the following registry entry:
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword
Name: UseSinglePassword
Type: REG_DWORD
Value: 1
Note If you are running NDES under the Network Service account, you must grant Full Control permission to the "Network Service" account under the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.
Improvement 2Certificates can be re-enrolled automatically after they expire. This feature is enabled automatically after the hotfix is installed.
By default, when you request a certificate renewal by using this feature, the signer certificate must have the same subject name and alternate subject name as the requested certificate. To circumvent this requirement, set the value of the
DisableRenewalSubjectNameMatch registry entry under the following subkey to 1.
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\DisableRenewalSubjectNameMatchNote You may have to create this registry entry by using REG_DWORD type if the registry entry does not exist.
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.Prerequisites
There are no prerequisites.
Restart requirement
You have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other previously released hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.Windows Server 2008 file information notes
The .manifest files and the .mum files that are installed in each environment are
listed separately in the "Additional file information for Windows Server 2008" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.
For all supported x86-based versions of Windows Server 2008
| File name | File version | File size | Date | Time | Platform |
|---|
| Mscep.dll | 6.0.6001.22356 | 139,776 | 17-Jan-2009 | 04:50 | x86 |
For all supported x64-based versions of Windows Server 2008
| File name | File version | File size | Date | Time | Platform |
|---|
| Mscep.dll | 6.0.6001.22356 | 157,184 | 17-Jan-2009 | 06:25 | x64 |