The SCEP server returned an invalid response.

Hello

We are trying to enroll an iPhone 3GS device with iOS 4.1 to be used with MDM. For the SCEP server we use MSCEP in Windows Server 2008. We can't get past the "Enrolling Certificate" step because it always fails with the message "The SCEP server returned an invalid response." How can we get more details? Analyzing the captured HTTP stream revealed no issues.

Thanks in advance for any help.
--
frustrated Martin

Posted on Oct 25, 2010 8:05 AM


Jan 2, 2013 10:31 AM in response to -Martin-__

Hi all,


Do you happen to know how to specify my configuration profile to bypass the GetCACaps?


<key>SubjectAltName</key>
<dict>
    <key>dNSName</key>
    <string>scepsrv.myorg.com</string>
</dict>

<key>GetCACaps</key>
<dict>
    <array>
        <string>DES3</string>
        <string>SHA-1</string>
    </array>
</dict>



SubjectAltName has no problem.


GetCACaps doesn't seem to work - my iPhone 5 thought the profile was invalid.


But the doc seems to imply (without examples) that it is possible.


http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html


I am using Windows 2008 sp2 NDES. No patch for GetCACaps. Hence I have to work around by specifying the CACapability.


Much appreciated!
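As an added example (not code from the thread), the following Python builds the SCEP payload with plistlib so that GetCACaps is emitted as an array of strings directly under its key, which is the shape Apple's Configuration Profile Reference gives for that key, and shows how a device-side parser reacts when the array is wrapped in a bare dict instead. The URL, challenge, fingerprint bytes and payload identifiers are constructed placeholders.

```python
import plistlib
# GetCACaps keywords defined by the SCEP protocol.
KNOWN_CACAPS = {"GetNextCACert", "POSTPKIOperation", "Renewal",
                "SHA-1", "SHA-256", "SHA-512", "DES3"}


def build_scep_payload(url, challenge, ca_caps, san_dns, ca_fingerprint,
                       keysize=2048):
    """Return the PayloadContent dict of a com.apple.security.scep payload."""
    unknown = set(ca_caps) - KNOWN_CACAPS
    if unknown:
        raise ValueError(f"unknown GetCACaps keywords: {sorted(unknown)}")
    return {
        "URL": url,
        "Name": "NDES",                   # CA identifier string
        "Challenge": challenge,
        "Keysize": keysize,               # 1024 or 2048
        "Key Type": "RSA",
        "Key Usage": 5,                   # signing (1) + encryption (4)
        "CAFingerprint": ca_fingerprint,  # bytes -> <data>, hash of the CA cert
        "SubjectAltName": {"dNSName": san_dns},
        # Array of strings directly under the key, with no <dict> wrapper.
        "GetCACaps": list(ca_caps),
    }

def to_profile_xml(payload_content):
    """Wrap the payload in a minimal top-level profile and serialise to XML."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep-profile",         # constructed
        "PayloadUUID": "4C1B6F5E-0000-4000-8000-000000000001",    # constructed
        "PayloadContent": [{
            "PayloadType": "com.apple.security.scep",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.scep",             # constructed
            "PayloadUUID": "4C1B6F5E-0000-4000-8000-000000000002",  # constructed
            "PayloadContent": payload_content,
        }],
    }
    return plistlib.dumps(profile)

def read_get_ca_caps(xml_bytes):
    """Parse as a device would; None when the plist is malformed."""
    try:
        profile = plistlib.loads(xml_bytes)
    except ValueError:  # e.g. an <array> placed directly inside a <dict>
        return None
    return profile["PayloadContent"][0]["PayloadContent"]["GetCACaps"]
```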

Oct 26, 2010 1:38 AM in response to who.mobile

Thanks for your answer.

How did you set up the NDES challenge for the iPhone?


On the iPhone's request, our application parses the page and extracts the challenge from http://192.168.10.72/certsrv/mscep_admin. Then it constructs the configuration XML and sends it to the iPhone in the response.

IIS log is here: http://pastebin.com/F4ZG0s4P

I can also show you the HTTP dump and the exchanged PKI message dumps, or attach the configuration XML, because I have been stuck for a whole week now :-S.

Thanks for your effort.

Oct 26, 2010 7:13 AM in response to -Martin-__

From the iPhone console I got these messages:

Tue Oct 26 15:34:22 Thetams-iPhone profiled[4733] <Warning>: MC|Enrolling in OTA Profile service...
Tue Oct 26 15:34:30 Thetams-iPhone profiled[4733] <Warning>: MC|Attempting to retrieve issued certificate...
Tue Oct 26 15:34:30 Thetams-iPhone profiled[4733] <Warning>: MC|Certificate retrieval reported error: NSError 0x12a8a0:
Desc : The operation couldnt be completed. (PENDING error 3.)
Domain : PENDING
Code : 3
Type : MCFatalError
Tue Oct 26 15:34:31 Thetams-iPhone profiled[4733] <Warning>: MC|Could not retrieve issued certificate: NSError 0x12a8a0:
Desc : The operation couldnt be completed. (PENDING error 3.)
Domain : PENDING
Code : 3
Type : MCFatalError
Tue Oct 26 15:34:31 Thetams-iPhone profiled[4733] <Warning>: MC|Attempting to retrieve issued certificate...
Tue Oct 26 15:34:31 Thetams-iPhone profiled[4733] <Warning>: MC|Could not retrieve issued certificate: NSError 0x13f8e0:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Tue Oct 26 15:34:31 Thetams-iPhone profiled[4733] <Warning>: MC|Cannot retrieve SCEP identity: NSError 0x13f8e0:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Tue Oct 26 15:34:31 Thetams-iPhone profiled[4733] <Warning>: MC|Failure occurred while retrieving profile during OTA Profile Enrollment: NSError 0x13f8e0:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Tue Oct 26 15:34:42 Thetams-iPhone lockdownd[17] <Error>: 00403000 handle_connection: Could not receive internal message #3 from profiled. Killing connection
Tue Oct 26 15:34:42 Thetams-iPhone com.apple.mobile.lockdown[17] <Notice>: receive secure message timeout!


We are testing in LAN and have configured our router to translate some domains to our local IPs. Could this be a problem? In payloads there are no IP addresses but these local domains.

Oct 26, 2010 12:57 PM in response to -Martin-__

We are testing in LAN and have configured our router to translate some domains to our local IPs. Could this be a problem? In payloads there are no IP addresses but these local domains.


It looks like the CA issued the certificate; you might have seen that from the cert manager console. I don't see any obvious reason why the cert got rejected by the iPhone. (Maybe some experts from Apple can find it from the following dump.) Anyway, I suggest the following options to you.
1) try with http if you are using https
2) install CA cert to phone and try again
3) check time between server and phone
4) try to change default scep issue template to issue 2048 key.
5) double check the fingerprint (in the SCEP profile) you configured against the CA cert.

Following is the SCEP PKI message dump:
------------
PKCS7 Message:
CMSG_SIGNED(2)
CMSG_SIGNED_DATA_PKCS_1_5_VERSION(1)
Content Type: 1.2.840.113549.1.7.1 PKCS 7 Data

PKCS7 Message Content:
================ Begin Nesting Level 1 ================
PKCS7 Message:
CMSG_ENVELOPED(3)
CMSG_ENVELOPED_DATA_PKCS_1_5_VERSION(0)
Content Type: 1.2.840.113549.1.7.1 PKCS 7 Data

Content Encryption Algorithm:
Algorithm ObjectId: 1.3.14.3.2.7 des
Algorithm Parameters:
04 08 ed 76 05 85 cc 10 e0 71
04 08 ed 76 05 85 cc 10 e0 71

PKCS7 Message Content:

No Signer
Recipient Count: 1

Recipient Info[0]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 61047aca000000000003
Issuer:
CN=WIN2008SCEP-CA

No Certificates
No CRLs
---------------- End Nesting Level 1 ----------------

Signer Count: 1
Signing Certificate Index: 0
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
Issuer: CN=14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC
NotBefore: 10/26/2010 1:14 AM
NotAfter: 10/26/2011 1:14 AM
Subject: CN=14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC
Serial: 01
11 b2 27 ec d3 e5 81 d7 35 f4 a2 fd 82 24 7e a4 c2 e3 3b 9c
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
11 b2 27 ec d3 e5 81 d7 35 f4 a2 fd 82 24 7e a4 c2 e3 3b 9c
Issuer: CN=14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC
NotBefore: 10/26/2010 1:14 AM
NotAfter: 10/26/2011 1:14 AM
Subject: CN=14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC
Serial: 01
11 b2 27 ec d3 e5 81 d7 35 f4 a2 fd 82 24 7e a4 c2 e3 3b 9c
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root

Signer Info[0]:
Signature matches Public Key
CMSG_SIGNER_INFO_PKCS_1_5_VERSION(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 01
Issuer:
CN=14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC
Subject:
CN=14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC
Hash Algorithm:
Algorithm ObjectId: 1.2.840.113549.2.5 md5 (md5NoSign)
Algorithm Parameters: NULL
Encrypted Hash Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters: NULL
Encrypted Hash:

Authenticated Attributes[0]:
6 attributes:

Attribute[0]: 2.16.840.1.113733.1.9.2
Value[0][0]:
Unknown Attribute type
0000 13 02 31 39 ..19
0000: 13 02 ; PRINTABLE_STRING (2 Bytes)
0002: 31 39 ; 19
; "19"

Attribute[1]: 1.2.840.113549.1.9.3 (Content Type)
Value[1][0]:
Unknown Attribute type
1.2.840.113549.1.7.1 PKCS 7 Data
0000 06 09 2a 86 48 86 f7 0d 01 07 01 ..*.H......
0000: 06 09 ; OBJECT_ID (9 Bytes)
0002: 2a 86 48 86 f7 0d 01 07 01
; 1.2.840.113549.1.7.1 PKCS 7 Data

Attribute[2]: 1.2.840.113549.1.9.5 (Signing Time)
Value[2][0]:
Unknown Attribute type
Signing Time: 10/26/2010 1:14 AM
0000 17 0d 31 30 31 30 32 36 30 38 31 34 32 39 5a ..101026081429Z
0000: 17 0d ; UTC_TIME (d Bytes)
0002: 31 30 31 30 32 36 30 38 31 34 32 39 5a ; 101026081429Z
; 10/26/2010 1:14 AM

Attribute[3]: 1.2.840.113549.1.9.4 (Message Digest)
Value[3][0]:
Unknown Attribute type
Message Digest:
c3 01 9e 56 65 b3 08 20 d4 22 f3 73 1a 3a 06 b7
0000 04 10 c3 01 9e 56 65 b3 08 20 d4 22 f3 73 1a 3a .....Ve.. .".s.:
0010 06 b7 ..
0000: 04 10 ; OCTET_STRING (10 Bytes)
0002: c3 01 9e 56 65 b3 08 20 d4 22 f3 73 1a 3a 06 b7 ; ...Ve.. .".s.:..

Attribute[4]: 2.16.840.1.113733.1.9.5
Value[4][0]:
Unknown Attribute type
0000 04 10 91 73 92 a0 d5 02 e3 89 2c 2c ab 31 dc 35 ...s......,,.1.5
0010 78 69 xi
0000: 04 10 ; OCTET_STRING (10 Bytes)
0002: 91 73 92 a0 d5 02 e3 89 2c 2c ab 31 dc 35 78 69 ; .s......,,.1.5xi

Attribute[5]: 2.16.840.1.113733.1.9.7
Value[5][0]:
Unknown Attribute type
0000 13 28 30 38 34 34 36 44 45 31 44 45 37 42 31 41 .(08446DE1DE7B1A
0010 32 45 38 36 30 33 44 36 43 33 45 42 38 44 33 43 2E8603D6C3EB8D3C
0020 38 30 44 41 36 30 31 38 31 30 80DA601810
0000: 13 28 ; PRINTABLE_STRING (28 Bytes)
0002: 30 38 34 34 36 44 45 31 44 45 37 42 31 41 32 45 ; 08446DE1DE7B1A2E
0012: 38 36 30 33 44 36 43 33 45 42 38 44 33 43 38 30 ; 8603D6C3EB8D3C80
0022: 44 41 36 30 31 38 31 30 ; DA601810
; "08446DE1DE7B1A2E8603D6C3EB8D3C80DA601810"

Unauthenticated Attributes[0]:
0 attributes:

Computed Hash: 24 92 3c f9 15 fb 4d ad f8 dc f9 08 d3 6c 7d 79
No Recipient

Certificates:
================ Begin Nesting Level 1 ================
Element 0:
X509 Certificate:
Version: 3
Serial Number: 01
01
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
CN=14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC
[0,0]: CERT_RDN_PRINTABLE_STRING, Length = 36 (36/64 Characters)
2.5.4.3 Common Name (CN)="14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC"



NotBefore: 10/26/2010 1:14 AM
NotAfter: 10/26/2011 1:14 AM

Subject:
CN=14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC
[0,0]: CERT_RDN_PRINTABLE_STRING, Length = 36 (36/64 Characters)
2.5.4.3 Common Name (CN)="14EED8E8-BD0C-4CD9-990D-44A99B7DC6BC"



Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
Certificate Extensions: 1
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Key Encipherment (a0)

0000 03 02 05 a0 ....
0000: 03 02 ; BIT_STRING (2 Bytes)
0002: 05
0003: a0

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): 08 44 6d e1 de 7b 1a 2e 86 03 d6 c3 eb 8d 3c 80 da 60 18 10
Key Id Hash(sha1): 21 cd df fe 7c 70 f9 0d 38 cd f5 30 e9 62 3f 7d 8a 7c bf 8b
Cert Hash(md5): 6e 8e c8 90 f7 e5 a6 0d a4 e3 4c 4f 38 28 75 1b
Cert Hash(sha1): 11 b2 27 ec d3 e5 81 d7 35 f4 a2 fd 82 24 7e a4 c2 e3 3b 9c
---------------- End Nesting Level 1 ----------------
No CRLs

Oct 27, 2010 4:32 AM in response to -Martin-__

Hello

1) try with http if you are using https


As for SCEP server we use HTTP.

2) install CA cert to phone and try again


CA has already been installed. Now I installed also both RA certificates. All three are trusted by iPhone now.

3) check time between server and phone


Time is OK (max. half minute difference).

4) try to change default scep issue template to issue 2048 key.


Tried. BTW the key generation takes much longer now.

5) double check the fingerprint (in the SCEP profile) you configured against the CA cert.


Do you mean the "CAFingerprint"? Now we are using it.

... and still no success 😟

BTW MSCEP 2008 doesn't support the GetCACaps operation (The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag.), but returns 200 OK with empty content. In the event log I also see "The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data.". But in the HTTP tcpdump every request is responded to with 200 OK, and only the aforementioned one has 0 bytes.

Message was edited by: Martin
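The empty 200 OK that NDES returns for GetCACaps is exactly the case an SCEP client has to handle. The following Python, an added example and not code from the thread, parses a GetCACaps body (one keyword per line) and, when nothing is advertised, falls back to the draft-SCEP defaults of MD5, single DES and GET for PKIOperation, which is the md5/des combination visible in the certutil dump above. The two sample responses are constructed.

```python
# Keywords a CA may list in a GetCACaps response (draft SCEP plus RFC 8894).
CACAPS_KEYWORDS = {"GetNextCACert", "POSTPKIOperation", "Renewal", "SHA-1",
                   "SHA-256", "SHA-512", "DES3", "AES", "SCEPStandard"}

def parse_get_ca_caps(status, body):
    """Return (caps, notes) from a GetCACaps HTTP response.
    An empty 200 OK, as NDES on Windows Server 2008 returns, gives no caps."""
    notes = []
    if status != 200:
        notes.append(f"GetCACaps answered HTTP {status}; treating as unsupported")
        return set(), notes
    text = body.decode("ascii", errors="replace")
    if not text.strip():
        notes.append("GetCACaps body is empty; server advertises no capabilities")
        return set(), notes
    caps = set()
    for line in text.splitlines():
        keyword = line.strip()
        if not keyword:
            continue
        if keyword in CACAPS_KEYWORDS:
            caps.add(keyword)
        else:
            notes.append(f"ignoring unknown capability {keyword!r}")
    return caps, notes

def negotiate(caps):
    """Pick PKIOperation parameters from caps; with no caps the draft-SCEP
    defaults apply: MD5 digest, single DES, GET for PKIOperation."""
    if "SHA-256" in caps:
        digest = "sha256"
    elif "SHA-1" in caps:
        digest = "sha1"
    else:
        digest = "md5"
    if "AES" in caps:
        cipher = "aes"
    elif "DES3" in caps:
        cipher = "des3"
    else:
        cipher = "des"
    method = "POST" if "POSTPKIOperation" in caps else "GET"
    return {"digest": digest, "cipher": cipher, "pkioperation_method": method}

# Constructed sample responses: the first mirrors the thread's NDES behaviour,
# the second a server that does implement GetCACaps.
EMPTY_RESPONSE = (200, b"")
FULL_RESPONSE = (200, b"POSTPKIOperation\r\nSHA-1\r\nDES3\r\nGetNextCACert\r\n")
```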
