There could be multiple reasons; try one of the below.
1. While installing NDES, if you use a domain account as the service account and then change it to AppPoolIdentity (in the AppPool settings screen), you may face this error. To fix it, either revert to the domain account or give private key Read permission for CEP Encryption (CEPEncryption) and Exchange Enrollment Agent (offline request) to the SCEP app pool identity.
Thursday, 11 July 2013
Tuesday, 9 July 2013
CA's type is Enterprise or Standalone?
Run "certutil -cainfo". This dumps a lot of information; look for 'CA type', something like below:
CA type: 3 -- Stand-alone Root CA
ENUM_STANDALONE_ROOTCA -- 3
or
CA type: 0 -- Enterprise Root CA
ENUM_ENTERPRISE_ROOTCA -- 0
Also, the command to extract the CA certificate is "certutil -ca.cert [file name].cer".
To change/configure the expiry date for issued certificates, see http://support.microsoft.com/kb/254632
Location:
Bangalore, Karnataka, India
Friday, 5 July 2013
NTLM
Nice read here and here and here
In a nutshell, Kerberos is better than NTLM. With Kerberos, the client contacts the Domain Controller, gets a token and uses it to authenticate the user. With NTLM, the client contacts the web server, which in turn contacts the Domain Controller, gets a token and authenticates it. Normally, web sites can be set to use only NTLM or Negotiate (Kerberos will be tried; on failure, NTLM will be tried). Refer to the Fiddler screenshots below for some clues.
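To tell from a Fiddler capture whether a Negotiate exchange really used Kerberos or fell back to NTLM, decode the token in the Authorization / WWW-Authenticate header. The following is an added example, not part of the original post; the function names and sample tokens are constructed for illustration (abbreviated byte strings, not real captures or valid tickets).

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded OID bodies that appear inside GSS-API / SPNEGO tokens
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_auth_header(value):
    """Return (scheme, mechanism, detail) for one header value."""
    parts = value.strip().split(None, 1)
    scheme = parts[0] if parts else ""
    if scheme.lower() not in ("ntlm", "negotiate"):
        return (scheme, "other", None)
    if len(parts) == 1:
        return (scheme, "offer", None)  # server advertising the scheme, no token yet
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return (scheme, "invalid", None)
    # An NTLMSSP message, raw or wrapped in SPNEGO, means NTLM is in use
    # even when the HTTP scheme says "Negotiate".
    pos = token.find(NTLMSSP_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return (scheme, "NTLM", NTLM_TYPES.get(msg_type, "unknown"))
    if OID_KRB5 in token or OID_MS_KRB5 in token:
        return (scheme, "Kerberos", "spnego" if OID_SPNEGO in token else "raw")
    return (scheme, "unknown", None)

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample tokens: correct signatures/OIDs, abbreviated bodies.
NTLM_TYPE1 = NTLMSSP_SIG + struct.pack("<II", 1, 0xE2088297)
SPNEGO_KRB = (b"\x60\x82\x01\x00\x06\x06" + OID_SPNEGO +
              b"\xa0\x30\x0b\x06\x09" + OID_KRB5 + b"\x00" * 16)
SAMPLE_HEADERS = [
    "Negotiate",                       # 401 response offering Negotiate
    "NTLM " + _b64(NTLM_TYPE1),        # site set to NTLM only
    "Negotiate " + _b64(NTLM_TYPE1),   # Negotiate that fell back to NTLM
    "Negotiate " + _b64(SPNEGO_KRB),   # Negotiate carrying Kerberos
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_auth_header(header), header[:40])
```

In a capture, a Base64 token beginning with "TlRMTVNT" is the NTLMSSP signature, so a "Negotiate TlRMTVNT..." header shows the NTLM fallback.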
