Network Access Protection Agent failed to acquire a certificate for the request
- My network policy server suddenly quit functioning and is issuing thousands of errors (see below). Previously it had been functioning fine. Fortunately I was still in reporting mode. I am using NAP for IPsec.
Event ID: 26 Source: HRA
The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {3C0A1519-6C31-439E-B33E-8EE7BFE21DE8} - 2009-11-01 16:37:29.062Z from https://swopenps.swopeparkwayhc.int/domainhra/hcsrvext.dll. The request failed with the error code (500). This server will not be tried again for 10 minutes. See the HRA administrator for more information.
On the client side
Event ID: 21 Source: NAPAgent
The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {2CB52616-49C5-4CD7-B090-585AE90B4ECB} - 2009-11-02 04:09:06.276Z from https://swopenps.swopeparkwayhc.int/domainhra/hcsrvext.dll.
The request failed with the error code (500). This server will not be tried again for 10 minutes.
When I issue the command "netsh nap client show configuration" from a client I get the following:
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Disabled
Name = Wireless Eapol Quarantine Enforcement Client
ID = 79620
Admin = Disabled
Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Ok.
When I issue the command "netsh nap client show grouppolicy" from a client I get the following:
NAP client configuration (group policy):
----------------------------------------------------
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Enabled
Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Enabled
Name = Wireless Eapol Quarantine Enforcement Client
ID = 79620
Admin = Disabled
Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Trusted server group configuration:
----------------------------------------------------
Group = HRA Servers
Require Https = Enabled
URL = https://swopenps.swopeparkwayhc.int/domainhra/hcsrvext.dll
Processing order = 1
User interface settings:
----------------------------------------------------
Title = Swope Community Enterprises
Description = Network Health Assessment
Image =
Ok.
The command "netsh nap client show configuration" shows IPsec Relying Party as "disabled", whereas the command "netsh nap client show grouppolicy" shows IPsec Relying Party as enabled.
When accessing the trusted server URL from the client's browser I get the message "500 - Internal server error", which from reading other posts normally indicates the ability to connect via SSL.
The clients used to receive the "Health Certificate", but are no longer receiving the certificates.
Here is my setup:
1 Windows 2008 server: DC, Root CA and DNS
1 Windows 2008 server: NPS, HRA, Stand alone SUB
450 plus Windows XP clients, joined to the domain
Any and all assistance is greatly appreciated.
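The comparison of the two netsh outputs made in the question can be automated. The following is an added example, not part of the original post: it parses the enforcement-client records from saved "netsh nap client show configuration" and "netsh nap client show grouppolicy" output and lists the clients whose Admin state differs. The function names and the sample strings are assumptions constructed for illustration.

```python
import re

# One enforcement-client record from "netsh nap client show ..." output.
# Whitespace between fields is optional, so pastes that lost their line
# breaks ("Admin = DisabledName = ...") still parse.
RECORD = re.compile(
    r"Name\s*=\s*(?P<name>.+?)\s*ID\s*=\s*(?P<id>\d+)\s*"
    r"Admin\s*=\s*(?P<admin>Enabled|Disabled)",
    re.DOTALL,
)

def enforcement_clients(netsh_output):
    """Return {id: (name, admin_state)} for each enforcement client."""
    return {int(m["id"]): (m["name"].strip(), m["admin"])
            for m in RECORD.finditer(netsh_output)}

def admin_mismatches(local_output, gpo_output):
    """Return (id, name, local_state, gpo_state) where the states differ."""
    local = enforcement_clients(local_output)
    gpo = enforcement_clients(gpo_output)
    rows = []
    for cid in sorted(local.keys() | gpo.keys()):
        name = (gpo.get(cid) or local[cid])[0]
        local_state = local.get(cid, ("", "absent"))[1]
        gpo_state = gpo.get(cid, ("", "absent"))[1]
        if local_state != gpo_state:
            rows.append((cid, name, local_state, gpo_state))
    return rows

# Constructed samples in the layout of netsh output; GPO_SAMPLE is
# deliberately run together, as happens when a paste loses line breaks.
LOCAL_SAMPLE = """\
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
"""
GPO_SAMPLE = """\
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = EnabledName = IPSec Relying Party
ID = 79619
Admin = EnabledName = EAP Quarantine Enforcement Client
ID = 79623
Admin = DisabledClient tracing:
"""

if __name__ == "__main__":
    for row in admin_mismatches(LOCAL_SAMPLE, GPO_SAMPLE):
        print("%d  %-40s local=%s  grouppolicy=%s" % row)
```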
Answers
- Hi,
Please review the logs on the HRA/NPS under Custom Views\Server Roles\Network Policy and Access Services.
This should tell you why the HRA was unable to provide a certificate. It can be one of several reasons. If the problem is related to the CA, you will need to review messages in the CA console.
-Greg
- Marked As Answer by Miles Zhang MSFT, Moderator, Wednesday, November 04, 2009 6:50 AM

