Issue with NAP setup SHA error

Question
Hi all,
I have set up NAP infrastructure in the design below (followed the NAP DHCP guide).
This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.
Server Configuration
===============
a) Configured Windows 2008 as DC, created a user and added that user to a domain group, created a security group for NAP clients.
b) Configured 2008 as DHCP server providing static IP addresses, configured NPS server and DHCP scopes.
c) Configured NPS as Network Health Policy Server, configured SHV for Windows XP SP3.
d) Configured DHCP scope options by adding the 015, 006 and 003 options and also configured restricted.domain.com in the DHCP server (configured the default NAP class); the appropriate GPOs are also configured.
Question
=======
When I type gpmc and navigate to --> domain.com --> Group Policy Objects, I have configured security filtering with the appropriate group, but in the same window under Links I see that my domain is listed but the Enforced option is set to No. Do I need to set it to Yes?
e) Tested the client by performing ipconfig /release and /renew, and my client was getting added to restricted.domain.com with subnet mask 255.255.255.255, which is expected.
f) Later I configured the remediation server and joined the client to the domain. I have turned on the Windows Firewall on the Windows XP SP3 client, but I still get the NAP warning:
"Your computer is not compliant with the requirements of this network.
SHA not present: a system health agent that may be required for full network access is not present on this computer. Please contact your administrator ID 79744"
I am attaching the following logs
Group Policy of client
NAP client configuration (group policy):
----------------------------------------------------
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Enabled
Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Enabled
Name = Wireless Eapol Quarantine Enforcement Client
ID = 79620
Admin = Disabled
Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Trusted server group configuration:
----------------------------------------------------
Group = Trusted HRA servers
Require Https = Enabled
URL = https://domain/domainhra/hcsrvext.dll
Processing order = 1
Ok.
========================================================================
IP config of client
Windows IP Configuration
Host Name . . . . . . . . . . . . : Host name
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
restricted.domain.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : restricted.domain.com
Description . . . . . . . . . . . : Realtek RTL8169/8110 Family Gigabit Ethernet NIC
Physical Address. . . . . . . . . :
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10 series ip address
Subnet Mask . . . . . . . . . . . : 255.255.255.255
IP Address. . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : dhcp server ip address
DNS Servers . . . . . . . . . . . : dns server ip address
Lease Obtained. . . . . . . . . . : Monday, March 02, 2009 11:57:31 AM
Lease Expires . . . . . . . . . . : Tuesday, March 10, 2009 11:57:31 AM
=======================================================================
Client Show State results
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Restricted
Troubleshooting URL =
Restriction start time =
Extended state =
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Id = 79618
Name = Remote Access Quarantine Enforcement Client
Description = Provides the quarantine enforcement for RAS Client
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79619
Name = IPSec Relying Party
Description = Provides IPSec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Id = 79620
Name = Wireless Eapol Quarantine Enforcement Client
Description = Provides wireless Eapol based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Description = Provides TS Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides EAP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (0) -
Ok.
==================================================================
Auto-remediation is not working, which means that when I disable Windows Firewall it is not automatically turning the service on. Please assist.
sainath Windows Driver Development
Monday, March 2, 2009 12:13 PM
All replies
Hi all,
There is one more interesting update I want to share: I configured DHCP NAP with firewall on another Windows XP SP3 machine and, interestingly, show state has this result.
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating its security state.
But on another client it is Initialized = No.
sainath Windows Driver Development
- Marked as answer by Sainath IRP_MJ_CREATE Thursday, March 5, 2009 5:14 AM
- Unmarked as answer by Sainath IRP_MJ_CREATE Thursday, March 5, 2009 5:14 AM
Monday, March 2, 2009 1:46 PM
Further tests.
I have made sure the "Health Key and Certificate Manager" service is started.
Also I am observing event ID 21 from Napagent.
The difference between failing and passing clients is that only 2 files from DHCP rfront are missing:
a) dhcpmon.dll
b) dhcpsapi.dll
Question:
Do we need the above 2 files?
Also please let me know if I am missing anything else and what files are required
from the server side
from the client side
sainath Windows Driver Development
Monday, March 2, 2009 5:40 PM
Hi all,
Any inputs?
Please assist.
sainath Windows Driver Development
Tuesday, March 3, 2009 9:34 AM
Sainath Into Driver Development said:
"Question: When I type gpmc and navigate to --> domain.com --> Group Policy Objects, I have configured security filtering with the appropriate group, but in the same window under Links I see that my domain is listed but the Enforced option is set to No. Do I need to set it to Yes?"
No, that's not relevant in this scenario. However, if you are uncertain that the GPO is applied, you can verify this by checking GPRESULT and seeing that it is listed properly. That should be verification enough to say if the GPO gets the correct scope / security filtering.
You can also confirm it's working by verifying the services the GPO is trying to enable (automatically) for the client, and check that this is the case. (Ex: Network Access Protection Agent service = Automatic)
Further, notice another thing: the NAP client works in mysterious ways, and we've had problems (unreliable predictions) ourselves when we relied on manually enabling the enforcement client on the client.
Those are the results you can see by doing:
netsh nap client>show configuration
NAP client configuration:
----------------------------------------------------
netsh nap client>show grouppolicy
NAP client configuration (group policy):
----------------------------------------------------
Now, down to a bit more conclusions from your listings.
You say that auto-remediation doesn't work, but that may be because it doesn't know which health status it is supposed to have.
That may be linked to the "minor issues" that you don't seem to get the enforcement through group policy.
1. So rechecking the group policy and verifying that it is really receiving the GPO is a must.
2. That the content of the GPO is really applied, and that you don't have any GPO processing problems on one or more clients.
If you confirm that the GPOs are really working:
* GPRESULT shows the policy in the list, and applied to the correct scope.
* Security Center is running and can't be disabled by a standard user (GPO will do that for you)
* NAP service is set to automatic mode, and is started every time
Next is: why the Enforcement Client isn't listed when you do the "show grouppolicy" in netsh. But that's for later, after you have verified the GPOs.
Those are the minimum XP SP3 client-side requirements for it to be able to auto-remediate.
Hint: Keep an eye out for GPO processing problems in the Event Log on the client to eliminate just that.
Sincerely, Jon E. Carlsen
- Marked as answer by Sainath IRP_MJ_CREATE Thursday, March 5, 2009 5:14 AM
Thursday, March 5, 2009 12:15 AM
Hi Jon,
Thanks for the reply. I had done further research and found that my Security Center was stopped,
which was actually creating all the mess.
Your inputs are really helpful, and you actually pointed out the Security Center service, which was the culprit.
I really had 2 days of tough time analyzing the cause, but it turned out to be a simple service.
As an end user I would expect the NAP documentation to be modified a bit and mention the services required, because as a systems engineer / systems administrator / network developer, we always jump to the document which explains the steps to configure, rather than learning about the prerequisites.
Thanks for your time Jon, appreciate the explanation.
sainath Windows Driver Development
- Marked as answer by Sainath IRP_MJ_CREATE Thursday, March 5, 2009 5:14 AM
Thursday, March 5, 2009 5:13 AM
I'm glad to hear you have resolved it, and that it was this "simple", although it can be tough to find the cause of these anomalies in a testing environment.
Good luck on your testing and deployment. :-)
Sincerely, Jon E. Carlsen
Thursday, March 5, 2009 5:54 AM
Hi Jon,
We have configured NAP and the policies are working; most of the systems are applying the NAP DHCP Noncompliant policy and giving the message "SHA Not present". Enclosed are the screenshot and log files for your reference. Request you to help us resolve this issue.
C:\Users\subbup>Netsh nap client show csps
Available cryptographic service providers (CSPs):
Name
----------------------------------------------------
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
Microsoft Base Smart Card Crypto Provider
Microsoft DH SChannel Cryptographic Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Microsoft Enhanced RSA and AES Cryptographic Provider
Microsoft RSA SChannel Cryptographic Provider
Microsoft Strong Cryptographic Provider
Ok.
C:\Users\subbup>
C:\Users\subbup>Netsh nap client show hashes
Available hash algorithms:
Name OID
----------------------------------------------------
sha1RSA 1.2.840.113549.1.1.5
md5RSA 1.2.840.113549.1.1.4
sha1DSA 1.2.840.10040.4.3
sha1RSA 1.3.14.3.2.29
shaRSA 1.3.14.3.2.15
md5RSA 1.3.14.3.2.3
md2RSA 1.2.840.113549.1.1.2
md4RSA 1.2.840.113549.1.1.3
md4RSA 1.3.14.3.2.2
md4RSA 1.3.14.3.2.4
md2RSA 1.3.14.7.2.3.1
sha1DSA 1.3.14.3.2.13
dsaSHA1 1.3.14.3.2.27
mosaicUpdatedSig 2.16.840.1.101.2.1.1.19
sha1NoSign 1.3.14.3.2.26
md5NoSign 1.2.840.113549.2.5
sha256NoSign 2.16.840.1.101.3.4.2.1
sha384NoSign 2.16.840.1.101.3.4.2.2
sha512NoSign 2.16.840.1.101.3.4.2.3
sha256RSA 1.2.840.113549.1.1.11
sha384RSA 1.2.840.113549.1.1.12
sha512RSA 1.2.840.113549.1.1.13
RSASSA-PSS 1.2.840.113549.1.1.10
sha1ECDSA 1.2.840.10045.4.1
sha256ECDSA 1.2.840.10045.4.3.2
sha384ECDSA 1.2.840.10045.4.3.3
sha512ECDSA 1.2.840.10045.4.3.4
specifiedECDSA 1.2.840.10045.4.3
Ok.
C:\Users\subbup>
C:\Users\subbup>Netsh nap client dump
# ==========================================================
# Network Access Protection client configuration
# ==========================================================
pushd nap client
# ----------------------------------------------------------
# Trusted server group configuration
# ----------------------------------------------------------
reset trustedservergroup
# ----------------------------------------------------------
# Cryptographic service provider (CSP) configuration
# ----------------------------------------------------------
set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"
# ----------------------------------------------------------
# Hash algorithm configuration
# ----------------------------------------------------------
set hash oid = "1.3.14.3.2.29"
# ----------------------------------------------------------
# Enforcement configuration
# ----------------------------------------------------------
set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"
# ----------------------------------------------------------
# Tracing configuration
# ----------------------------------------------------------
set tracing state = "disable" level = "basic"
# ----------------------------------------------------------
# User interface configuration
# ----------------------------------------------------------
reset userinterface
popd
# End of NAP client configuration
C:\Users\subbup>
C:\Users\subbup>Netsh nap client show state
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
GroupPolicy = Configured
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Id = 79619
Name = IPsec Relying Party
Description = Provides IPsec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = RD Gateway Quarantine Enforcement Client
Description = Provides RD Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (0) -
Id = 79745
Name = Configuration Manager System Health Agent
Description = Configuration Manager System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
Version = 2007
Vendor name = Microsoft Corporation
Registration date = 1/9/2012 11:20:10 AM
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 100
Fixup Message = (90701) - The Configuration Manager System Health Agent is compliant with the required software updates.
Compliance results =
Remediation results = (0x00000000) - (null)
Ok.
C:\Users\subbup>
C:\Users\subbup>Netsh nap client show configuration
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = IPsec Relying Party
ID = 79619
Admin = Disabled
Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Ok.
C:\Users\subbup>Netsh nap client show grouppolicy
NAP client configuration (group policy):
----------------------------------------------------
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Enabled
Name = IPsec Relying Party
ID = 79619
Admin = Disabled
Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Ok.
C:\Users\subbup>
Regards
Jijo Joseph
Thursday, July 5, 2012 11:53 AM
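As an added diagnostic (not code from this thread or from Microsoft), the Python below parses the output of netsh nap client show state, show configuration and show grouppolicy as quoted in the listings above and flags what Jon's checklist points at: a restricted client, an SHA with Initialized = No (ID 79744 is the one named in the "SHA not present" warning), and a DHCP enforcement client (79617) that is enabled by neither GPO nor local configuration, or enabled but never initialized. The sample listings are constructed from the output quoted in the thread; the section names and keys are the ones netsh prints.

```python
import re

# Matches one "Key = Value" line of netsh output (the value may be empty).
KV = re.compile(r"^([A-Za-z][A-Za-z ()]*?)\s*=\s*(.*?)\s*$")

def parse_netsh(text):
    """Group 'Key = Value' lines into records under each 'Header:' section.
    A new record starts when a key repeats (the next 'Id =' or 'Name =')."""
    sections, section, record = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"} or line == "Ok.":
            continue                       # blank line, dashed rule or "Ok."
        if line.endswith(":"):             # section header
            section, record = line[:-1], None
            sections[section] = []
            continue
        m = KV.match(line)
        if m and section is not None:
            key, value = m.groups()
            if record is None or key in record:
                record = {}
                sections[section].append(record)
            record[key] = value
    return sections

def admin_flags(text):
    """Enforcement client ID -> Admin state from show configuration/grouppolicy."""
    return {r["ID"]: r["Admin"] for r in parse_netsh(text).get("Enforcement clients", [])}

def diagnose(state_text, config_text, gpo_text):
    """Return findings for one client; an empty list means nothing suspicious."""
    state = parse_netsh(state_text)
    local, gpo = admin_flags(config_text), admin_flags(gpo_text)
    findings = []
    if state.get("Client state", [{}])[0].get("Restriction state") == "Restricted":
        findings.append("client is on the restricted network")
    # An SHA with Initialized = No is what the "SHA not present ... ID 79744"
    # warning refers to; in this thread a stopped Security Center service caused it.
    for sha in state.get("System health agent (SHA) state", []):
        if sha.get("Initialized") != "Yes":
            findings.append(f"SHA {sha['Id']} ({sha['Name']}) not initialized")
    # DHCP enforcement (79617) must be enabled locally or by GPO, and initialized.
    ecs = {r["Id"]: r for r in state.get("Enforcement client state", [])}
    if "Enabled" not in (local.get("79617"), gpo.get("79617")):
        findings.append("DHCP enforcement client 79617 enabled neither locally nor by GPO")
    elif ecs.get("79617", {}).get("Initialized") != "Yes":
        findings.append("DHCP enforcement client 79617 enabled but not initialized")
    return findings

# Constructed samples modelled on the netsh listings quoted in the thread.
STATE = """Client state:
Name = Network Access Protection Client
Restriction state = Not restricted
Enforcement client state:
Id = 79617
Name = DHCP Quarantine Enforcement Client
Initialized = Yes
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Initialized = No"""
CONFIG = """NAP client configuration:
Enforcement clients:
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled"""
GPO = CONFIG.replace("Admin = Disabled", "Admin = Enabled")  # GPO turns it on
```

Run against the last listing in the thread it reports only the uninitialized SHA 79744, which matches the "SHA not present" warning the client shows.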