Issue with NAP setup SHA error

  • Question

  • Hi all,

    I have set up NAP infrastructure in the design below (followed the NAP DHCP guide).

    This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.


    Server Configuration
    ===================

    a) Configured Windows 2008 as DC, created a user and added that user to a domain group, created a security group for NAP clients.

    b) Configured 2008 as DHCP server providing static IP addresses, configured NPS server and DHCP scopes.

    c) Configured NPS as Network Health Policy Server, configured SHV for Windows XP SP3.

    d) Configured DHCP scope options by adding options 015, 006 and 003, and also configured restricted.domain.com on the DHCP server (configured the default NAP class); the appropriate GPOs are also configured.

    Question
    =======
    When I type gpmc and navigate to --> domain.com --> Group Policy Object, I have configured security filtering with the appropriate group, but in the same window under Links I see that my domain is listed but the Enforced option is set to No. Do I need to set it to Yes?


    e) Tested the client by performing ipconfig /release and /renew, and my client was getting added to restricted.domain.com with subnet mask 255.255.255.255, which is expected.

    f) Later I configured the remediation server and joined the client to the domain. I have turned on the Windows Firewall on the Windows XP SP3 client, but I still get the NAP warning:

    "Your computer is not compliant with the requirements of this network.
      SHA not present: a system health agent that may be required for full network access is not present on this computer. Please contact your administrator. ID 79744"

    I am attaching the following logs.


    Group Policy of client

    NAP client configuration (group policy):
    ----------------------------------------------------

    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Enabled

    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled

    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Enabled

    Name            = Wireless Eapol Quarantine Enforcement Client
    ID              = 79620
    Admin           = Disabled

    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Trusted server group configuration:
    ----------------------------------------------------
    Group            = Trusted HRA servers
    Require Https    = Enabled
    URL              = https://domain/domainhra/hcsrvext.dll
    Processing order = 1

    Ok.

    ========================================================================

    IP config of client 

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : Host name
            Primary Dns Suffix  . . . . . . . : domain.com
            Node Type . . . . . . . . . . . . : Hybrid
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : domain.com
                                                restricted.domain.com

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix  . : restricted.domain.com
            Description . . . . . . . . . . . : Realtek RTL8169/8110 Family Gigabit Ethernet NIC
            Physical Address. . . . . . . . . :
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . :  10 series ip address
            Subnet Mask . . . . . . . . . . . : 255.255.255.255
            IP Address. . . . . . . . . . . . :
            Default Gateway . . . . . . . . . :
            DHCP Server . . . . . . . . . . . : dhcp server ip address
            DNS Servers . . . . . . . . . . . : dns server ip address
            Lease Obtained. . . . . . . . . . : Monday, March 02, 2009 11:57:31 AM
            Lease Expires . . . . . . . . . . : Tuesday, March 10, 2009 11:57:31 AM


    =======================================================================

    Client Show State results

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Restricted
    Troubleshooting URL    = 
    Restriction start time = 
    Extended state         = 

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes

    Id                     = 79620
    Name                   = Wireless Eapol Quarantine Enforcement Client
    Description            = Provides wireless Eapol based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
     
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
     
    Version                = 1.0
     
    Vendor name            = Microsoft Corporation
     
    Registration date      = 
    Initialized            = No
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (0) - 

    Ok.

    ==================================================================


    Auto remediation is not working, which means that when I disable Windows Firewall it is not automatically turning the service back on. Please assist.


    sainath Windows Driver Development
    Monday, March 2, 2009 12:13 PM

Answers

  • Sainath Into Driver Development said:

    Question
    =======
    When I type gpmc and navigate to --> domain.com --> Group Policy Object, I have configured security filtering with the appropriate group, but in the same window under Links I see that my domain is listed but the Enforced option is set to No. Do I need to set it to Yes?

    No, that's not relevant in this scenario. However, if you are uncertain that the GPO is applied, you can verify this by checking GPRESULT and seeing that it is listed properly. That should be verification enough to say whether the GPO gets the correct scope / security filtering.
    You can also confirm it's working by verifying the services the GPO is trying to enable (automatically) for the client, and checking that this is the case. (Ex: Network Access Protection Agent service = Automatic)

    Further, notice another thing: the NAP client works in mysterious ways, and we've had problems (unreliable predictions) ourselves when we relied on "manually enabling the enforcement client on the client".
    That's the result you can see by doing:

    netsh nap client>show configuration

    NAP client configuration:
    ----------------------------------------------------

    Instead, try to see what this brings up (it might be a different result):

    netsh nap client>show grouppolicy

    NAP client configuration (group policy):
    ----------------------------------------------------

    From your output it shows that group policy doesn't have any content, while the manually configured Enforcement clients are being listed with some results. Not sure if that's a result of which command you used to ask for the config results.

    Now, down to a bit more conclusions from your listings.
    You say that autoremediation doesn't work, but that may be because it doesn't know which health status it is supposed to have.
    That may be linked to the "minor issues" that you don't seem to get the Enforcement through group policy.
    1. So rechecking the group policy and verifying that it is really receiving the GPO is a must.
    2. That the content of the GPO is really applied, and that you don't have any GPO processing problems on one or more clients.

    If you confirm that the GPOs are really working:
    * GPRESULT shows the policy in the list, and applied to the correct scope.
    * Security Center is running and can't be disabled by a standard user (GPO will do that for you)
    * NAP service is set to automatic mode, and is started every time

    Next is: why the Enforcement Client isn't listed when you do the "show grouppolicy" in netsh. But that's for later, after you have verified the GPOs.
    Those are the minimum XP SP3 client-side requirements for it to be able to autoremediate.

    Hint: keep an eye out for GPO processing problems in the Event Log on the client to eliminate just that.

    Sincerely, Jon E. Carlsen
    Thursday, March 5, 2009 12:15 AM
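As an added example (not from this thread or from Microsoft), the PowerShell script below runs the client-side checklist from the answer above: the NAP Agent, Security Center and Health Key and Certificate Management services set to Automatic and running, the Initialized flags from netsh nap client show state (the Windows Security Health Agent, ID 79744, is the one behind the "SHA not present" warning), and whether the DHCP Quarantine Enforcement Client (ID 79617) is enabled through group policy. It assumes the "Key = Value" layout netsh prints in the posts; the service names napagent, wscsvc and hkmsvc are the real ones, and the function names are my own.

```powershell
# Added example, not from the thread: triage a NAP client against Jon's checklist.
# Uses WMI so it also runs on the PowerShell 2.0 that XP SP3 can install. The
# parsers assume the "Key = Value" layout that 'netsh nap client' prints.

$requiredServices = @{
    'napagent' = 'Network Access Protection Agent'
    'wscsvc'   = 'Security Center'
    'hkmsvc'   = 'Health Key and Certificate Management'
}

# All three must be StartMode=Auto and State=Running before autoremediation can work.
function Test-NapServices {
    $ok = $true
    foreach ($name in $requiredServices.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            Write-Warning ("{0} ({1}): service not installed" -f $requiredServices[$name], $name)
            $ok = $false
            continue
        }
        $line = "{0,-40} StartMode={1,-8} State={2}" -f $requiredServices[$name], $svc.StartMode, $svc.State
        if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') { Write-Warning $line; $ok = $false }
        else { Write-Host $line }
    }
    return $ok
}

# Split the "Id = / Name = / Initialized =" blocks of 'show state' into hashtables.
function ConvertFrom-NapStateOutput {
    param([string[]]$Lines)
    $blocks = @(); $cur = $null
    foreach ($l in $Lines) {
        if ($l -match '^\s*Id\s*=\s*(\d+)') {
            $cur = @{ Id = [int]$Matches[1]; Name = ''; Initialized = '' }
            $blocks += $cur
        } elseif ($cur -ne $null -and $l -match '^\s*(Name|Initialized)\s*=\s*(.*)$') {
            $cur[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $blocks
}

# The "SHA not present ... ID 79744" warning corresponds to the Windows Security
# Health Agent block showing Initialized = No, which is what this flags.
function Test-NapClientState {
    $out = netsh nap client show state
    $restriction = 'unknown'
    foreach ($l in $out) {
        if ($l -match '^\s*Restriction state\s*=\s*(.*)$') { $restriction = $Matches[1].Trim() }
    }
    Write-Host "Restriction state: $restriction"
    $ok = $true
    foreach ($b in ConvertFrom-NapStateOutput $out) {
        $flag = if ($b.Initialized -eq 'Yes') { 'initialized' } else { 'NOT INITIALIZED' }
        Write-Host ("  {0,-6} {1,-45} {2}" -f $b.Id, $b.Name, $flag)
        if ($b.Id -eq 79744 -and $b.Initialized -ne 'Yes') { $ok = $false }
    }
    return $ok
}

# Jon's follow-up point: if the GPO really reaches the client, 'show grouppolicy'
# lists the DHCP Quarantine Enforcement Client (ID 79617) with Admin = Enabled.
function Test-NapGroupPolicyEnforcement {
    $out = netsh nap client show grouppolicy
    $id = ''; $enabled = $false
    foreach ($l in $out) {
        if ($l -match '^\s*ID\s*=\s*(\d+)') { $id = $Matches[1] }
        elseif ($id -eq '79617' -and $l -match '^\s*Admin\s*=\s*Enabled') { $enabled = $true }
    }
    if (-not $enabled) {
        Write-Warning 'DHCP enforcement client not enabled via group policy; check gpresult /r and the client event log'
    }
    return $enabled
}

$results = @{
    Services    = Test-NapServices
    GroupPolicy = Test-NapGroupPolicyEnforcement
    ClientState = Test-NapClientState
}
foreach ($k in $results.Keys) {
    "{0,-12} {1}" -f $k, $(if ($results[$k]) { 'PASS' } else { 'FAIL' })
}
```

Run it in an elevated PowerShell on the client that shows the warning; a FAIL on Services with Security Center stopped is exactly the condition the thread ends up identifying.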
  • Hi Jon,

    Thanks for the reply. I had done further research and found that my Security Center was stopped,

    which was actually creating all the mess.

    Your inputs are really helpful, and you actually pointed out the Security Center service, which was the culprit.

    I really had 2 days of tough time analyzing the cause, but it turned out to be a simple service.


    As an end user I would expect the NAP documentation to be modified a bit and mention the services required, because as a systems engineer / systems administrator / network developer, we always jump to the document which explains the steps to configure, rather than knowing about the prerequisites.

    Thanks for your time Jon, appreciate the explanation.


    sainath Windows Driver Development
    Thursday, March 5, 2009 5:13 AM

All replies

  • Hi all,

    There is one more interesting update I want to share: I configured DHCP NAP with firewall on another Windows XP SP3 machine and, interestingly, show state has this result.

    Id                     = 79744
    Name                   = Windows Security Health Agent
     
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
     
    Version                = 1.0
     
    Vendor name            = Microsoft Corporation
     
    Registration date      = 
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.

    But on another client it is Initialized = No.
    sainath Windows Driver Development
    Monday, March 2, 2009 1:46 PM
  • Further tests.

    I have made sure the "Health key and certificate manager" service is started.

    Also I am observing event ID 21 from Napagent.

    The difference between failing and passing clients is that only 2 files from DHCP rfront are missing:

    a) dhcpmon.dll
    b) dhcpsapi.dll

    Question:

    Do we need the above 2 files?

    Also please let me know if I am missing anything else and what files are required

    from the server side

    from the client side



    sainath Windows Driver Development
    Monday, March 2, 2009 5:40 PM
  • Hi All,

    Any inputs?

    Please assist.

    sainath Windows Driver Development
    Tuesday, March 3, 2009 9:34 AM
  • I'm glad to hear you have resolved it, and that it was this "simple", although it can be tough to find the cause of these anomalies in a testing environment.

    Good luck on your testing and deployment. :-)
    Sincerely, Jon E. Carlsen
    Thursday, March 5, 2009 5:54 AM
  • Hi Jon,

    We have configured NAP and the policies are working; most of the systems are applying the NAP DHCP Noncompliant policy and giving the message "SHA Not present". Enclosed are the screenshot and log files for your reference. Request you to help us resolve this issue.

    C:\Users\subbup>Netsh nap client show csps

    Available cryptographic service providers (CSPs):

    Name
    ----------------------------------------------------
    Microsoft Base Cryptographic Provider v1.0
    Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
    Microsoft Base DSS Cryptographic Provider
    Microsoft Base Smart Card Crypto Provider
    Microsoft DH SChannel Cryptographic Provider
    Microsoft Enhanced Cryptographic Provider v1.0
    Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
    Microsoft Enhanced RSA and AES Cryptographic Provider
    Microsoft RSA SChannel Cryptographic Provider
    Microsoft Strong Cryptographic Provider

    Ok.

    C:\Users\subbup>

    C:\Users\subbup>Netsh nap client show hashes

    Available hash algorithms:

    Name                          OID
    ----------------------------------------------------
    sha1RSA                       1.2.840.113549.1.1.5
    md5RSA                        1.2.840.113549.1.1.4
    sha1DSA                       1.2.840.10040.4.3
    sha1RSA                       1.3.14.3.2.29
    shaRSA                        1.3.14.3.2.15
    md5RSA                        1.3.14.3.2.3
    md2RSA                        1.2.840.113549.1.1.2
    md4RSA                        1.2.840.113549.1.1.3
    md4RSA                        1.3.14.3.2.2
    md4RSA                        1.3.14.3.2.4
    md2RSA                        1.3.14.7.2.3.1
    sha1DSA                       1.3.14.3.2.13
    dsaSHA1                       1.3.14.3.2.27
    mosaicUpdatedSig              2.16.840.1.101.2.1.1.19
    sha1NoSign                    1.3.14.3.2.26
    md5NoSign                     1.2.840.113549.2.5
    sha256NoSign                  2.16.840.1.101.3.4.2.1
    sha384NoSign                  2.16.840.1.101.3.4.2.2
    sha512NoSign                  2.16.840.1.101.3.4.2.3
    sha256RSA                     1.2.840.113549.1.1.11
    sha384RSA                     1.2.840.113549.1.1.12
    sha512RSA                     1.2.840.113549.1.1.13
    RSASSA-PSS                    1.2.840.113549.1.1.10
    sha1ECDSA                     1.2.840.10045.4.1
    sha256ECDSA                   1.2.840.10045.4.3.2
    sha384ECDSA                   1.2.840.10045.4.3.3
    sha512ECDSA                   1.2.840.10045.4.3.4
    specifiedECDSA                1.2.840.10045.4.3

    Ok.

    C:\Users\subbup>

    C:\Users\subbup>Netsh nap client dump

    # ==========================================================
    # Network Access Protection client configuration
    # ==========================================================
    pushd nap client
    # ----------------------------------------------------------
    # Trusted server group configuration
    # ----------------------------------------------------------
    reset trustedservergroup
    # ----------------------------------------------------------
    # Cryptographic service provider (CSP) configuration
    # ----------------------------------------------------------
    set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"
    # ----------------------------------------------------------
    # Hash algorithm configuration
    # ----------------------------------------------------------
    set hash oid = "1.3.14.3.2.29"
    # ----------------------------------------------------------
    # Enforcement configuration
    # ----------------------------------------------------------
    set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"
    # ----------------------------------------------------------
    # Tracing configuration
    # ----------------------------------------------------------
    set tracing state = "disable" level = "basic"
    # ----------------------------------------------------------
    # User interface configuration
    # ----------------------------------------------------------
    reset userinterface
    popd
    # End of NAP client configuration

    C:\Users\subbup>

    C:\Users\subbup>Netsh nap client show state

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =
    GroupPolicy            = Configured

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent monitors security settings on your computer.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (0) -

    Id                     = 79745
    Name                   = Configuration Manager System Health Agent
    Description            = Configuration Manager System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
    Version                = 2007
    Vendor name            = Microsoft Corporation
    Registration date      = 1/9/2012 11:20:10 AM
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 100
    Fixup Message          = (90701) - The Configuration Manager System Health Agent is compliant with the required software updates.
    Compliance results     =
    Remediation results    = (0x00000000) - (null)

    Ok.

    C:\Users\subbup>

    C:\Users\subbup>Netsh nap client show configuration

    NAP client configuration:
    ----------------------------------------------------
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled

    Name            = IPsec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = RD Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Ok.

    C:\Users\subbup>Netsh nap client show grouppolicy

    NAP client configuration (group policy):
    ----------------------------------------------------

    NAP client configuration:
    ----------------------------------------------------
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Enabled

    Name            = IPsec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = RD Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Ok.

    C:\Users\subbup>

    Regards

    Jijo Joseph

    Thursday, July 5, 2012 11:53 AM