Trusted Server Groups: Local config vs. GPO

  • Question

  • Hello,
     
    I've configured IPsec NAP in a test environment.
    The setup is simple:
    Server1.krva.local = DC, DNS, Root Ent CA
    Server2.krva.local = Sub Standalone CA, NAP, HRA
    Vista.krva.local = test client

    I've gone through the configuration of the certificates, NAP and the GPO settings.

    When I connect with the client and enter the command: netsh nap client group grouppolicy, I see that IPsec NAP is enabled and the URL of the trusted HRA is https://server2.krva.local
    No problem.

    However, when I try disabling the firewall, it will not be automatically re-enabled (although that's configured).

    When I check the event log I see these errors (the common ones):

    Error EventID: 21
    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {350F14E0-DA99-4429-B1D8-06B9C9FFEFDA} - 2008-12-11 15:13:07.517Z from
    https://server2.krva.local/domainhra/hcsrvext.dll.
     The request failed with the error code (2147954444). This server will not be tried again for 240 minutes.
     See the HRA administrator for more information.

    -------

    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {B4C57D02-1F2C-4597-9FCF-BF2505546EDB} - 2008-12-12 15:12:03.824Z from https://server2.krva.local/domainhra/hcsrvext.dll.
     The request failed with the error code (2147954575). This server will not be tried again for 240 minutes.
     See the HRA administrator for more information.

    -------

    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {12737516-1D20-427D-B07D-351D9D0E75E3} - 2008-12-15 10:43:27.276Z from https://server2.krva.local/domainhra/hcsrvext.dll.
     The request failed with the error code (2147954407). This server will not be tried again for 240 minutes.
     See the HRA administrator for more information.

    -------

    Error EventID: 1028
    The Windows Security Health Agent failed to notify the Windows Network Access Protection Service of a change in the security health state of the computer.
    Failure Code: 0x80070005.

    Fine, so I have a certificate error somewhere.  Unfortunately not.

    Now I've configured the exact same settings (enable IPsec NAP & the trusted HRA server group) locally on the Vista client via the napclcfg.msc module. Instantly works like a charm and my event viewer fills up nicely with status changes, certificates, ... whenever I test some of the settings.
    However, there are still 2 errors (21) every time saying failed to acquire a certificate ... This is the setting that comes from the GPO.

    So my obvious question: why is it that locally configured IPsec NAP settings work perfectly while the exact same NAP settings (that are indeed applied) via the GPO don't work?

    Thanks for all your help.

    Tuesday, December 16, 2008 3:30 PM

Answers

  • Hi,

    NAP will work before you activate, so no worries there. The only way this would come into play is if you were using a SHA that enforced activation.

    There are two problems that I see. First, the IPsec Relying party isn't initialized. However, this isn't consistent with the client computer requesting a certificate. So, I'm thinking you might be using Vista with no service packs installed. There was a bug that was fixed in SP1 where the IPsec enforcement client would not display correctly as initialized. Let's not worry about this one for the moment.

    The other error code (500) indicates a configuration problem on HRA or NPS. Can you please check the event log on this server again?

    Review the events here: Custom Views\Server Roles\Network Policy and Access Services

    Thanks,
    -Greg
    Thursday, December 18, 2008 5:36 PM

All replies

  • Hi,

    First, the codes in your error messages correspond to the following status:

    2147954444 = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED 
    2147954575 = ERROR_WINHTTP_SECURE_FAILURE
    2147954407 = ERROR_WINHTTP_NAME_NOT_RESOLVED 

    These codes are listed here.

    I noticed that you got the errors on different days, so I'm not sure of what problem you have currently. The last error seems to be a DNS issue. The other ones are SSL problems.

    If you could provide the actual output of netsh nap client show group it will help to troubleshoot. One thing you should know, however, is that you cannot use settings from Group Policy and napclcfg.msc at the same time. If you have any settings configured in Group Policy, such as trusted server groups or enforcement clients enabled, then the local settings you configured with napclcfg.msc will be ignored. The only way to use local settings is to remove the client computer from whatever security group you are using to deploy Group Policy NAP settings.

    If you are getting error event 21, then IPsec NAP is not working correctly, even if the firewall is correctly being turned back on when you turn it off.

    It sounds like your goal is to get it working with Group Policy. Please configure the Group Policy settings and provide the following:

    1. Output of netsh nap client show group.
      --> we are checking that Group Policy settings are configured as expected.
    2. Output of netsh nap client show state
      --> we are checking that the Group Policy settings are being used as expected.
    3. Details from events on the client (event 21 and any other error events).
      --> we are checking which events are displayed and what error codes are present.
    4. Details from events on the server (NPS events 6272, 6273, 6274, or 6276 and any HRA events).
      --> we are checking how the client was evaluated by NPS and whether HRA has any problems.

    Thanks,
    -Greg
    Thursday, December 18, 2008 5:49 AM
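    As an added example that is not part of the thread: a small Python parser that pulls the correlation ID, HRA URL and error code out of the Event 21 text posted above and decodes the code with the WinHTTP status names Greg lists (plus the bare HTTP 500 that shows up later). The sample log is constructed in the same format as the events in this thread; the GUIDs and the category labels are made up for the example.

```python
import re
# Decimal codes exactly as Event 21 prints them, mapped to the WinHTTP status
# names listed in the reply above, plus the bare HTTP 500 seen later in the thread.
KNOWN_CODES = {
    2147954444: ("ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED", "tls-client-cert"),
    2147954575: ("ERROR_WINHTTP_SECURE_FAILURE", "tls"),
    2147954407: ("ERROR_WINHTTP_NAME_NOT_RESOLVED", "dns"),
    500: ("HTTP_500_FROM_HRA", "hra-or-nps-config"),
}

# One Event 21 body; the HRA URL may be wrapped onto its own line and ends with a period.
EVENT21_RE = re.compile(
    r"correlation-id \{(?P<corr>[0-9A-Fa-f-]+)\} - "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+Z) from\s+(?P<url>\S+?)\.?\s+"
    r"The request failed with the error code \((?P<code>\d+)\)"
)

def describe(code):
    """Return (symbolic name, category); codes not in the table are flagged, not guessed."""
    return KNOWN_CODES.get(code, ("UNKNOWN_%d" % code, "unknown"))

def parse_event21(log_text):
    """Extract one record per Event 21 body found in log_text."""
    records = []
    for m in EVENT21_RE.finditer(log_text):
        code = int(m.group("code"))
        name, category = describe(code)
        records.append({
            "correlation_id": m.group("corr"), "timestamp": m.group("ts"),
            "url": m.group("url"), "code": code, "name": name, "category": category,
            # plain-http URLs are worth comparing with the group's "Require Https" setting
            "plain_http": m.group("url").lower().startswith("http://"),
        })
    return records

def triage(records):
    """Group HRA URLs by failure category so the first thing to check stands out."""
    by_category = {}
    for r in records:
        by_category.setdefault(r["category"], set()).add(r["url"])
    return {k: sorted(v) for k, v in by_category.items()}

# Constructed sample in the format of the events posted in this thread (GUIDs are made up).
SAMPLE_LOG = """\
The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {11111111-2222-3333-4444-555555555555} - 2008-12-11 15:13:07.517Z from
https://server2.krva.local/domainhra/hcsrvext.dll.
 The request failed with the error code (2147954444). This server will not be tried again for 240 minutes.
The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {66666666-7777-8888-9999-000000000000} - 2008-12-18 11:53:22.759Z from http://server2.krva.local/domainhra/hcsrvext.dll.
 The request failed with the error code (500). This server will not be tried again for 240 minutes.
"""
```

Feed it the text of all Event 21 entries exported from the client's event log; `triage()` then shows at a glance whether the HRA requests are failing on DNS, on TLS, or with a 500 from the HRA itself.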
  • Hello,

    Yeah, I thought I had cleared the event log, but I must not have ...
    Anyway, below are the entries in the event viewer of the server and client after clearing the log and restarting both servers and the client.

    I was pretty sure that the locally configured NAP settings wouldn't take precedence over the GPO, but I thought I'd try it (just to see what happens).  And after that it started working.
    I've now removed the local settings though.

    I just remember something vaguely I read about IPsec NAP when it was first coming out: do all involved systems have to be activated?  At the moment my test setup is not.  I don't see anything on the internet now about this.

    The answers to your questions:
    1. result of netsh nap client show

    NAP client configuration (group policy):
    ----------------------------------------------------

    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled

    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled

    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Enabled

    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Trusted server group configuration:
    ----------------------------------------------------
    Group            = Trusted HRA Servers
    Require Https    = Disabled
    URL              = http://server1.krva2.local/domainhra/hcsrvext.dll
    Processing order = 1

    Ok.

    2. result of netsh nap client show state

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    = 
    Restriction start time = 

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.
    Compliance results     =
    Remediation results    =

    Ok.


    3. All error events on the client:
    Error 21:
    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {E45DEEA4-23D6-4123-AA19-F739790D9F86} - 2008-12-18 11:53:22.759Z from
    http://server2.krva.local/domainhra/hcsrvext.dll.
     The request failed with the error code (2147954402). This server will not be tried again for 240 minutes.
     See the HRA administrator for more information.

    Error 21:
    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {E45DEEA4-23D6-4123-AA19-F739790D9F86} - 2008-12-18 11:53:22.759Z from
    http://server2.krva.local/domainhra/hcsrvext.dll.
     The request failed with the error code (500). This server will not be tried again for 240 minutes.
     See the HRA administrator for more information.

    Error 21:
    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {E45DEEA4-23D6-4123-AA19-F739790D9F86} - 2008-12-18 11:53:22.759Z from
    http://server2.krva.local/domainhra/hcsrvext.dll.
     The request failed with the error code (500). This server will not be tried again for 240 minutes.
     See the HRA administrator for more information.

    Error 1028:
    The Windows Security Health Agent failed to notify the Windows Network Access Protection Service of a change in the security health state of the computer.
    Failure Code: 0x80070005.

    4. All error events on the server:
    Error 13:
    The Windows Security Health Agent failed to notify the Windows Network Access Protection Service of a change in the security health state of the computer.
    Failure Code: 0x80070005.

    Error 17:
    The Statement of Health Response received configuration for the following SHAs that are not installed on this computer: 79744
      --> this is OK, I'm not trying to have the NPS server as a NAP client

    Thanks for your help.

    Thursday, December 18, 2008 12:52 PM
  • Update: After a new reboot of the Vista client, I receive only the following error (3 times)

    Error 21:
    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {E45DEEA4-23D6-4123-AA19-F739790D9F86} - 2008-12-18 11:53:22.759Z from http://server2.krva.local/domainhra/hcsrvext.dll.
     The request failed with the error code (500). This server will not be tried again for 240 minutes.
     See the HRA administrator for more information.

    However, before those errors I see these information events:
    Information: 27
    A Statement of Health with correlation ID {8DBAF28D-593B-40BC-9735-10DCE0BBB960} - 2008-12-18 13:27:56.606Z was received from the System Health Agent 79744.
     The duration to check the client's health was 15 ms.


    Don't know if that helps.

    Thanks
    Thursday, December 18, 2008 1:37 PM
  • Hi,

    Let me know if the events I mentioned in my last post help you to determine what is wrong. It is likely just a slight configuration problem.

    -Greg
    Sunday, January 4, 2009 5:52 AM
  • Hello Greg,

    Sorry it took a while, but I was on vacation and didn't touch a computer for 3 weeks ... :)

    Anyway, it works ...

    I recreated a new NAP client configuration and applied it and created a new HRA.  In the Security Health Validator I tried both with auto-remediation enabled and disabled.  It goes without a problem.

    Unfortunately (for me), I don't see what I did differently now than I did the first time. Just to know what I did wrong.
    But there must have been something, because I restarted after my previous success from scratch with new servers and clients, same settings and it worked from the first time.

    Like you said, I must have made a small mistake somewhere the first time. And although I don't know exactly what, I think I've got enough testing to get a little bit of feeling for it.

    Thanks for your help! :)
    Monday, January 12, 2009 3:43 PM