Client not receiving health certificate (NAP agent failed to acquire a certificate for the request)

  • Question

  • Configured an Enterprise CA which issues certificates for Direct Access clients and health certificates. The enterprise CA, HRA and NPS roles are configured on one server (Server 2008 R2 Standard); Direct Access is configured on a separate 2012 server.

    Sidenote: certificates for Direct Access are being issued by the same CA; no issues accessing the network using Direct Access.

    According to the Network Policy and Access Services server, the client is granted full access because it met the configured health policies.

    I searched and tried several solutions, but I'm confused: in the client event log an HRA error appears, while in the Network Policy and Access Services log on the server itself there's no HRA error.

    NPS configuration

    1 connection request policy named: NAP IPsec with HRA

    2 network policies named: NAP IPsec with HRA Compliant
                              NAP IPsec with HRA Noncompliant

    Connection request and network policies are configured with Type of network access server: Health Registration Authority

    CA configuration

    Added the Network Service account to the security of the CA; permissions are: Issue and Manage Certificates / Request Certificates / Read / Manage CA (gave it all the permissions for testing purposes)

    certificate template configuration

    Issued a template named Health authentication Direct Access Clients. The Network Service account has Read/Enroll/Autoenroll permissions for this template. Application policy extensions: Client Authentication and System Health Authentication

    HRA configuration

    Added the CA to the HRA

    Server eventlog

    Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Fully Qualified Account Name: -

    Client Machine:
    Security ID: Domain\computername
    Account Name: computername.domain.local
    Fully Qualified Account Name: Domain\computername$
    OS-Version: 6.1.7601 1.0 x64 Workstation
    Called Station Identifier: -
    Calling Station Identifier: -

    NAS:
    NAS IPv4 Address: Ipadres
    NAS IPv6 Address: -
    NAS Identifier: server.domain.local
    NAS Port-Type: Ethernet
    NAS Port: -

    RADIUS Client:
    Client Friendly Name: -
    Client IP Address: -

    Authentication Details:
    Connection Request Policy Name: NAP IPsec with HRA
    Network Policy Name: NAP IPsec with HRA Compliant
    Authentication Provider: Windows
    Authentication Server: server.domain.local
    Authentication Type: Unauthenticated
    EAP Type: -
    Account Session Identifier: SESSION IDENTIFIER

    Quarantine Information:
    Result: Full Access
    Extended-Result: -
    Session Identifier: SESSION IDENTIFIER
    Help URL: -
    System Health Validator Result(s):
    Windows Security Health Validator

    Client eventlog

    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {AD43EFEA-A663-4EE8-BCF7-28699DFC9AAC} - 2013-10-23 12:21:01.726Z from https://CASERVER.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL.

    The request failed with the error code (500). This server will not be tried again for 10 minutes.

    Contact the HRA administrator for more information.

    The strange thing is, I don't see any failed request on the CA, nor any failed request with the same correlation-id in the Network Policy and Access Services event log, which tells me that the client didn't connect to the HRA. If I try to open the URL https://CASERVER.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL, a popup appears asking me for a username and password. If I enter the password, another page opens with internal error 500. No SSL errors.
    (Auditing is enabled; checked it with the auditpol command.)

    Show config output


    NAP client configuration (group policy): 
    ---------------------------------------------------- 

    NAP client configuration: 
    ---------------------------------------------------- 

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

    Hash algorithm = sha1RSA (1.3.14.3.2.29) 

    Enforcement clients: 
    ---------------------------------------------------- 
    Name            = DHCP Quarantine Enforcement Client 
    ID              = 79617 
    Admin           = Disabled 

    Name            = IPsec Relying Party 
    ID              = 79619 
    Admin           = Enabled 

    Name            = RD Gateway Quarantine Enforcement Client 
    ID              = 79621 
    Admin           = Disabled 

    Name            = EAP Quarantine Enforcement Client 
    ID              = 79623 
    Admin           = Disabled 

    Client tracing: 
    ---------------------------------------------------- 
    State = Disabled 
    Level = Disabled 

    Trusted server group configuration: 
    ---------------------------------------------------- 
    Group            = HRA 
    Require Https    = Disabled 
    URL              = http://CA.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL 
    Processing order = 1 
    Group            = HRA 
    Require Https    = Disabled 
    URL              = https://CA.DOMAIN.LOCAL/DomainHRA/HCSRVEXT.DLL 
    Processing order = 2 

    Ok.

    Show state output


    Client state: 
    ---------------------------------------------------- 
    Name                   = Network Access Protection Client 
    Description            = Microsoft Network Access Protection Client 
    Protocol version       = 1.0 
    Status                 = Enabled 
    Restriction state      = Not restricted 
    Troubleshooting URL    =  
    Restriction start time =  
    Extended state         =  
    GroupPolicy            = Configured 

    Enforcement client state: 
    ---------------------------------------------------- 
    Id                     = 79617 
    Name                   = DHCP Quarantine Enforcement Client 
    Description            = Provides DHCP based enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 

    Id                     = 79619 
    Name                   = IPsec Relying Party 
    Description            = Provides IPsec based enforcement for Network Access Protection 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = Yes 

    Id                     = 79621 
    Name                   = RD Gateway Quarantine Enforcement Client 
    Description            = Provides RD Gateway enforcement for NAP 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 

    Id                     = 79623 
    Name                   = EAP Quarantine Enforcement Client 
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies. 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = No 

    System health agent (SHA) state: 
    ---------------------------------------------------- 
    Id                     = 79744 
    Name                   = Windows Security Health Agent 
    Description            = The Windows Security Health Agent monitors security settings on your computer. 
    Version                = 1.0 
    Vendor name            = Microsoft Corporation 
    Registration date      =  
    Initialized            = Yes 
    Failure category       = None 
    Remediation state      = Success 
    Remediation percentage = 0 
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer. 
    Compliance results     = 
    Remediation results    = 

    Ok.




    • Edited by Marc-1983 Wednesday, October 23, 2013 1:15 PM
    Wednesday, October 23, 2013 1:02 PM
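    As an added example (not code from the original post or from Microsoft), the script below is a client-side triage for the symptom described above. It reads the same netsh nap client show config output, flags the plaintext http:// trusted-server entry that appears in the configuration above with Require Https disabled (with that setting the agent will happily use the http entry at processing order 1, and over plain HTTP the client cannot authenticate the HRA it hands its Statement of Health to), probes each HRA URL for the HTTP status the browser test returned, and checks whether a health certificate (System Health Authentication EKU, OID 1.3.6.1.4.1.311.47.1.1) was ever enrolled. The certificate store location and the meaning of the probe codes are assumptions, marked in the comments; PowerShell 2.0 on Windows 7 is enough.

```powershell
# Added example, not part of the original thread: client-side triage for the
# "failed to acquire a certificate ... error code (500)" symptom.
# Run in an elevated PowerShell on the NAP client (PowerShell 2.0 is enough).

$HealthAuthOid = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU

# 1. Read the trusted server group the NAP agent really uses (group policy wins over local config).
$config = netsh nap client show config
$urls = @()
foreach ($line in $config) {
    if ($line -match '^\s*URL\s*=\s*(\S+)') { $urls += $Matches[1] }
}
$requireHttps = [bool]($config | Where-Object { $_ -match '^\s*Require Https\s*=\s*Enabled' })
foreach ($u in $urls) {
    if ($u -like 'http://*' -and -not $requireHttps) {
        Write-Warning "Plaintext HRA entry $u is accepted (Require Https = Disabled): the client cannot authenticate the HRA"
    }
}

# 2. Probe each HRA URL. A GET is not the HCEP exchange the agent performs (it POSTs a
#    Statement of Health), so treat this purely as a reachability/auth check. Assumed meaning:
#    401 = IIS wants Windows authentication (normal for the authenticated HRA path),
#    500 = the HRA extension itself failed, which is what the browser test in the post showed.
function Test-HraUrl {
    param([string]$Url)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.UseDefaultCredentials = $true
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode } else { $code = -1 }
    }
    return $code
}
foreach ($u in $urls) { "{0} -> HTTP {1}" -f $u, (Test-HraUrl $u) }

# 3. Did a health certificate ever land? Assumption: the NAP agent keeps it in the computer's
#    Personal store (LocalMachine\My). It is recognisable by the System Health Authentication EKU.
function Get-HealthCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $HealthAuthOid })
    }
}
$health = @(Get-HealthCertificate)
if ($health.Count -eq 0) {
    Write-Warning 'No health certificate in LocalMachine\My: the IPsec Relying Party has nothing to present to peers'
} else {
    $health | ForEach-Object { "Health cert {0} issued by {1}, expires {2}" -f $_.Thumbprint, $_.Issuer, $_.NotAfter }
}

# 4. Cross-check with the agent's own view: the IPsec Relying Party must be initialized
#    and the Windows Security Health Agent must report a successful remediation state.
netsh nap client show state | Select-String -Pattern 'IPsec Relying Party', 'Initialized', 'Remediation state'
```

    If step 2 returns 500 for the HRA URL while the NPS log on the server shows "granted full access", the failure is after NPS has evaluated the SoH, i.e. at the point where the HRA turns the verdict into a certificate request, which is where the accepted answer below points.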

Answers

  • SOLVED: Forgot one step, adding the certificate template to the HRA so it knows which template to issue, which explains everything

    Steps 

    1. Open the HRA

    2. Right click Certification Authority and select Properties

    3. Under Use enterprise certification authority , select the template for :
    -Authenticated compliant certificate template
    -Anonymous compliant certificate template

    http://technet.microsoft.com/nl-nl/library/dd314161(v=ws.10).aspx


    • Edited by Marc-1983 Wednesday, October 23, 2013 1:32 PM
    • Marked as answer by Marc-1983 Wednesday, October 23, 2013 1:32 PM
    Wednesday, October 23, 2013 1:31 PM
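    A server-side check to run on the CA/HRA host after following those steps, as an added example that is not part of the answer: it looks the template up in the Certificate Templates container in AD and confirms it carries both the Client Authentication and System Health Authentication EKUs, lists who holds the Enroll right on it (the HRA enrolls as Network Service when it shares the box with the CA, as in this thread), checks that the CA is configured to issue the template (certutil -CATemplates) and counts the certificates the CA has actually issued from it (certutil -view). The template display name and the same-host assumption are the only things to change; nothing here reads the HRA's own settings, which stay in hcscfg.msc. One practitioner caveat from the question: the CA-level permissions granted "for testing" include Manage CA, which is the CA administrator role and is not needed for enrollment; trim it once certificates flow.

```powershell
# Added example, not part of the original thread: verify on the CA/HRA server that the
# template the HRA was pointed at is one the CA can issue as a health certificate.
# Assumptions (change to match your environment): the template display name below, and that
# HRA and CA share the host, so the HRA enrolls as NT AUTHORITY\NETWORK SERVICE.
$TemplateDisplayName = 'Health authentication Direct Access Clients'

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'                      # Client Authentication EKU
$HealthAuthOid   = '1.3.6.1.4.1.311.47.1.1'                 # System Health Authentication EKU
$EnrollRightGuid = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

# 1. Locate the template object in the configuration partition and read its EKUs.
$configNc      = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templatesRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($templatesRoot)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Template '$TemplateDisplayName' not found in AD" }

$templateCn  = [string]$hit.Properties['cn'][0]
$templateOid = [string]$hit.Properties['mspki-cert-template-oid'][0]
# EKUs appear in pKIExtendedKeyUsage and, for v2+ templates, msPKI-Certificate-Application-Policy.
$policies = @($hit.Properties['pkiextendedkeyusage']) + @($hit.Properties['mspki-certificate-application-policy'])
$hasClientAuth = $policies -contains $ClientAuthOid
$hasHealthAuth = $policies -contains $HealthAuthOid
"Template $templateCn ($templateOid): ClientAuth=$hasClientAuth SystemHealthAuth=$hasHealthAuth"
if (-not $hasHealthAuth) { Write-Warning 'Template lacks System Health Authentication: HRA cannot use it' }

# 2. Who may enroll? Enroll is the Certificate-Enrollment extended right on the template object.
$templateObj = [ADSI]"LDAP://CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$enrollers = @($templateObj.ObjectSecurity.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'ExtendedRight' -and
                   $_.ObjectType -eq [guid]$EnrollRightGuid } |
    ForEach-Object { $_.IdentityReference.Value })
"Enroll allowed for: $($enrollers -join ', ')"
if ($enrollers -notcontains 'NT AUTHORITY\NETWORK SERVICE') {
    Write-Warning 'Network Service has no direct Enroll ACE (it may still inherit one through a group)'
}

# 3. Is the CA configured to issue the template, and has it issued anything from it?
$caTemplates = certutil -CATemplates
$offered = [bool]($caTemplates | Where-Object { $_ -match "^\s*$([regex]::Escape($templateCn)):" })
"CA offers template: $offered"

# Disposition 20 = issued. The template column holds the OID (v2+) or the name (v1), so match either.
$rows = certutil -view -restrict 'Disposition=20' -out 'RequestID,RequesterName,CertificateTemplate,NotAfter' csv |
        ConvertFrom-Csv
$issued = @($rows | Where-Object {
    $vals = @($_.PSObject.Properties | ForEach-Object { [string]$_.Value })
    [bool]($vals -match "$([regex]::Escape($templateOid))|^$([regex]::Escape($templateCn))\b")
})
"Certificates issued from the template: $($issued.Count)"
$issued | Select-Object -Last 5 | Format-Table -AutoSize
```

    Before the HRA is told which template to use, step 3's count stays at zero even though NPS logs "Full Access" for every client, which matches the symptom in the question: the failure is in the HRA's certificate request, not in policy evaluation.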

All replies

  • Hi,

    Good to hear that.

    Thanks for sharing as well, since it will be greatly helpful to anyone who has similar issues.

    Have a good time!

    Best regards,

    Susie

    Thursday, October 24, 2013 1:29 AM
  • Thank you for posting this question and answer; I've been looking for this for over an hour. To clarify,

    1. Open the HRA (run hcscfg.msc on the HRA server)

    2. Right click Certification Authority and select Properties

    3. Under Use enterprise certification authority , select the template for :
    -Authenticated compliant certificate template
    -Anonymous compliant certificate template

    Cheers!

    Friday, January 31, 2014 1:46 AM