The NAP agent failed to get health certificate on XP SP3

  • Question

  • My NAP IPsec setup works great on Win 7 but fails on XP SP3, giving the following event:

    Event Type: Error
    Event Source: NapAgent
    Event Category: None
    Event ID: 21
    Date:  2010-08-27
    Time:  16:24:02
    User:  N/A
    Computer: XPSP3
    Description:
    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {80B7C337-5F37-40A3-B3F9-EB4ECD77C5FE} - 2010-08-27 20:23:47.656Z from https://192.168.2.2/domainhra/hcsrvext.dll.
    The request failed with the error code (-2147012721). This server will not be tried again for 10 minutes.
    See the HRA administrator for more information.

    I used VMs for my servers and clients.

    Friday, August 27, 2010 8:37 PM

All replies

  • Hi,

    You cannot use an IP address for HTTPS. You must use the FQDN of your HRA server (https://myhraservername.domain.com/domainhra/hcsrvext.dll).

    SSL fails if the certificate subject name doesn't match the name of the server.

    -Greg

    • Marked as answer by midam50 Monday, August 30, 2010 6:26 PM
    Sunday, August 29, 2010 2:00 AM
  • Hi Greg,

    For this error code I had to reinstall XP with SP3 and no other updates before it gave me an error 401. I then used the FQDN as prescribed and finally received a certificate from my HRA.

    My win 7 VMs had no trouble with the previous config. Is this just an issue under XP?

    Thanks for the help.

    Monday, August 30, 2010 6:34 PM
  • Hi,

    I wrote up a list of descriptions associated with the HTTP codes in the NAP troubleshooting guide here: Client Computer Failed to Acquire a Certificate.

    Unfortunately, your code was -2147012721 which isn't listed. It seems like I recall another instance of these codes not matching to XP clients. Still, I'm reasonably sure that 2147012721 is an SSL certificate error. There is no client-side SSL certificate in this case, so it is the server certificate that has a problem.

    Are you sure you didn't use HTTP on Win7, or configure the HRA URL differently? I have never seen SSL work correctly unless the certificate subject name exactly matches the FQDN of the HRA. If the client is directed to an IP address and tries HTTPS, then it will look for an IP address in the subject name of the certificate in order to verify authenticity of the host - however the certificate should not contain an IP address here. It will have the FQDN of the HRA and therefore the URL and the SSL certificate won't match and SSL fails. You can double-check this by viewing SSL certificates in the IIS console. Look for the certificate associated with port 443. 

    It is vaguely possible that Win7 allows an IP address here for SSL if the reverse DNS corresponds to the certificate subject name, but I doubt it.

    -Greg

    Tuesday, August 31, 2010 3:32 AM
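As an added illustration of the two points made in this thread (not code from the thread or from the NAP product), the block below decodes the signed event-log value into its HRESULT/Win32 form and then applies the usual server-name check an HTTPS client performs: an IP literal in the URL is compared only against an iPAddress SAN (or, leniently, a CN holding that IP), while a DNS name is compared against dNSName SANs (case-insensitive, single-label wildcard) or the CN when no SAN is present. The HRA FQDN `hra.domain.com` is a constructed placeholder, and the symbolic name for Win32 code 12175 is from my recollection of wininet.h.

```python
"""Why https://<IP>/domainhra/hcsrvext.dll fails when the HRA cert is issued to its FQDN."""
import ipaddress
from urllib.parse import urlparse


def hresult_to_win32(event_code):
    """Turn the signed decimal from the NapAgent event into (hex HRESULT, facility, Win32 code).

    -2147012721 -> 0x80072F8F: facility 7 (FACILITY_WIN32), code 12175, which lies in the
    WinINet range 12000-12175 (ERROR_INTERNET_SEC_CERT_ERRORS as I recall it).
    """
    value = event_code & 0xFFFFFFFF
    return "0x%08X" % value, (value >> 16) & 0x1FFF, value & 0xFFFF


def _dns_name_matches(pattern, host):
    """RFC 6125-style match: exact, or a leading '*.' wildcard covering exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def url_matches_certificate(url, san_dns=(), san_ip=(), cn=None):
    """Return True if the URL's host is a name the certificate was issued for."""
    host = urlparse(url).hostname  # strips port and IPv6 brackets, lower-cases
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched against iPAddress SANs; the lenient CN fallback
        # mirrors the reply above ("it will look for an IP address in the subject name").
        if any(ip == ipaddress.ip_address(x) for x in san_ip):
            return True
        return not san_dns and not san_ip and cn is not None and cn == str(ip)
    # A DNS name: SANs win when present, otherwise the subject CN is consulted.
    candidates = list(san_dns) if (san_dns or san_ip) else ([cn] if cn else [])
    return any(_dns_name_matches(name, host) for name in candidates)


if __name__ == "__main__":
    print(hresult_to_win32(-2147012721))
    hra_cert = {"san_dns": ["hra.domain.com"]}  # constructed: cert issued to the HRA FQDN
    for hra_url in ("https://192.168.2.2/domainhra/hcsrvext.dll",
                    "https://hra.domain.com/domainhra/hcsrvext.dll"):
        print(hra_url, "->", url_matches_certificate(hra_url, **hra_cert))
```

With the constructed FQDN certificate, the IP-based URL from the original event fails the name check while the FQDN URL passes, which is the mismatch the replies describe.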