Event 11 NAP operational

  • Question

  • Hello,

    I've configured a Win 2008R2 Server as NPS Server for DHCP.
    All network policies are set to "access granted"

    When I boot my Win 7 Clients, I get error 11 NAP

    Error 2147483658 calling INapSystemHealthAgentCallback::ProcessSoHResponse SystemIntegrityAgent 79747.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-NetworkAccessProtection" Guid="{4EF850D8-BF30-4E64-A917-EE21B9BE1F0A}" />
        <EventID>11</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2011-07-20T17:39:45.769121900Z" />
        <EventRecordID>2695</EventRecordID>
        <Correlation />
        <Execution ProcessID="572" ThreadID="3760" />
        <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
        <Computer>ab.de.com</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <NapEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="myNs">
          <ComponentId>79747</ComponentId>
          <FunctionName>INapSystemHealthAgentCallback::ProcessSoHResponse</FunctionName>
          <HResult>2147483658</HResult>
        </NapEvent>
      </UserData>
    </Event>

    At first, it would help to identify the SHV/SHA that throws the error. I've the default SHV and the MS Forefront SHV. Is there a list that maps the SHA ID to the name?

    My first test will be to remove the Forefront SHV from the policy to see whether the error still occurs. What can I do to resolve this issue? The problem is that after the error event occurs, the NAP enforcement client uses the restricted mode and auto remediate for ca. 1 min; after that, it sets the state to normal (full access).


    Another more general question: As I already pointed out, I've set network policy NAP DHCP not nap capable to grant access. When I set it to deny access, domain computers cannot log on or process group policy. Is this normal behavior? I thought that the clients are NAP capable and that they would only use the 2 other policies NAP DHCP compatible and NAP DHCP not compatible.

     

    KR

    Chris

    Wednesday, July 20, 2011 6:09 PM

All replies

  • Hi Chris,

    Thank you for your post.

    "At first, it would help to identify the SHV/SHA that throws the error."
    Event ID 11 means an error in NAP Agent communication with the SHA. Please check your settings against the Forefront Client Security SHA-SHV Deployment Guide.

    "When I set it to deny access, domain computers cannot logon or process group policy. Is this a normal behavior?"
    Please use the DHCP NAP wizard to configure your NPS policy. If computers are detected as noncompliant or non-NAP-capable, clients are just granted limited access: only access to remediation servers (like the DC/DHCP/DNS/FCS server). So you do not need to set the policy to deny access. For more details, please check the DHCP NAP step-by-step guide.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan

    Thursday, July 21, 2011 9:03 AM
  • Hi Rick,

     

    I've run a few tests and determined that the error is caused by the Forefront Client Sec SHA. I've unchecked all settings of the SHV within the NPS mmc. However, the error still occurs. Therefore, I think that the error is a general communication problem and has nothing to do with the settings.

     

    I've read the FFS SHA/SHV Deployment guide but it does not contain this specific error. Is there a way to fix that problem or should I pose this question in the forefront group?

     

    Thanks and kind regards

     

    Chris

    Tuesday, July 26, 2011 7:04 PM
  • Hi Chris,
     
    I suggest you first test DHCP NAP with only WSHV, uninstall FCS SHV & SHA on server and clients.

    If DHCP NAP with WSHV works with no error, install the latest FCS SHV & SHA on your server and clients.


    Regards,
    Rick Tan

    Wednesday, July 27, 2011 5:46 AM
  • I'm having the exact same error and am using the latest NAP Integration kit.

    I'm in the testing phases of implementing IPSec NAP using the built in WSHV as well as the FCS SHV. I'm very frequently (50 times a day) receiving:

    Log Name: Microsoft-Windows-NetworkAccessProtection/Operational
    Source: Microsoft-Windows-NetworkAccessProtection
    Date: 28.7.2011 10:10:53
    Event ID: 11
    Task Category: None
    Level: Error
    Keywords:
    User: NETWORK SERVICE
    Computer: computer1.interexport.local
    Description:
    Call to INapSystemHealthAgentCallback::ProcessSoHResponse on System Health Agent 79747 failed with error 2147483658.
    Contact the administrator for more information.

    SHA 79747 is related to the FCS SHV, but I have no idea what error 2147483658 is. Searching didn't help.

    While I usually don't get disconnected from the network because of this, it does happen once or twice a day since my NAP status is not compliant. This happens on WinXP SP3 and Win7 SP1 Enterprise.

    Could anyone help me out in figuring out what this error is and how to resolve this issue? Please let me know which additional details are required.

    Friday, July 29, 2011 7:16 AM
  • The error code from the event:  2147483658 corresponds to

      E_PENDING                                                      winerror.h
    # The data necessary to complete this operation is not yet
    # available.

    It appears that the processing of the SoH is not being completed in a timely fashion.  My suggestion is that the server processing the SoH be examined instead of the client.


    Ketan Thakkar | Microsoft Online Community Support
    Wednesday, August 3, 2011 9:41 AM
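
Added example (not part of the original thread and not Microsoft tooling): a short Python triage helper that parses a NAP event exported as XML, converts the decimal `HResult` field to its 32-bit HRESULT form and splits it into severity, facility and code. The sample event is a trimmed copy of the one posted in the question; the lookup tables are small illustrative subsets, and the only SHA ID listed is the one identified in this thread.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
NAP_NS = "{myNs}"  # namespace declared on the NapEvent element in the posted event

# Small subset of well-known HRESULT values from winerror.h.
HRESULT_NAMES = {0x8000000A: "E_PENDING", 0x80004001: "E_NOTIMPL",
                 0x80004005: "E_FAIL", 0x80070005: "E_ACCESSDENIED",
                 0x80070057: "E_INVALIDARG"}

# SHA component IDs: only the one identified in this thread.
SHA_NAMES = {79747: "Forefront Client Security SHA"}

# Trimmed copy of the event XML from the question.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>11</EventID>
    <Computer>ab.de.com</Computer>
  </System>
  <UserData>
    <NapEvent xmlns="myNs">
      <ComponentId>79747</ComponentId>
      <FunctionName>INapSystemHealthAgentCallback::ProcessSoHResponse</FunctionName>
      <HResult>2147483658</HResult>
    </NapEvent>
  </UserData>
</Event>"""

def decode_hresult(value):
    """Split an HRESULT (unsigned or signed decimal) into its fields."""
    value &= 0xFFFFFFFF  # normalise the signed 32-bit form some tools print
    return {"hex": f"0x{value:08X}",
            "failure": bool(value >> 31),       # severity bit
            "facility": (value >> 16) & 0x7FF,  # 11-bit facility code
            "code": value & 0xFFFF,             # 16-bit status code
            "name": HRESULT_NAMES.get(value, "unknown")}

def triage_nap_event(xml_text):
    """Return SHA id, failing callback and decoded HRESULT, or None if not a NAP event."""
    root = ET.fromstring(xml_text)
    nap = root.find(f"{EVENT_NS}UserData/{NAP_NS}NapEvent")
    if nap is None:
        return None
    sha_id = int(nap.findtext(f"{NAP_NS}ComponentId"))
    return {"event_id": int(root.findtext(f"{EVENT_NS}System/{EVENT_NS}EventID")),
            "sha_id": sha_id,
            "sha_name": SHA_NAMES.get(sha_id, "unknown SHA"),
            "function": nap.findtext(f"{NAP_NS}FunctionName"),
            "hresult": decode_hresult(int(nap.findtext(f"{NAP_NS}HResult")))}

if __name__ == "__main__":
    print(triage_nap_event(SAMPLE_EVENT))
```

For the posted event this reports SHA 79747 failing in `ProcessSoHResponse` with 0x8000000A (E_PENDING, facility 0, code 10), matching the lookup in the last reply.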