NAP - can not make it work.

Answers

  • Hi,

     

    Before requesting some detailed configuration information about your setup, I'd like you to check for the most common problem that causes error code 500.

     

    On your HRA machine, open the HRA console, right-click Certificate Authority, and then click Properties.

     

    A common cause of error code 500 is that "Use standalone certification authority" is selected here, but you are using an enterprise certification authority. It sounds from your description of the problem that you may have chosen to install an enterprise CA. If you use an enterprise CA, then you must configure HRA to "Use enterprise certification authority" and also choose an authenticated and anonymous certificate template.

     

    The System Health Authentication template should be an available choice for both authenticated and anonymous, assuming that you published this template (right-click certificate templates, point to New, and click certificate template to issue). Please select System Health Authentication for both the authenticated and anonymous template.

     

    It isn't necessary to select a different template for authenticated and anonymous access, particularly if you didn't choose to enable anonymous access when you installed HRA. You still need to choose an anonymous template, but this won't ever be accessed if you didn't enable anonymous requests (i.e. health certificates for workgroup computers).

     

    After selecting the enterprise CA and the two templates, you should be able to restart NAP agent and get a health certificate. Please let me know if this solves your problem.

     

    To answer your question about enabling anonymous requests without reinstalling HRA, I'm not sure if this can be done. You may be able to configure IIS manually to create this Web site with the ISAPI extension, but I wouldn't recommend it. It would be better to simply reinstall HRA if you must enable anonymous requests. Again, you don't need to enable anonymous requests unless you want to issue health certificates to workgroup computers.

     

    The event you described about waiting for other services to start can happen the first time you boot up. This is because NAP depends on several other services that are just starting up. This problem shouldn't continue to happen after the computer is booted. If it does, then there may be a problem with one of the services in security center, or with the security center service itself.

     

    Please let me know if the problem you were having is resolved by configuring HRA as I described.

     

    -Greg

    Thursday, August 16, 2007 6:28 PM
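An added example (not code from this thread or from Microsoft) that applies the triage in the answer above to the NAP event 21 messages quoted in the thread: it parses the event text, classifies each failure by which HRA site and HTTP code it came from, and prints what to check on the HRA server. The sample messages are constructed from the text quoted in the thread; nps.contoso.com is the thread's own example host, and the /nondomain/hcsrvext.dll path and the 403 case are assumed for illustration.

```python
"""Triage NAP event 21 "failed to acquire a certificate" messages.

Added example, not the thread's or Microsoft's code. It maps the HTTP status
and HRA site in each event to the causes discussed in the answer above:
HTTP 500 on the domain site -> check the HRA "Certificate Authority"
properties (standalone vs enterprise) and that the System Health
Authentication template is published on the issuing CA; HTTP 404 on the
non-domain site -> the anonymous web site was not installed, which is
expected unless workgroup computers need health certificates.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample messages in the shape of the event text quoted in the
# thread (nps.contoso.com is the thread's own example host, not a real system).
SAMPLE_EVENTS = [
    "NAPagent failed to acquire a certificate from "
    "http://nps.contoso.com/domainhra/hcsrvext.dll with error code 500",
    "NAPagent failed to acquire a certificate from "
    "http://nps.contoso.com/nondomain/hcsrvext.dll with error code 404",
    "NAPagent failed to acquire a certificate from "
    "http://nps.contoso.com/domainhra/hcsrvext.dll with error code 403",
    "Service Control Manager: the NAP Agent service entered the running state",
]

# The thread quotes the message with an elided middle ("[...] from http://"),
# so the pattern tolerates extra text between the fixed phrase and the URL.
EVENT_RE = re.compile(
    r"failed to acquire a certificate.*?from\s+(?P<url>https?://\S+)"
    r"\s+with error code\s+(?P<code>\d+)",
    re.IGNORECASE,
)

# (HRA site, HTTP code) -> (label, what to check), taken from the answer above.
KNOWN_CAUSES = {
    ("domainhra", 500): (
        "hra_ca_mismatch",
        "HRA console > Certificate Authority > Properties: the CA type "
        "(standalone vs enterprise) must match the CA actually in use, and "
        "with an enterprise CA the System Health Authentication template "
        "must be published on the issuing CA and selected for both the "
        "authenticated and anonymous template settings.",
    ),
    ("nondomain", 404): (
        "anonymous_site_missing",
        "The anonymous (non-domain) HRA web site was not installed; harmless "
        "for domain-joined clients, reinstall HRA with anonymous requests "
        "enabled only if workgroup computers need health certificates.",
    ),
}


def classify(message):
    """Return a dict describing one event 21 message, or None for other text."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    url = m.group("url")
    code = int(m.group("code"))
    # First path segment names the HRA site: domainhra or nondomain.
    segments = [p for p in urlparse(url).path.split("/") if p]
    site = segments[0].lower() if segments else ""
    label, advice = KNOWN_CAUSES.get(
        (site, code),
        ("unexpected", "Not one of the cases covered in the thread; inspect "
                       "the HRA server's IIS and NPS logs for this request."),
    )
    return {"site": site, "code": code, "label": label, "advice": advice}


def triage(messages):
    """Classify every message and count (site, code) pairs so repeats stand out."""
    results = [r for r in (classify(m) for m in messages) if r is not None]
    counts = Counter((r["site"], r["code"]) for r in results)
    return results, counts


if __name__ == "__main__":
    results, counts = triage(SAMPLE_EVENTS)
    for r in results:
        print(f"{r['site']:10} HTTP {r['code']}: {r['label']}\n    {r['advice']}")
    print("failures by (site, code):", dict(counts))
```

Feed it the message text of event 21 entries exported from the client's event log (for example the output of a filtered event log query); a 404 from the non-domain site on a domain-joined client is noise, while a 500 from the domain site is the case to act on first.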
  • Hi,

     

    I'll check to see if there is a simple way to create the anonymous Web site if you want to add it later, and look into the client messaging also.

     

    The recommendation is to use a dedicated subordinate standalone CA. The standalone CA has fewer capabilities than enterprise because you can't configure templates, but since it is dedicated to just issuing health certificates, you shouldn't need additional capabilities of an enterprise CA. A standalone CA that is just issuing health certificates performs best.

     

    -Greg

     

    Friday, August 17, 2007 3:42 PM
  • Hi,

     

    In reply to your question about adding the anonymous Web site, I confirmed that reinstallation of HRA is the recommended way to do this. There is a vbs script in the system32/hcs directory that will add web sites and application pools to IIS, but it isn't recommended to use this.

     

    -Greg

    Thursday, August 23, 2007 8:55 PM

All replies

  •  

    i have done some research and it seems that vista NAP agent is faulting:

    - if i restart nap agent service, it shows the message that client does not meet requirements (firewall off)

    - then it turns firewall on and... hangs. there is a non-disappearing message 'this computer is being updated...' when i raised the info box i can see that it is still trying to turn on firewall ["Updating..."]

    - then if i turn firewall off it does nothing. need to restart napagent service once more.

     

    SHA version 1.0 ID 79744 - if it does matter

     

    ***FEW MORE CHECKS

    my client computer never receives a health certificate. maybe that's why agent hangs? no idea WTF

    Tuesday, August 14, 2007 4:12 PM
  • Hi,

     

    The client should not get a health certificate unless it is 100% compliant with the health requirements in your SHV. If you turn the firewall on yourself, does the client receive a health certificate, or does it remain noncompliant?

     

    Please post the results of these commands issued from an elevated command prompt:

    • netsh nap client show state
    • netsh advfirewall show allprofiles

    Let me know if you are only having a problem with auto-remediation, or if you cannot get the client to acquire a health certificate even when you turn the firewall on manually. Also please verify that your SHV is only requiring that the firewall is enabled.

     

    -Greg

    Wednesday, August 15, 2007 2:45 AM
  •  

    1. after restarting napagent the windows firewall switched on automatically by the service (that's ok)

    2. i have checked with netsh nap client show state and it seems to be ok [i can see URL path to HRA, NPS server etc]. sadly i have already deleted the lab - will give it a last try and am doing it once more. so if it still behaves as described - i will publish that information

    3. the problem is not only with autoremediation. if i changed it to manual, and manually switched the fw on - nothing happened.

    Thursday, August 16, 2007 12:56 PM
  • i have made lab once more and effect is similar:

    - i found the event 21 source NAP stating that:

    NAPagent failed to acquire a certificate [...] from http://nps.contoso.com/domainhra/hcsrvext.dll with error code 500

    then the same event with error from address /nondomain/ with error code 404

     

    there i have quite a few questions:

    - during installation i did not enable anonymous requests for certificates - that's why the second event occurred i guess. the question is - how to enable this? i could not find it in configuration and the option is available just during installation

    - what is error code 500 and why the client didn't receive a certificate?

     

    and last and imho quite important is behaviour of an interface:

    - i found those events in event log. but a simple user doesn't even know about the existence of such thing (; and the interface shows: "your computer is not compliant [...]" and in description one can read:

    Windows SHA Unsuccessful

    Remediation results:

    windows cannot determine security state of this computer because the windows SHA is waiting for other services to start. [...]

    if i press 'try again' i need to wait a few secs and nothing happens.

     

    comparing this information to the real situation [all services started a long time ago] and to the event log description - it looks ridiculous. telling it straight - the interface totally lies and suggests some stupid solution.

     

    please help

     

    Thursday, August 16, 2007 3:10 PM
  • yeah. it was the issue - i did install the enterprise subordinate. i configured hsc as you described [changed to enterprise and chose the same template for auth and anon], it didn't change the client behaviour though (the SHA hung up with information 'updating'). then i checked logs on server and found 'denied because server does not allow requested certificate template'. as you wrote - i've added this template and it started to work. i had done it before, but on rootCA instead of subordinate - possibly this is the difference if one installs the enterprise instead of standalone, because i'm pretty sure i could issue templates only on rootCA and had no such option in subordinate in previous lab.

    thanks for the answer! i have one more question though:

    what is the recommendation/difference/idea to use standalone vs enterprise subordinate?

    and the client component - i still think it should be changed to display proper information instead of hanging up or showing some totally made up events.

    ..hope there will be a different way in the final version than reinstalling if one decides to add the possibility to handle anonymous computers ): maybe some script with addcmd creating and configuring a site?

     

    Friday, August 17, 2007 10:46 AM