NAP clients are evaluated as non NAP-capable

  • Question

  • Hi all,

    Our setup consists of an AD domain, a Remote Desktop Gateway server, an NPS/NAP server and a few Windows 7 clients.

    The RDG and NPS are set up and running with all Connection Request & Network policies and everything is well, except for NAP health checks. Whatever I do on client it is evaluated as non NAP-capable.

    I start the NAP Agent (napagent) service, enable the Remote Desktop Gateway quarantine client in the NAP Client config MMC (napclcfg.msc) and add my RDG URL https://rdg.company.com to the Trusted Gateways list, to no avail; the client Windows 7 machine ends up as "non NAP-capable".

    The output of the netsh nap client show state command is fine too; everything looks OK, as it should according to NAP Quick Fixes: https://msdn.microsoft.com/en-us/library/dd348494(v=ws.10).aspx

    In the Event Viewer of the client machine I see NAP events from which I can guess that everything's OK from the client's perspective too: client 79621 is successfully initialized and the SystemHealthAgent seems to scan and (supposedly) successfully build a SoH.

    Still, the NAP server obviously does not get a SoH from the client and thus classifies it as non NAP-capable for some weird reason.

    Since I haven't found any further means to investigate and troubleshoot it, I would be grateful for any ideas and/or suggestions.

    Thanks a lot,

    Tuesday, March 22, 2016 8:55 AM

Answers

  • In case this isn't clear, you need to view the certificate store on the client computer.

    Open MMC

    File.. Add/Remove Snap-in

    Certificates, Add..

    Computer account, local computer (or a remote client computer if desired)

    OK

    Open Trusted Root Certification Authorities \ Certificates

    Verify that your TS Gateway certificate is there.

    Thanks,

    -Greg

    • Proposed as answer by Hello_2018 Wednesday, April 6, 2016 3:43 AM
    • Marked as answer by Hello_2018 Thursday, April 7, 2016 7:51 AM
    Thursday, March 31, 2016 7:46 PM
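    A way to run the check from the answer above as a script on the NAP client, added here as an example (not code from the thread or from Microsoft). It assumes the gateway FQDN rdg.company.com from the question and port 443, fetches the certificate the gateway presents, works out which root it chains to, and reports whether that root is in the computer's Trusted Root store rather than only in the user's store:

```powershell
# Added example, not from the thread: verify on a NAP client that the RD Gateway's
# certificate chain ends in a root present in the COMPUTER Trusted Root store
# (Cert:\LocalMachine\Root), the condition the accepted answer tells you to check.
# Gateway name is the one from the question; replace it with your own RDG FQDN.
param([string]$Gateway = 'rdg.company.com', [int]$Port = 443)

# 1. Fetch the certificate the gateway presents on its HTTPS listener.
$tcp = New-Object System.Net.Sockets.TcpClient($Gateway, $Port)
try {
    # The validation callback returns $true only so an untrusted chain can still be
    # inspected; nothing is sent over this connection after the handshake.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($Gateway)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}
Write-Host ("Gateway presents: {0}`n  issued by: {1}" -f $leaf.Subject, $leaf.Issuer)

# 2. Build the chain to find the root the gateway certificate ultimately depends on
#    (for a self-signed gateway cert the root is the gateway cert itself).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($leaf)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host ("Top of chain: {0} (thumbprint {1})" -f $root.Subject, $root.Thumbprint)
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain status: {0}" -f $_.StatusInformation.Trim()) }
}

# 3. The store check from the answer, done against the computer store and, for
#    contrast, the current-user store (a cert only in the user store does not help).
$inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$inUserRoot    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($inMachineRoot) {
    Write-Host "OK: root is in Trusted Root Certification Authorities of the computer account."
} elseif ($inUserRoot) {
    Write-Warning "Root is only in the CURRENT USER store; import it under the Computer account."
} else {
    Write-Warning "Root is not in any Trusted Root store on this client; import it under the Computer account."
}
```

    Run it in an elevated PowerShell on the Windows 7 client; the third section is the same check as the MMC steps above, just by thumbprint instead of by eye.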

All replies

  • Some additional diag info below.

    NAP client state:

    PS C:\> netsh nap client show state
    
    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =
    GroupPolicy            = Not Configured
    
    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No
    
    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No
    
    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes
    
    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No
    
    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent monitors security settings on your computer.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
    
    Compliance results     =
    Remediation results    =
    
    Ok.

    Network Access Protection\Operational event log on client:

    Id      : 1027
    Message : The Windows Security Health Agent notified the Windows Network Access Protection Service of a change in the security health state of the computer.
    
    Id      : 1007
    Message : The Windows Security Health Agent completed an offline scan.
    
    Id      : 9
    Message : The enforcement client 79621 successfully initialized.
    
    Id      : 1002
    Message : The Windows Security Health Agent was initialized successfully.
              Scan Interval: 1320 minutes.
              Time delay before first scan: 45 seconds.
              Time interval between manual remediation state change: 15 seconds.
              Manual remediation timeout interval: 150 seconds.
    
    Id      : 4
    Message : The System Health Agent 79744 successfully initialized.
    
    Id      : 100
    Message : Sending Health Information to WHC: NapAgent is Active(1)
    
    Id      : 1001
    Message : The Windows Security Health Agent detected a change in the status of Automatic Updates.
    
    
    Id      : 1000
    Message : The Windows Security Health Agent detected a change in the status of Antispyware.
    
    
    Id      : 1000
    Message : The Windows Security Health Agent detected a change in the status of Antivirus.
    
    
    Id      : 1000
    Message : The Windows Security Health Agent detected a change in the status of Firewall.
    
    
    Id      : 9
    Message : The enforcement client 79871 successfully initialized.
    
    Id      : 26
    Message : The NAP service has started.
              NAP has the following information for this computer:
               Computer name is HOSTNAME.CORP.COMPANY.COM.
              Domain status is: Domain Joined.
              The build number is: 7601.
              The OS SKU is: CLIENT.
              The service pack version is: 1.0.
              The processor type is: x64 (AMD or Intel).


    Tuesday, March 22, 2016 2:01 PM
  • Hi Arseniy V,

    Thanks for posting here.

    From the diag info of the NAP client state, everything is OK.

    By the way, did this issue only happen on Win7 clients?

    If so, please re-configure NAP on the NPS server and check if this issue still persists.

    Please check if the following link is helpful:

    https://msdn.microsoft.com/en-us/library/dd348450(v=ws.10).aspx

    Additional resource about troubleshooting NAP issues:

    https://msdn.microsoft.com/en-us/library/dd348461(v=ws.10).aspx

    Best regards,


    Andy_Pan

    Thursday, March 24, 2016 7:04 AM
  • Hi,

    See https://technet.microsoft.com/en-us/library/7bb881bb-4985-44a0-9185-7b1838aa06c9(v=ws.10)#napclientcomputersareevaluatedasnonnapcapable

    This problem has also been identified when the client computer is using the NAP with Terminal Services Gateway (TS Gateway) enforcement method and does not have the TS Gateway certificate in Trusted Root Certification Authorities of the local computer certificate store.

    Thanks,

    -Greg


    P.S. This is almost certainly your issue.
    Wednesday, March 30, 2016 7:25 PM
  • Hi Andy_Pan,

    thank you for your reply.

    We've got only Windows 7 clients, so I have only tried evaluating Windows 7 clients.
    Thanks for the documentation links, and yes, reconfiguring the NPS server from scratch looks like an idea here, I'll post a reply later if I end up reconfiguring it.

    Thanks,

    Thursday, March 31, 2016 9:44 AM
  • You're welcome, Arseniy.

    Hope to get more information from you.

    Best regards,


    Andy_Pan

    Thursday, March 31, 2016 9:53 AM
  • Hi Greg,

    Thank you for the link, I've already checked it.

    As for the certificate: I've installed our company's GeoTrust wildcard certificate on the RDG server; AFAIR such a configuration is officially supported: https://technet.microsoft.com/ru-ru/library/dd320345(v=ws.10).aspx

    The wildcard cert is like *.company.com and the RDG external FQDN is rdg.company.com, so I guess there should be no trouble with this.

    This wildcard certificate is used on a few of our web servers and it appears OK on lots of clients, since Windows clients have the GeoTrust root/intermediate certificates installed.

    Is there a way to diagnose it? Server logs do not reveal anything significant, just plain "client is not NAP-compatible".

    Thanks,


    • Edited by Arseny V Thursday, March 31, 2016 10:00 AM
    Thursday, March 31, 2016 9:59 AM
  • Verify that you have the certificate installed in the local computer store, not the user store.

    It is almost certainly the certificate.


    Thursday, March 31, 2016 3:34 PM