Problems when trying to configure NAP using IPsec

Question
Hello, when I try to start the Network Access Protection Agent service, either manually or automatically through GPO, it stops immediately after a few seconds, giving me these problem details...
Problem signature:
Problem Event Name: APPCRASH
Application Name: svchost.exe_napagent
Application Version: 6.0.6001.18000
Application Timestamp: 47918b89
Fault Module Name: StackHash_4576
Fault Module Version: 6.0.6001.18000
Fault Module Timestamp: 4791a7a6
Exception Code: c0000374
Exception Offset: 000b015d
OS Version: 6.0.6001.2.1.0.272.7
Locale ID: 1033
Additional Information 1: 4576
Additional Information 2: 3038785d191ff8bb8a6fca1f0816a4d1
Additional Information 3: d41f
Additional Information 4: f765bd38cd94051715f4268e30235598
I have set up the DC, NPS, NAP and HRA all on one server, since this is a test setup. I have also enabled an IPsec rule on the server so that 2 domain-joined client PCs communicate only using health certificates.
The problem is that the NAP Agent does not stay started: it stops, and I do not have a clue what the reason is, since it does the same on both PCs and even when I try to start the same service on the server.
Friday, April 17, 2009 6:06 PM
Answers
As Greg said already, it is expected that the Windows System Health Agent will not work on Server SKUs. I assume all your clients are also Server SKUs.
Thanks
-RamaSubbu SK
Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
Marked as answer by Greg Lindsay (Microsoft employee), Tuesday, April 21, 2009 12:16 AM
Sunday, April 19, 2009 2:28 AM
All replies
Hi AcmSoft,
Thanks for informing us about this. It is strange that SVCHOST is crashing. Can you tell us the following information?
(1) Which OS are you using? Does it have all the updates & patches applied from http://windowsupdate.microsoft.com?
(2) Do you have any 3rd party SHA/SHV installed?
Generally, SVCHOST is a process that hosts lots of services in a single process. If any one of the services in the SVCHOST process crashes, then all the other services will also get killed along with it. We need to find which service is crashing. Do you see the same behaviour on both PCs? There are lots of ways you can find which service is crashing.
(1) Using WinDBG: if you have used WinDBG before, it would be pretty easy to find which service is crashing by attaching the debugger to the SVCHOST process, or
(2) By functional elimination: does the NAPAgent service start properly if the IPsec QEC is disabled? If yes, try enabling the IPsec QEC manually and see whether it crashes or not.
Thanks
-RamaSubbu SK
Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
Saturday, April 18, 2009 12:42 AM
Ok, the NAP Agent service is now started and stays started after reconfiguring NAP on the server from the start. The problem I have is that I cannot establish communication between two client PCs using NAP IPsec with HRA. All PCs are Win 2008 Server Standard. I have run the IPsec Diag Tool on one of the clients just before trying to browse the other PC, and I will paste the results here....
-----------Local Mode Diagnosis:Start - 2006/02/21(19hr:27min:37sec)-----------
Log Location: C:\Users\toshall\AppData\Roaming\IPSecureLogs\LocalMode2006-02-21(19hr-27min-37sec)
Local IP: 192.168.0.98, Remote Machine: celeronpc
SystemInfo:
--Passed: System information(software, hardware,active processes, active network connections) collected. View Output Logs for details
Network Interface Diagnosis:
--Passed : Network Interface configured correctly
Ping (Remote Reachability) Diagnosis:
Passed: Remote machine,"celeronpc", is reachable from host
NAP Client Diagnosis:
--Information : NAP client is running
---- NAP logs collected
IPsec Service Diagnosis:
--Passed : IPsec services are up and running
----BFE up and running
----IKEext/Policyagent up and running
Live Debugging: Start
--Information: Enabling RRAS Trace
WFPUtil Diagnosis:
(If you did not repro the issue while the tool was running, ignore WFPUtil Diagnosis)
This Diagnosis report is for negotiation between host and 192.168.0.88
Failed: No IKE negotiaton found between Host machine and 192.168.0.88. This could be because:
--1.Wrong value was entered for the Desitnation IP Address(Client2 IP)
--2.Wrong log was provided
--3.IPSec is not monitoring traffic between Host machine and 192.168.0.88
Live Debugging: End
RRAS Diagnosis:
--Passed : RRAS is switched off, implying no external policies
--Information: Disabling RRAS trace that was enabled during live debugging.RRAS logs copied.
Registry and Events Diagnosis:
--Passed: System, Application and Security event logs collected
Windows Firewall Diagnosis:
--Information : Firewall is active
IPsec SA, Filter Diagnosis:
--Passed : Main mode SA exists between 192.168.0.98 and 192.168.0.88.
--Passed : Quick Mode SA exists between 192.168.0.98 and 192.168.0.88
--Information : No Legacy MM policies applied on this system
--Information : Found Rules on this system
--Passed : One or more rules are active on this system
--Information : No Policy assigned on the system
--Information : No Legacy QM policies assigned on the system
--Information : No legacy MM outbound filters between exist between 192.168.0.98 and 192.168.0.88
--Information : No Legacy MM inbound filters between exist between 192.168.0.98 and 192.168.0.88
-----------Local Mode Diagnosis:End - 2006/02/21(19hr:31min:54sec)-----------
Any help on how I can troubleshoot this properly?
Saturday, April 18, 2009 3:35 AM
Hi,
Have you checked to see if the client machines have health certificates using the certificates snap-in? This is required for communication.
Did you say that all PCs are running Server 2008, including clients? If so, then you can't use the WSHV to configure health requirements. How have you configured your health policies?
-Greg
Saturday, April 18, 2009 4:40 AM
No, they have a computer account certificate that says Client Authentication, Server Authentication under Personal Certificates. I have set up the communication between the 2 PCs to work for a limited period even if they are not healthy, through the NAP IPsec with HRA non-compliant policy, but I am not obtaining the health certificate from the CA, which is needed for communication between the 2 domain-joined PCs. The event log gives these errors....
The Health Registration Authority has approved the request with the Correlation ID {5ADEBA8E-5165-47E9-8291-6B8BC54767F5}-2006-02-22 15:32:58Z at IP address 192.168.0.98 (Principal: NWTRADERS\TOSHIBALAP$). The Network Policy Server has indicated that the client should be given full network access for a limited time.
The Health Registration Authority was unable to acquire a certificate for request with the correlation-id {5ADEBA8E-5165-47E9-8291-6B8BC54767F5}-2006-02-22 15:32:58Z at 192.168.0.98 (principal: NWTRADERS\TOSHIBALAP$). Discarding the request. The Certification Authority \\dcsrv1.nwtraders.msft\nwtraders-DCSRV1-CA denied the request with the following error: Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
(0x80004005). Contact the Certification Authority administrator for more information.
I know that the time is incorrect, but I have set up the policy to permit communication for 1 hour even if the PCs are not healthy.
Saturday, April 18, 2009 3:45 PM
Hi,
I think that error occurs if you configure HRA to use an Enterprise CA, but the CA is actually standalone. There may be a few other things that cause this. What type of CA are you using?
I'm a little confused about your setup. How many servers and clients do you have, and what services are installed on each? Which computers have the certificates you mentioned and which are not able to obtain a certificate?
Thanks,
-Greg
Saturday, April 18, 2009 4:50 PM
I have 1 Server 2008 Standard which has all the required roles installed (DC, CA, NPS, HRA, NAP) and 2 clients which also have Win 2008 Standard installed. The event log was taken from the server when one of the clients tried to obtain a health certificate from the HRA through the CA, but it failed. This is the main problem: the 2 machines are not getting the health certificate, even though I have set the Network Policy to allow clients that do not meet the health requirements for a limited period of time. For the reason I gave above, it is not obtaining the health certificate.
Saturday, April 18, 2009 9:37 PM
Hi,
The problem is that you cannot use 2008 standard as your Root CA. You must have 2008 Enterprise because you need to publish the health certificate template.
This is the required procedure that you are unable to perform on Server 2008 standard:
Publish certificate templates
Use the following procedure to allow the CA to issue the new health certificate template.
To publish certificate templates
1. Click Start, click Run, type certsrv.msc, and then press ENTER.
2. Open Root CA, and in the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
3. Click System Health Authentication, and then click OK.
4. In the console tree, click Certificate Templates, and in the details pane under Name, verify that System Health Authentication is displayed.
5. Close the Certification Authority console.
Proposed as answer by Greg Lindsay (Microsoft employee), Saturday, April 18, 2009 10:09 PM
Saturday, April 18, 2009 10:09 PM
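As an added example (not from this thread, not Microsoft's code), a PowerShell check to run on the CA server before attempting the procedure above: it reads the CA type from the Certificate Services registry configuration and asks certutil which templates the CA can issue. It assumes Certificate Services is installed locally; the registry path, the CAType values and the certutil -CATemplates switch are the standard Certificate Services ones.

```powershell
# Added example: verify the prerequisites for HRA to obtain health certificates.
# Assumes it runs on the CA host itself (certutil and the CertSvc registry
# hive are local). Registry values and ENUM_CATYPES codes are the standard
# Certificate Services ones; nothing here changes the CA configuration.

function Test-HealthCertPrereqs {
    $config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $config)) {
        throw 'Certificate Services is not installed on this machine.'
    }
    # "Active" holds the common name of the CA instance this server runs.
    $caName = (Get-ItemProperty -Path $config).Active
    $caType = (Get-ItemProperty -Path (Join-Path $config $caName)).CAType

    # ENUM_CATYPES: 0 = Enterprise Root, 1 = Enterprise Subordinate,
    #               3 = Standalone Root, 4 = Standalone Subordinate.
    $isEnterprise = @(0, 1) -contains $caType

    # certutil -CATemplates lists the templates this CA is configured to issue;
    # the display name is what Greg's step 4 says should appear in the console.
    $templateList = (certutil -CATemplates 2>&1) | Out-String
    $shaPublished = $templateList -match 'System Health Authentication'

    New-Object PSObject -Property @{
        CAName             = $caName
        OSEdition          = (Get-WmiObject Win32_OperatingSystem).Caption
        EnterpriseCA       = $isEnterprise
        SystemHealthIssued = $shaPublished
    }
}

$result = Test-HealthCertPrereqs
$result | Format-List

if (-not $result.EnterpriseCA) {
    # Greg notes above that an HRA pointed at a standalone CA is one cause of the
    # 0x80094801 "no certificate template" denial seen in the HRA event log.
    Write-Warning 'Standalone CA: HRA cannot request a template-based health certificate from it.'
} elseif (-not $result.SystemHealthIssued) {
    Write-Warning 'Enterprise CA, but System Health Authentication is not published (see the steps above and the edition caveat).'
} else {
    Write-Output 'CA type and template publication look correct for HRA.'
}
```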
I have set up the same network but with DHCP enforcement, and it seems to be working. All I am not certain about is the pop-up I am getting: "SHA not Present. An SHA that may be required for this computer is not present on this computer."
Is it normal?
C:\Users\toshall>netsh nap client show state
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted, deferred enforcement
Troubleshooting URL =
Restriction start time = 2/22/2006 2:59:43 PM
Extended state =
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Id = 79618
Name = Remote Access Quarantine Enforcement Client
Description = Provides the quarantine enforcement for RAS Clie
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79619
Name = IPSec Relying Party
Description = Provides IPSec based enforcement for Network Acc
tection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Description = Provides TS Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides EAP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Ok.
Thank you
Saturday, April 18, 2009 10:45 PM
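An added example, not from the thread: a PowerShell parser for the netsh nap client show state output above that lists the enforcement clients and flags whether the IPsec Relying Party (Id 79619) is initialized, which is the client the IPsec-with-HRA design depends on. The Ids and names are the ones netsh printed in this post; when netsh is not available it falls back to a constructed, shortened copy of that output so it can be read offline.

```powershell
# Added example: parse "netsh nap client show state" into objects and report
# which enforcement clients are initialized. Ids and names are the ones netsh
# printed above; the fallback sample is a constructed excerpt of that output.

function Get-NapEnforcementClients {
    param([string[]]$Lines)
    $clients = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Id\s*=\s*(\d+)\s*$') {
            if ($current) { $clients += $current }
            $current = New-Object PSObject -Property @{
                Id = [int]$matches[1]; Name = ''; Initialized = $false }
        } elseif ($current -and $line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            $current.Name = $matches[1]
        } elseif ($current -and $line -match '^\s*Initialized\s*=\s*(\w+)') {
            $current.Initialized = ($matches[1] -eq 'Yes')
        }
    }
    if ($current) { $clients += $current }
    return $clients
}

# Constructed excerpt of the netsh output quoted in this post.
$sampleText = @'
Enforcement client state:
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = Yes
Id                     = 79619
Name                   = IPSec Relying Party
Initialized            = No
'@
$sample = $sampleText -split "`r?`n"

# Prefer live output; fall back to the constructed sample when netsh is absent.
$lines = if (Get-Command netsh -ErrorAction SilentlyContinue) {
    netsh nap client show state
} else { $sample }

$clients = Get-NapEnforcementClients -Lines $lines
$clients | Format-Table Id, Name, Initialized -AutoSize

# IPsec enforcement with HRA needs the IPsec Relying Party client enabled.
$ipsec = $clients | Where-Object { $_.Id -eq 79619 }
if ($ipsec -and -not $ipsec.Initialized) {
    Write-Warning ('IPsec enforcement client is not initialized; enable it with: ' +
        'netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"')
}
```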