Problems when trying to configure NAP using IPsec

  • Question

  • Hello, when I try to start the Network Access Protection Agent service, either manually or automatically through GPO, it stops immediately after a few seconds, giving me these problem details...

    Problem signature:
      Problem Event Name:    APPCRASH
      Application Name:    svchost.exe_napagent
      Application Version:    6.0.6001.18000
      Application Timestamp:    47918b89
      Fault Module Name:    StackHash_4576
      Fault Module Version:    6.0.6001.18000
      Fault Module Timestamp:    4791a7a6
      Exception Code:    c0000374
      Exception Offset:    000b015d
      OS Version:    6.0.6001.2.1.0.272.7
      Locale ID:    1033
      Additional Information 1:    4576
      Additional Information 2:    3038785d191ff8bb8a6fca1f0816a4d1
      Additional Information 3:    d41f
      Additional Information 4:    f765bd38cd94051715f4268e30235598

    Read our privacy statement:
      http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
     
    I have set up the DC, NPS, NAP and HRA all on one server, since this is a test setup. I have also enabled an IPsec rule on the server so that 2 domain-joined client PCs can communicate
    only using health certificates.

    The problem is that the NAP Agent does not stay started and stops, and I do not have a clue what the reason is, since it is doing the same on both PCs and even when I try to start the same service on the server.
    Friday, April 17, 2009 6:06 PM

Answers

  • As Greg said already, it is expected that the Windows System Health Agent will not work on Server SKUs. I assume all your clients are also Server SKUs.

    Thanks
    -RamaSubbu SK


    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Sunday, April 19, 2009 2:28 AM

All replies

  • Hi AcmSoft,
      Thanks for informing us about this. This is strange, that SVCHOST is crashing. Can you tell us the following information?
    (1) Which OS are you using? Does it have all the updates & patches applied from http://windowsupdate.microsoft.com?
    (2) Do you have any 3rd-party SHA/SHV installed?

     Generally, SVCHOST is a process that hosts lots of services in a single process. If any one of the services in the SVCHOST process crashes, then all the other services will also get killed along with it. We need to find which service is crashing. Do you see the same behaviour on both PCs? There are lots of ways you can find which service is crashing.
    (1) Using WinDbg: if you have used WinDbg before, it would be pretty easy to find which service is crashing by attaching the debugger to the SVCHOST process. Or,
    (2) By functional elimination: does the NAPAgent service start properly if the IPsec QEC is disabled? If yes, try enabling the IPsec QEC manually and see whether it crashes or not.



    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Saturday, April 18, 2009 12:42 AM
  • OK, the NAP Agent service is now started and stays started after reconfiguring NAP on the server from the start. The problem I have is that I cannot establish communication between two client PCs by using NAP IPsec with HRA. All PCs are Win 2008 Server Standard. I ran the IPsec Diag Tool on one of the clients just before trying to browse the other PC, and I will paste the results here....

     
    -----------Local Mode Diagnosis:Start - 2006/02/21(19hr:27min:37sec)-----------
    Log Location: C:\Users\toshall\AppData\Roaming\IPSecureLogs\LocalMode2006-02-21(19hr-27min-37sec)
    Local IP: 192.168.0.98, Remote Machine: celeronpc
     
    SystemInfo:
    --Passed: System information(software, hardware,active processes, active network connections) collected. View Output Logs for details
     
    Network Interface Diagnosis:
    --Passed : Network Interface configured correctly
     
    Ping (Remote Reachability) Diagnosis:
    Passed: Remote machine,"celeronpc", is reachable from host
     
    NAP Client Diagnosis:
    --Information : NAP client is running
    ---- NAP logs collected
     
    IPsec Service Diagnosis:
    --Passed : IPsec services are up and running
    ----BFE up and running
    ----IKEext/Policyagent up and running
     
    Live Debugging: Start
    --Information: Enabling RRAS Trace
     
    WFPUtil Diagnosis:
    (If you did not repro the issue while the tool was running, ignore WFPUtil Diagnosis)

    This Diagnosis report is for negotiation between host and 192.168.0.88
    Failed: No IKE negotiaton found between Host machine and 192.168.0.88. This could be because:
    --1.Wrong value was entered for the Desitnation IP Address(Client2 IP)
    --2.Wrong log was provided
    --3.IPSec is not monitoring traffic between Host machine and 192.168.0.88

    Live Debugging: End
     
    RRAS Diagnosis:
    --Passed : RRAS is switched off, implying no external policies
    --Information: Disabling RRAS trace that was enabled during live debugging.RRAS logs copied.
     
    Registry and Events Diagnosis:
    --Passed: System, Application and Security event logs collected
     
    Windows Firewall Diagnosis:
    --Information : Firewall is active
     
    IPsec SA, Filter Diagnosis:
    --Passed : Main mode SA exists between 192.168.0.98 and 192.168.0.88.
    --Passed : Quick Mode SA exists between 192.168.0.98 and 192.168.0.88
    --Information : No Legacy MM policies applied on this system

    --Information : Found Rules on this system
    --Passed : One or more rules are active on this system
    --Information : No Policy assigned on the system
    --Information : No Legacy QM policies assigned on the system
    --Information : No legacy MM outbound filters between exist between 192.168.0.98 and 192.168.0.88
    --Information : No Legacy MM inbound filters between exist between 192.168.0.98 and 192.168.0.88
     
    -----------Local Mode Diagnosis:End - 2006/02/21(19hr:31min:54sec)-----------


    Any help on how I can troubleshoot properly?
    Saturday, April 18, 2009 3:35 AM
  • Hi,

    Have you checked to see if the client machines have health certificates using the certificates snap-in? This is required for communication.

    Did you say that all PCs are running Server 2008, including clients? If so, then you can't use the WSHV to configure health requirements. How have you configured your health policies?

    -Greg
    Saturday, April 18, 2009 4:40 AM
  • No, they have a computer account certificate that says Client Authentication, Server Authentication under Personal Certificates. I have set up the communication between the 2 PCs to work for a limited period even if they are not healthy, via the NAP IPsec with HRA non-compliant policy, but I am not obtaining the health certificate from the CA, which is needed for communication between the 2 domain-joined PCs. The event log gives these errors....

    The Health Registration Authority has approved the request with the Correlation ID {5ADEBA8E-5165-47E9-8291-6B8BC54767F5}-2006-02-22 15:32:58Z at IP address 192.168.0.98 (Principal: NWTRADERS\TOSHIBALAP$). The Network Policy Server has indicated that the client should be given full network access for a limited time.

    The Health Registration Authority was unable to acquire a certificate for request with the correlation-id {5ADEBA8E-5165-47E9-8291-6B8BC54767F5}-2006-02-22 15:32:58Z at 192.168.0.98 (principal: NWTRADERS\TOSHIBALAP$). Discarding the request. The Certification Authority \\dcsrv1.nwtraders.msft\nwtraders-DCSRV1-CA denied the request with the following error: Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
     (0x80004005). Contact the Certification Authority administrator for more information.

    I know that the time is incorrect, but I have set up the policy to permit communication for 1 hour even if the PCs are not healthy.
    Saturday, April 18, 2009 3:45 PM
  • Hi,

    I think that error occurs if you configure HRA to use an Enterprise CA, but the CA is actually standalone. There may be a few other things that cause this. What type of CA are you using?

    I'm a little confused about your setup. How many servers and clients do you have, and what services are installed on each? Which computers have the certificates you mentioned and which are not able to obtain a certificate?

    Thanks,
    -Greg
    Saturday, April 18, 2009 4:50 PM
  • I have 1 Server 2008 Standard which has all required roles installed (DC, CA, NPS, HRA, NAP) and 2 clients which also have Win 2008 Standard installed. The event log was taken from the server when one of the clients tried to obtain a health certificate from the HRA through the CA, but it failed. This is the main problem: the 2 machines are not getting the health certificate even though I have set the Network Policy to allow clients that do not meet the health requirements for a limited period of time. For the reason I gave above, it is not obtaining the health certificate.
    Saturday, April 18, 2009 9:37 PM
  • Hi,

    The problem is that you cannot use 2008 standard as your Root CA. You must have 2008 Enterprise because you need to publish the health certificate template.

    This is the required procedure that you are unable to perform on Server 2008 standard:

    Publish certificate templates

    Use the following procedure to allow the CA to issue the new health certificate template.

    To publish certificate templates

    1.   Click Start, click Run, type certsrv.msc, and then press ENTER.

    2.   Open Root CA, and in the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

    3.   Click System Health Authentication, and then click OK.

    4.   In the console tree, click Certificate Templates, and in the details pane under Name, verify that System Health Authentication is displayed.

    5.   Close the Certification Authority console.

    Saturday, April 18, 2009 10:09 PM
  • I have set up the same network but with DHCP enforcement and it seems to be working. All I am not certain about is the pop-up I am getting: "SHA Not Present. An SHA that may be required for this computer is not present on this computer."

    Is it normal?

    C:\Users\toshall>netsh nap client show state

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted, deferred enforcement
    Troubleshooting URL    =
    Restriction start time = 2/22/2006 2:59:43 PM
    Extended state         =

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Clie
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Acc
    tection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Ok.

    Thank you
    Saturday, April 18, 2009 10:45 PM
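A check script for the three points raised in this thread (the enforcement client state shown by `netsh nap client show state`, the health certificate on the client, and the published template on the CA), added here as an example and not taken from the thread or from Microsoft documentation. It assumes an elevated PowerShell session, that the client and CA checks are run on the respective machines, and that the System Health Authentication EKU OID is 1.3.6.1.4.1.311.47.1.1 (the standard Microsoft OID for health certificates).

```powershell
# Added example, not from the thread. Run elevated. Assumes the standard Microsoft
# System Health Authentication EKU OID; netsh and certutil are the built-in tools.

# 1. NAP enforcement clients: parse 'netsh nap client show state' into name -> Initialized.
$ecState = @{}
$current = $null
foreach ($line in (netsh nap client show state)) {
    if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') { $current = $Matches[1] }
    elseif ($line -match '^\s*Initialized\s*=\s*(Yes|No)' -and $current) { $ecState[$current] = $Matches[1] }
}
$ipsecEc = $ecState.Keys | Where-Object { $_ -like 'IPSec Relying Party*' } | Select-Object -First 1
if ($ipsecEc -and $ecState[$ipsecEc] -eq 'Yes') {
    Write-Output 'IPsec enforcement client: initialized'
} else {
    # 79619 is the IPsec Relying Party id shown in the netsh output above.
    Write-Output 'IPsec enforcement client NOT initialized; enable with: netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"'
}

# 2. Health certificate on this client: look for the System Health Authentication EKU in
#    the local machine Personal store, where the HRA-issued certificate is placed.
$healthOid = '1.3.6.1.4.1.311.47.1.1'
$healthCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $healthOid }
}
if ($healthCerts) {
    $healthCerts | ForEach-Object { Write-Output ("Health cert: {0} expires {1}" -f $_.Subject, $_.NotAfter) }
} else {
    Write-Output 'No health certificate present: IPsec negotiation between clients will fail'
}

# 3. On the CA: is it an enterprise CA, and is the template published? A standalone CA
#    cannot issue from templates, which is the 0x80094801 symptom in the thread.
$caInfo = certutil -cainfo type 2>&1
if ($caInfo -match 'Enterprise') {
    $templates = certutil -CATemplates 2>&1
    if ($templates -match 'System Health Authentication') {
        Write-Output 'CA: System Health Authentication template is published'
    } else {
        Write-Output 'CA: template not published; add it via Certificate Templates > New > Certificate Template to Issue'
    }
} else {
    Write-Output "CA: not an enterprise CA (or certutil failed): $caInfo"
}
```

Section 3 only makes sense on the CA itself; on a client it reports the certutil failure rather than a template problem.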