• Question

  • Hi,

    I am in the middle of deploying UAG NAP and I want to use my existing Enterprise CA to deploy the health certificate. Can someone please let me know if this is possible?

    Most of the research I have done seems to suggest you need a separate dedicate CA for NAP integration with UAG. What I want to do is install the NPS and HRA roles on the UAG server and use the existing enterprise CA as the NAP CA.

    Our current environment currently has:

    1. 1 X enterprise CA - this CA is currently in use to deploy the DirectAccess computer certificate. It is also used as the CRL distribution point for our IPHTTPS certificate.

    2. 1 X UAG server - this server will be installed with the NPS and HRA roles.

    I created the health certificate using the workstation template in my enterprise CA and I selected this health certificate under the section "Select the authenticate compliant certificate template": "If you have specified an Enterprise CA, you must select a certificate template."

    I am not sure what I am doing wrong because it doesn't look like the clients are picking up the health certificate...

    Can anyone help?

    Tuesday, October 11, 2011 1:30 AM


All replies

  • Hi Mr. Pham,

    I don't know the exact reason why Microsoft has decided to use a dedicated CA, but here are my guesses:

    1.) Scalability Reason: NAP enabled CAs will issue a lot of certificates, since the HRA has to issue short lifetime to your clients. This may have certain impact on the existing PKI infrastructure.

    2.) Security Reasons: IPSec tunnels are getting authenticated when both peers are using certs from the same CA. When both IPSec tunnels (Infrastructure, Intranet Tunnel) share the same CA, then this may cause some security issues since the intranet certs may also be used for infrastructure access. In addition you can't control which cert should be used for which tunnel, since you could only specify the issuing CA within the IPSec rules...

    BTW: I wouldn't recommend installing the HRA and NPS on UAG, since UAG requires/preconfigures its own NPS for SSTP VPN.

    Hope someone at Microsoft can shed some light on this question to get the real reasons...


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Tuesday, October 11, 2011 7:53 AM
  • Thanks Kai for your post and excellent explanation!

    So is that confirmed? We will need a dedicated CA for NAP?

    I cannot use my existing enterprise CA to provide health certificate?

    Tuesday, October 11, 2011 8:47 AM
  • Hi Mr. Pham,

    It's possible to use your existing root CA for NAP. Although the question remains if this setup is recommended or not :)

    Here are the official words on the UAG/DA certificate authority requirements...


    Certificate requirements are as follows:

    4.) A Windows-based CA must be used if you are deploying NAP. We recommend that a dedicated CA is used.


    The following limitations apply:

    5.) The CA used to issue NAP health certificates must be a Windows-based CA. We recommend that in a large deployment a dedicated CA is used for performance purposes.


    As you can see, the dedicated CA thing is "just" a recommendation but not a real requirement^^


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Tuesday, October 11, 2011 10:34 AM
  • Hi Pham,

    You don't need a dedicated CA for NAP, but it was often recommended as the issuance of a large number of short lifetime certificates was a good case to use something different/dedicated so that you don't impact the load and database size on your existing CA. With large sized deployments, I believe a dedicated CA is still recommended from a load/performance perspective and a "good thing to do and design for".

    With the advent of AD CS in Windows Server 2008 R2 however, you now have the ability to configure a certificate template with the "Do not store certificates and requests in the CA database..." and "Do not include revocation information..." options as discussed here: http://technet.microsoft.com/en-us/library/ff934598(WS.10).aspx The main reason for this approach was improved support for high-volume CAs, as discussed here: http://technet.microsoft.com/en-us/library/dd448537(WS.10).aspx and this specifically applies to NAP scenarios.

    With the advent of UAG SP1, MS added support for running the NAP components "on UAG box" as discussed here: http://technet.microsoft.com/en-us/library/gg315299.aspx and see here: http://www.windowsecurity.com/articles/Integrated-NAP-Functionality-UAG-2010-Service-Pack1-DirectAccess.html for a working example. Installing the NAP components locally is part of the SP1 DA wizard on UAG.

    The general NAP info here is a good starting place if you plan to use NAP "off UAG box": http://technet.microsoft.com/en-us/library/dd125391(WS.10).aspx and then integrate with UAG DA.

    Can you provide an idea on the scale of your environment and the intended number of DA users? Given the fact that you are talking about a single UAG server and have a single CA server, I would guess that deploying additional servers for a dedicated NAP CA and dedicated NPS/HRA servers is not necessary. More elegant, yes, but probably not strictly necessary...

    The NAP features in the SP1 DA wizard were specifically created for guys like you who don't already have NAP, but want to enable it specifically for UAG NAP.

    This is also very worthwhile reading:

    http://blogs.technet.com/b/tomshinder/archive/2010/11/01/test-lab-guide-demonstrate-uag-sp1-rc-directaccess-with-nap-blog-version.aspx and

    I would suggest this is the best link I can give you and suggest you maybe start here: http://technet.microsoft.com/en-us/library/gg295309.aspx

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, October 12, 2011 10:05 AM
  • Many Thanks Jason for the excellent post.

    I just need a confirmation that this is a supported scenario and you have answered my question.

    Our environment is quite small (100 users), that's the reason why we want to use the same CA server to issue DA certificate and NAP certificate on the same box.

    Would you be able to confirm the following setup configuration and let me know if there's any steps I might have missed out?

    1. I configure a health certificate template on the CA.

    2. Assign the UAG server the appropriate permission to issue and manage certificates on the CA server.

    3. Configure the UAG server to point to the Enterprise CA and use the health certificate template created in step 1 in the DA Wizard.

    Do I need to do anything else? My DA client does not appear to be picking up the health certificate. I set the NAP access to both monitoring and enforcement mode but it does not seem to work.

    On the DA client I seem to be getting errors relating to the DA client being unable to find the CA server. Do I need to publish the CRL or CA server? From what I understand the UAG server (HRA) is responsible for requesting and issuing the certificate on behalf of the DA client.


    Many thanks in advance.

    Wednesday, October 12, 2011 12:12 PM
  • Which guide(s) did you follow (so I can align my thoughts)?

    What errors (be specific) do you get in the Event Viewer|Application and Services Logs|Microsoft|Windows|Network Access Protection|Operational log?

    Can you obtain a health certificate when on the internal network?



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, October 12, 2011 12:35 PM
  • Hi Jason,


    I followed a combination of references.

    1. http://technet.microsoft.com/en-us/forefront/ff793469 - in section DirectAccess under virtual lab. I followed the settings for configuring the DirectAccess health certificate in the virtual lab.

    2. http://www.windowsecurity.com/articles/Integrated-NAP-Functionality-UAG-2010-Service-Pack1-DirectAccess.html - I followed this part to configure UAG.

    This is the error I am getting on the DA client.

    The Network Access Protection agent failed to initialize the following enrollment configuration.


    HRA Group : UAGDA

    CSP Name : Microsoft RSA SChannel Cryptographic Provider

    Key Specification : AT_KEYEXCHANGE

    Key Length : 2048

    Signature Algorithm :

    The initialization failed with the error code (2147549448).

    Contact the HRA administrator for more information.


    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {BEEF2562-9CD8-4C9B-830D-E86EE2B1BD2A} - 2011-09-30 03:31:34.421Z from https://da.domain.com/domainhra/hcsrvext.dll.

    The request failed with the error code (0). This server will not be tried again for 10 minutes.

    Contact the HRA administrator for more information.


    Thursday, October 13, 2011 12:36 AM
  • Hi Jason,


    I followed the guide above to double check my configuration and everything appears to be correct. This is what I found on the

    1. DA Client - the health of the computer appears to be sent to the HRA server as I can see the following event 27/28 in my Network Access Protection --> Operational.

    A Statement of Health with correlation ID {5813AD63-3482-4EAA-BAFA-9F168CFB131B} - 2011-10-14 01:49:53.061Z was sent to the enforcement client 79871.

    Looks like the infrastructure tunnel is working as I can still apply gpupdate, but I cannot access my file share, which indicates I do not have a valid health certificate.

    I am not seeing any error regarding connectivity to https://da.domain.com/domainhra/hcsrvext.dll, therefore the DA client should not have any issue contacting the HRA server (i.e. the UAG server in my case).


    2. On the HRA/NPS/UAG server I expected to see some information with HRA such as event id 22 approving the request of the client but I am not seeing that. In fact, I am not seeing anything on the UAG server with regards to HRA...

    I have tried to automatically enroll the health certificate on the UAG server and I can do this fine, which suggests I do not have any network connectivity issue to the Enterprise CA server...

    From what I can see there is some issue with the HRA server not being able to verify the health certificate... My knowledge with NAP and UAG is quite limited so I don't know what to troubleshoot next.


    Can someone please help?

    Friday, October 14, 2011 2:14 AM
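The two checks Jason asked for (does the DA client hold a health certificate, and what is the NAP Operational log reporting) can be scripted on the client. The following is an added example, not code from the thread; it assumes it is run elevated on the DirectAccess client, and uses the standard System Health Authentication EKU OID and the NAP Operational log name rather than anything specific to this deployment.

```powershell
# Added example (not from the thread). Run elevated on the DA/NAP client.
$HealthEku = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU (standard OID)
$NapLog    = 'Microsoft-Windows-NetworkAccessProtection/Operational'

# 1. Is there a health certificate in the machine store, and is it currently valid?
#    HRA-issued health certificates are short-lived, so check the validity window, not just presence.
$now    = Get-Date
$health = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $HealthEku }

if (-not $health) {
    Write-Warning 'No health certificate in LocalMachine\My: the HRA never issued one (or it was removed).'
} else {
    foreach ($cert in $health) {
        $state = if ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now) { 'valid' } else { 'EXPIRED or not yet valid' }
        '{0}  issuer={1}  expires={2:u}  {3}' -f $cert.Thumbprint, $cert.Issuer, $cert.NotAfter, $state
    }
}

# 2. Pull recent NAP agent errors/warnings and decode the decimal "error code (N)"
#    the agent logs into the HRESULT hex form that is easier to look up.
function ConvertTo-Hresult([long]$Code) { '0x{0:X8}' -f ([uint32]$Code) }

Get-WinEvent -FilterHashtable @{ LogName = $NapLog; Level = 2, 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $codes = [regex]::Matches($_.Message, 'error code \((\d+)\)') |
                 ForEach-Object { ConvertTo-Hresult $_.Groups[1].Value }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Hresult = ($codes -join ',')
            Summary = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
```

For the code quoted earlier in the thread, 2147549448 decodes to 0x80010108 (RPC_E_DISCONNECTED), which points at the local NAP agent losing its enrollment/COM session rather than at the CA itself being unreachable.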