IIS 7.0 Settings for NAP with IPSEC

  • Question

  • Hi All,
    I have AD with a ROOT CA on 2008, and a NAP server with a SUB CA.
    I am not able to open the URL https:// NPSSERVER.doamin/domainhra/HCSRVEXT.dll and Error Code 0x00000000
    Are there any settings in IIS 7.0?

    The client is getting all Group Policy and IPsec Relay is enabled.

    Client Event ID is 21
    The description is as follows:
    The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {6589BDC3-E272-4873-879B-6042B85810E3} - 2009-08-13 07:12:44.080Z from https://NPS.crop.com/domainhra/hcsrvext.dll.
     The request failed with the error code (-2147012852). This server will not be tried again for 10 minutes.
     See the HRA administrator for more information.



    Mahesh Kumar-MCTS Microsoft Management services
    Monday, August 17, 2009 6:09 AM

Answers

  • Now that you have got HTTP error 500, then you have configured the HRA properly.
    Now you have to check HRA & NPS Event logs, for why HRA is not able to distribute the Certificate.

    What do you want to access in the URL from the domain?

    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Tuesday, August 18, 2009 6:35 PM
  • Hi,

    If you click the URL from a client it's normal to get error 500. From http://technet.microsoft.com/en-us/library/cc735487(WS.10).aspx : "When you browse to the HRA Web site, Internet Explorer will display a "500 - Internal server error" message. This is normal, and indicates that the client computer can connect to the HRA server."

    There are also some steps in the link above to help you view certificates on client computers, which is one way of verifying that HRA is working. On a client computer, you'll see event 22 if it was able to acquire a certificate, and event 21 if it fails. There is more information about troubleshooting event 21 here: http://technet.microsoft.com/en-us/library/dd348508(WS.10).aspx

    The best way to monitor success and failure of your NAP servers is to review NAP events. On the server, see Custom Views\Server Roles\Network Policy and Access Services.

    -Greg

    Wednesday, August 19, 2009 8:45 PM
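
For the event 21 check described in the answer above, an added example (not part of any post in this thread) that pulls the HRA URL, correlation ID and error code out of the event description and decodes the signed error code into an HRESULT. `ConvertFrom-NapEvent21` is a hypothetical helper name, and the input is the event text quoted in the question.

```powershell
# Constructed input: the event 21 description quoted in the question above.
$sample = @'
The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id {6589BDC3-E272-4873-879B-6042B85810E3} - 2009-08-13 07:12:44.080Z from https://NPS.crop.com/domainhra/hcsrvext.dll.
The request failed with the error code (-2147012852). This server will not be tried again for 10 minutes.
'@

# Hypothetical helper (not a built-in cmdlet). Needs PowerShell 3.0 or later.
function ConvertFrom-NapEvent21 {
    param([Parameter(Mandatory = $true)][string]$Message)

    $pattern = '(?s)correlation-id (?<id>\{[0-9A-Fa-f-]+\}).*?' +
               'from (?<url>https?://\S+?)\.\s.*?error code \((?<code>-?\d+)\)'
    $m = [regex]::Match($Message, $pattern)
    if (-not $m.Success) { throw 'Not a NAP Agent event 21 description.' }

    # The event prints the HRESULT as a signed 32-bit integer.
    [int64]$value = $m.Groups['code'].Value
    if ($value -lt 0) { $value += 4294967296 }   # back to unsigned 32-bit
    $facility = [int](($value -shr 16) -band 0x1FFF)
    $code     = [int]($value -band 0xFFFF)

    # Partial table of HTTP-stack (WinHTTP/WinINet) error codes.
    $known = @{
        12002 = 'Request timed out'
        12007 = 'Server name could not be resolved'
        12029 = 'Could not connect to the server'
        12044 = 'Server requires a client certificate'
        12175 = 'TLS/SSL failure (certificate or channel error)'
    }
    # Facility 7 means the low 16 bits are a Win32 error code.
    $meaning = if ($facility -eq 7 -and $known.ContainsKey($code)) {
        $known[$code]
    } else {
        'Not in this table; look up the HRESULT'
    }

    [pscustomobject]@{
        CorrelationId = $m.Groups['id'].Value
        HraUrl        = $m.Groups['url'].Value
        HResult       = '0x{0:X8}' -f $value
        Facility      = $facility
        Win32Code     = $code
        Meaning       = $meaning
    }
}

ConvertFrom-NapEvent21 -Message $sample | Format-List
```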

All replies

  • Hi Mahesh,
    I see two URLs here, which one is the right value?
         https:// NPSSERVER.doamin/domainhra/HCSRVEXT.dll
         https://NPS.crop.com/domainhra/hcsrvext.dll

    Also, in the first URL there might be a spelling mistake in NPSSERVER.doamin, it could be NPSSERVER.domain, and for the second URL NPS.crop.com could be NPS.corp.com

    The client is configured to https://NPS.crop.com/domainhra/hcssrvext.dll , when you try to open this URL in IE what HTTP error are you getting? You should get HTTP error 500.

    Here is the link for the IPsec NAP step-by-step document:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=298ff956-1e6c-4d97-a3ed-7e7ffc4bed32&displaylang=en


    Thanks
    -RamaSubbu SK


    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Monday, August 17, 2009 6:23 PM
  • Hi,
    Sorry for the spelling mistake.

    My domain is Crop.com not corp.com
    and the URL is https://NPS.crop.com/domainhra/hcsrvext.dll

    When I am trying to access this URL from the client, it asks me for the domain user name and password (domain admin user).
    After giving the domain credentials it gives the HTTP error 500 Internal Server Error. I have already configured the NAP environment as per the same link you provided.

    How can I check my HRA server is working fine?

    In IIS, do we have to change some settings so we can access the same URL from the domain?


    Mahesh Kumar-MCTS Microsoft Management services
    Tuesday, August 18, 2009 4:39 AM