Windows Security Health Validator result contains no information
-
Hello,
We are implementing NAP in Reporting mode with 802.1X enforcement in a controlled environment with a limited number of production clients. We configured a Cisco Catalyst switch and an NPS server according to the step-by-step guide from Microsoft ('NAP_802.1X_StepByStep.doc'). Network access is granted to each supplicant according to the configured network policy, as it is supposed to be.
During development of the NAP reporting tool we faced a problem with retrieving Windows System Health Validator results. Both events 6276 and 6278 in the NPS event log contain an empty string in the WSHV details section. There is also no information on this in the local log files or the SQL database. However, it was stated in the post “Debugging NAP Errors (part 1)” (http://blogs.technet.com/nap/archive/2008/02/19/debugging-nap-errors-part-1.aspx) that the WSHV section should contain information about the nap client validation results for either full or quarantine access.
Here is the content of event ID 6278 we have in the NPS event log. A policy for non-compliant clients was applied (the client's antivirus software was manually disabled). Since NPS is configured to run in Reporting mode, the client gets full network access:
“User:
Security ID: DVGD\IVC-VCL-MOBIL1$
Account Name: host/IVC-VCL-mobil1.dvgd.oao.rzd
Account Domain: DVGD
Fully Qualified Account Name: DVGD\IVC-VCL-MOBIL1$
Client Machine:
Security ID: NULL SID
Account Name: IVC-VCL-mobil1.dvgd.oao.rzd
Fully Qualified Account Name: DVGD\IVC-VCL-MOBIL1$
OS-Version: 5.1.2600 3.0 x86
Called Station Identifier: -
Calling Station Identifier: 00-16-36-5e-d1-62
NAS:
NAS IPv4 Address: 10.103.254.29
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: -
NAS Port: 203
RADIUS Client:
Client Friendly Name: ivc-225-c4003
Client IP Address: 10.103.254.29
Authentication Details:
Proxy Policy Name: NAP 802.1X (Wired)
Network Policy Name: Stage1 IVC NAP 802.1X (Wired) Noncompliant
Authentication Provider: -
Authentication Server: DVGD-NAP-01.dvgd.oao.rzd
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: -
Extended-Result: -
Session Identifier: {049C2428-A212-4D14-9E9F-B15041F29071} - 2010-02-09 03:40:51.828Z
Help URL: -
System Health Validator Result(s):
Windows Security Health Validator”
However, the nap client on the supplicant returns a detailed report for the system’s state of health (netsh nap client show state):
System health agent (SHA) state:
“----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Could not update
Remediation percentage = 0
Fixup Message = (3237937215) - The Windows Security Health Agent cannot update the security state of this computer.
Compliance results = (0x00000000) -
(0xC0FF0047) - A third-party system health component is not enabled.
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
Remediation results = (0xC0FF004A) - A third-party antivirus product is not enabled. Windows cannot enable the antivirus product automatically. An administrator must enable the antivirus product manually.”
Below is the trace log on the NPS server (IASNAP.LOG) for that request:
[6472] 02-08 10:53:35:331: The request comes from NAS type 0
[6472] 02-08 10:53:35:332: Applying CRP policy:NAP 802.1X (Wired)
[7500] 02-08 10:53:40:434: The request comes from NAS type 0
[7500] 02-08 10:53:40:434: Applying CRP policy:NAP 802.1X (Wired)
[6472] 02-08 10:53:41:071: The request comes from NAS type 0
[6472] 02-08 10:53:41:071: Applying CRP policy:NAP 802.1X (Wired)
[7500] 02-08 10:53:41:723: The request comes from NAS type 0
[7500] 02-08 10:53:41:723: Applying CRP policy:NAP 802.1X (Wired)
[6472] 02-08 10:53:42:675: The request comes from NAS type 0
[6472] 02-08 10:53:42:675: Applying CRP policy:NAP 802.1X (Wired)
[7500] 02-08 10:53:43:632: The request comes from NAS type 0
[7500] 02-08 10:53:43:632: Applying CRP policy:NAP 802.1X (Wired)
[6472] 02-08 10:53:44:273: The request comes from NAS type 0
[6472] 02-08 10:53:44:317: Applying CRP policy:NAP 802.1X (Wired)
[7500] 02-08 10:53:45:213: The request comes from NAS type 0
[7500] 02-08 10:53:45:213: Applying CRP policy:NAP 802.1X (Wired)
[6472] 02-08 10:53:46:172: The request comes from NAS type 0
[6472] 02-08 10:53:46:172: Applying CRP policy:NAP 802.1X (Wired)
[7500] 02-08 10:53:47:775: The request comes from NAS type 0
[7500] 02-08 10:53:47:776: Applying CRP policy:NAP 802.1X (Wired)
[6472] 02-08 10:53:48:407: The request comes from NAS type 0
[6472] 02-08 10:53:48:407: Applying CRP policy:NAP 802.1X (Wired)
[7500] 02-08 10:53:49:356: The request comes from NAS type 0
[7500] 02-08 10:53:49:356: Applying CRP policy:NAP 802.1X (Wired)
[7500] 02-08 10:53:49:359: The SoH will be evaluated against the following Shvs
[7500] 02-08 10:53:49:359: SHV Id : 79744
[7500] 02-08 10:53:49:359: Quarantine evaluation will complete asynchronously
[7112] 02-08 10:53:49:365: Total SHV results = 1
[7112] 02-08 10:53:49:366: SHV Id = 79744,Compliance = 0,Extended State = 0,FailureCategory = 0,ResponseTimeInMsec = 4,ComplianceResultCount = 6
[7112] 02-08 10:53:49:366: Quarantine evaluation async call succeeded
[7112] 02-08 10:53:49:366: The request comes from NAS type 0
[7112] 02-08 10:53:49:366: Applying RAP policy:Stage1 IVC NAP 802.1X (Wired) Noncompliant
[7112] 02-08 10:53:49:366: Auto-generation of Session-Timeout is disabled.
[7112] 02-08 10:53:49:366: The request is given quarantine state 0
[7112] 02-08 10:53:49:366: Setting isolationStateNotRestricted on Shv
[7112] 02-08 10:53:49:366: The SoHR will be calculated based on the following Shvs
[7112] 02-08 10:53:49:366: SHV Id : 79744
[7112] 02-08 10:53:49:366: Using MS_ATTRIBUTE_QUARANTINE_SOH for soh response (MS_ATTRIBUTE_EAP_TLV usage for SoH is discontinued)
[7112] 02-08 10:53:49:366: Inserted SOH response attribute of length = 206
[7112] 02-08 10:53:49:366: Insert Machine-Name attribute
[6472] 02-08 10:53:50:303: The request comes from NAS type 0
[6472] 02-08 10:53:50:303: Applying CRP policy:NAP 802.1X (Wired)
[7860] 02-08 10:53:50:872: The request comes from NAS type 0
[7860] 02-08 10:53:50:872: Applying CRP policy:NAP 802.1X (Wired)
NPS OS version: Windows Server 2008 Standard 6.0.6002 Service Pack 2 Build 6002. Client OS version: Windows XP SP3, Windows 7.
I have searched all over the Internet and MS NAP forum and couldn’t find any helpful information on this problem.
Could you please help us with troubleshooting this issue?
Kind regards,
Dmitry
Answers
-
Hi Dmitry,
I found out that this is a bug when the locale on NPS is not English. There is a workaround - you must set the locale to English. I will continue to investigate if this bug will be fixed for NPS 2008 SP2. I think another possible solution is to upgrade NPS to 2008 R2.
-Greg
- Marked as answer by Dmitry Patrin Friday, April 30, 2010 4:02 AM
All replies
-
Hi,
I apologize for the delay in answering this question. I only discovered it today when searching for unanswered questions.
You said you are developing a reporting tool. Are you using NPS events, or NPS logging files for this? Also please let me know if there are any updates to the issue.
Thanks,
-Greg
-
Hi Greg,
Thank you for your response.
NPS logs are written both in logging files and local SQL server database. SQL logs are gathered in a central SQL database. Our reporting tool uses that central database to parse NPS event entries.
I have checked NPS messages in logging files and in database records and in NPS events on the NPS Server. There is no information on nap client state.
Also, we managed to reproduce the issue in a lab environment. For that we used a single Windows Server 2008 SP2 with the roles AD+DHCP+NPS installed and a Windows XP SP3 nap client.
We requested our official Microsoft representative to post this issue to the Partner Online Technical Community on 19 February 2010. The answer was that this is a product issue with the NPS event and that a fix was being developed. There haven't been any updates on the issue until now.
Kind regards,
Dmitry
-
Hi Dmitry,
It sounds like you have found a bug with XP SP3, but that certainly isn't good news. I assume this doesn't occur if the client is Vista or Windows 7.
One thing that doesn't make sense to me is that there seems to be the incorrect number of compliance values listed for an XP computer. There are eight when there should be six.
Compliance results =
(0x00000000) -
(0xC0FF0047) - A third-party system health component is not enabled.
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
This is the correct number for a client that has antimalware (one for the application being on and one for it being up to date). XP does not have Windows Defender or the antimalware check, so it should only have six compliance values.
-Greg
-
Hi Greg,
We have tried it with Vista and Windows 7 clients too. You are right, WinXP has 6 compliance values. Instead of the WinXP log I put a Windows 7 one. Yesterday I experimented with Windows 7 and Windows XP and the results are below.
Here is the nap client state for Windows 7 with disabled antivirus:
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Could not update
Remediation percentage = 0
Fixup Message = (3237937215) - The Windows Security Health Agent cannot update the security state of this computer.
Compliance results = (0x00000000) -
(0xC0FF0047) - A third-party system health component is not enabled.
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
Remediation results = (0xC0FF004A) - A third-party antivirus product is not enabled. Windows cannot enable the antivirus product automatically. An administrator must enable the antivirus product manually.
And this is a corresponding event on the NPS server for that client
"Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: DVGD\IVC-PatrinDA$
Account Name: host/IVC-PatrinDA.dvgd.oao.rzd
Account Domain: DVGD
Fully Qualified Account Name: DVGD\IVC-PatrinDA$
Client Machine:
Security ID: NULL SID
Account Name: IVC-PatrinDA.dvgd.oao.rzd
Fully Qualified Account Name: DVGD\IVC-PatrinDA$
OS-Version: 6.1.7600 0.0 x86
Called Station Identifier: 00-0F-34-15-06-16
Calling Station Identifier: 00-30-05-AB-9C-38
NAS:
NAS IPv4 Address: 10.103.255.11
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: -
NAS Port: 50307
RADIUS Client:
Client Friendly Name: ivc-225-c6506
Client IP Address: 10.103.255.11
Authentication Details:
Proxy Policy Name: NAP 802.1X (Wired)
Network Policy Name: Stage1 IVC NAP 802.1X (Wired) Noncompliant
Authentication Provider: -
Authentication Server: DVGD-NAP-01.dvgd.oao.rzd
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: -
Extended-Result: -
Session Identifier: {267DFC68-0D33-48B0-93B7-AED4B8054FE0} - 2010-04-21 22:40:56.784Z
Help URL: -
System Health Validator Result(s):
Windows Security Health Validator"
And this is the nap client state for Windows XP SP3 with disabled antivirus:
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Да
Failure category = Отсутствует
Remediation state = Не удалось выполнить обновление
Remediation percentage = 0
Fixup Message = (3237937215) - The Windows Security Health Agent cannot update the security state of this computer.
Compliance results = (0x00000000) -
(0xC0FF0047) - A third-party system health component is not enabled.
(0xC0FF0048) - The signatures for a particular third-party system health component are not up to date.
(0x00000000) -
(0x00000000) -
(0x00000000) -
Remediation results = (0xC0FF004A) - A third-party antivirus product is not enabled. Windows cannot enable the antivirus product automatically. An administrator must enable the antivirus product manually.
(0xC0FF004C) - The signatures for a particular third-party antivirus product are not up to date. An administrator must update the antiv
NPS event log for Windows XP SP3:
"Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: DVGD\IVC-VCL-MOBIL1$
Account Name: host/IVC-VCL-mobil1.dvgd.oao.rzd
Account Domain: DVGD
Fully Qualified Account Name: DVGD\IVC-VCL-MOBIL1$
Client Machine:
Security ID: NULL SID
Account Name: IVC-VCL-mobil1.dvgd.oao.rzd
Fully Qualified Account Name: DVGD\IVC-VCL-MOBIL1$
OS-Version: 5.1.2600 3.0 x86
Called Station Identifier: 00-0F-34-15-06-14
Calling Station Identifier: 00-16-36-5E-D1-62
NAS:
NAS IPv4 Address: 10.103.255.11
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: -
NAS Port: 50305
RADIUS Client:
Client Friendly Name: ivc-225-c6506
Client IP Address: 10.103.255.11
Authentication Details:
Proxy Policy Name: NAP 802.1X (Wired)
Network Policy Name: Stage1 IVC NAP 802.1X (Wired) Noncompliant
Authentication Provider: -
Authentication Server: DVGD-NAP-01.dvgd.oao.rzd
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: -
Extended-Result: -
Session Identifier: {049C2428-A212-4D14-9E9F-B15041F29071} - 2010-04-21 23:42:16.458Z
Help URL: -
System Health Validator Result(s):
Windows Security Health Validator"
Is it possible to trace on the NPS server which Compliance Results are returned from the nap agent in the EAP session?
Regards, Dmitry.
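As an added example (not code from this thread or from Dmitry's reporting tool), the following Python parser reads the fields of a 6276/6278 event body and the 'netsh nap client show state' output quoted above, flags the empty WSHV section, and checks the number of compliance values against the per-OS counts Greg gives (six on XP, eight on Vista/7). The sample strings are constructed from the quoted output; the function names are this example's own.

```python
import re

# Constructed sample: the fields this parser reads from an NPS event 6278
# body as quoted in the thread (remaining fields omitted).
SAMPLE_EVENT = """OS-Version: 5.1.2600 3.0 x86
Network Policy Name: Stage1 IVC NAP 802.1X (Wired) Noncompliant
System Health Validator Result(s):
Windows Security Health Validator
"""
# Constructed sample of 'netsh nap client show state' from the XP SP3 client.
SAMPLE_NETSH = """Compliance results = (0x00000000) -
(0xC0FF0047) - A third-party system health component is not enabled.
(0xC0FF0048) - The signatures for a particular third-party system health component are not up to date.
(0x00000000) -
(0x00000000) -
(0x00000000) -Remediation results = (0xC0FF004A) - A third-party antivirus product is not enabled.
"""

def expected_compliance_count(os_version):
    """Six WSHA compliance values on XP (5.x); Vista/7 (6.x) add two antimalware checks."""
    return 6 if int(os_version.split(".")[0]) < 6 else 8

def parse_event(text):
    """Return (os_version, policy_name, wshv_details) from a 6276/6278 event body."""
    os_ver = re.search(r"OS-Version:\s*(\S+)", text).group(1)
    policy = re.search(r"Network Policy Name:\s*(.+)", text).group(1).strip()
    # Whatever follows the validator name is the WSHV detail text; on the
    # affected servers (non-English locale) it is empty.
    m = re.search(r"Windows Security Health Validator\s*(.*)", text, re.S)
    return os_ver, policy, (m.group(1).strip() if m else "")

def parse_compliance_results(text):
    """Return [(code, message)] from the block between 'Compliance results' and 'Remediation results'."""
    block = text.split("Compliance results =", 1)[1].split("Remediation results", 1)[0]
    pairs = re.findall(r"\((0x[0-9A-Fa-f]{8})\)\s*-\s*([^\n(]*)", block)
    return [(int(code, 16), msg.strip()) for code, msg in pairs]

def check(event_text, netsh_text):
    """Cross-check the NPS event against the client's own SHA state."""
    os_ver, policy, details = parse_event(event_text)
    findings = []
    if not details:
        findings.append("WSHV result is empty in the NPS event; use client-side state")
    results = parse_compliance_results(netsh_text)
    want = expected_compliance_count(os_ver)
    if len(results) != want:
        findings.append(f"expected {want} compliance values for {os_ver}, got {len(results)}")
    # Codes with the high bit set (0xC0FF....) are failures; 0x00000000 is compliant.
    failures = [(hex(code), msg) for code, msg in results if code & 0x80000000]
    return {"policy": policy, "failures": failures, "findings": findings}
```

Run against the two samples, check() reports the empty WSHV section and lists the two 0xC0FF.... failure codes from the client side, which is the information the reporting tool could not get from the event itself.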
-
Hi Greg,
Thank you so much. I'm afraid we will not be able to upgrade to 2008 R2 this year. Changing the system locale on Windows Server 2008 SP2 resolved the issue. Now we can finish our reporting tool and continue on implementing NAP in our enterprise.
Thanks again for your support.
Kind regards,
Dmitry

