Windows Security Health Validator result contains no information

    Question

  • Hello,

    We are implementing NAP in Reporting mode with 802.1x enforcement in a controlled environment with a limited number of production clients. We configured a Cisco Catalyst switch and an NPS server according to the step-by-step guide from Microsoft ('NAP_802.1X_StepByStep.doc'). Network access is granted to each supplicant according to the configured network policy, as it is supposed to be.

    During development of a NAP reporting tool we faced a problem with retrieving Windows System Health Validator results. Both events 6276 and 6278 in the NPS event log contain an empty string in the WSHV details section. There is also no information on this in the local log files or the SQL database. However, it was stated in the post “Debugging NAP Errors (part 1)” (http://blogs.technet.com/nap/archive/2008/02/19/debugging-nap-errors-part-1.aspx) that the WSHV section should contain information about the nap client validation results, either for full or quarantine access.

    Here is the content of event ID 6278 we have in the NPS event log. A policy for non-compliant clients was applied (the client's antivirus software was manually disabled). Since NPS is configured to run in Reporting mode, the client gets full network access:
     “User:
     Security ID:   DVGD\IVC-VCL-MOBIL1$
     Account Name:   host/IVC-VCL-mobil1.dvgd.oao.rzd
     Account Domain:   DVGD
     Fully Qualified Account Name: DVGD\IVC-VCL-MOBIL1$

    Client Machine:
     Security ID:   NULL SID
     Account Name:   IVC-VCL-mobil1.dvgd.oao.rzd
     Fully Qualified Account Name: DVGD\IVC-VCL-MOBIL1$
     OS-Version:   5.1.2600 3.0 x86
     Called Station Identifier:  -
     Calling Station Identifier:  00-16-36-5e-d1-62

    NAS:
     NAS IPv4 Address:  10.103.254.29
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   -
     NAS Port:   203

    RADIUS Client:
     Client Friendly Name:  ivc-225-c4003
     Client IP Address:   10.103.254.29

    Authentication Details:
     Proxy Policy Name:  NAP 802.1X (Wired)
     Network Policy Name:  Stage1 IVC NAP 802.1X (Wired) Noncompliant
     Authentication Provider:  -
     Authentication Server:  DVGD-NAP-01.dvgd.oao.rzd
     Authentication Type:  PEAP
     EAP Type:   Microsoft: Secured password (EAP-MSCHAP v2)
     Account Session Identifier:  -

    Quarantine Information:
     Result:    -
     Extended-Result:   -
     Session Identifier:   {049C2428-A212-4D14-9E9F-B15041F29071} - 2010-02-09 03:40:51.828Z
     Help URL:   -
     System Health Validator Result(s): 
    Windows Security Health Validator

     

    However, the nap client on the supplicant returns a detailed report of the system’s state of health (netsh nap client show state):
    System health agent (SHA) state:
    “----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent

    Description            = The Windows Security Health Agent monitors security settings on your computer.

    Version                = 1.0

    Vendor name            = Microsoft Corporation

    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Could not update
    Remediation percentage = 0
    Fixup Message          = (3237937215) - The Windows Security Health Agent cannot update the security state of this computer.

    Compliance results     = (0x00000000) -
                             (0xC0FF0047) - A third-party system health component is not enabled.
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -

    Remediation results    = (0xC0FF004A) - A third-party antivirus product is not enabled. Windows cannot enable the antivirus product automatically. An administrator must enable the antivirus product manually.”

    Below is the trace log on the NPS server (IASNAP.LOG) for that request:
    [6472] 02-08 10:53:35:331: The request comes from NAS type 0
    [6472] 02-08 10:53:35:332: Applying CRP policy:NAP 802.1X (Wired)
    [7500] 02-08 10:53:40:434: The request comes from NAS type 0
    [7500] 02-08 10:53:40:434: Applying CRP policy:NAP 802.1X (Wired)
    [6472] 02-08 10:53:41:071: The request comes from NAS type 0
    [6472] 02-08 10:53:41:071: Applying CRP policy:NAP 802.1X (Wired)
    [7500] 02-08 10:53:41:723: The request comes from NAS type 0
    [7500] 02-08 10:53:41:723: Applying CRP policy:NAP 802.1X (Wired)
    [6472] 02-08 10:53:42:675: The request comes from NAS type 0
    [6472] 02-08 10:53:42:675: Applying CRP policy:NAP 802.1X (Wired)
    [7500] 02-08 10:53:43:632: The request comes from NAS type 0
    [7500] 02-08 10:53:43:632: Applying CRP policy:NAP 802.1X (Wired)
    [6472] 02-08 10:53:44:273: The request comes from NAS type 0
    [6472] 02-08 10:53:44:317: Applying CRP policy:NAP 802.1X (Wired)
    [7500] 02-08 10:53:45:213: The request comes from NAS type 0
    [7500] 02-08 10:53:45:213: Applying CRP policy:NAP 802.1X (Wired)
    [6472] 02-08 10:53:46:172: The request comes from NAS type 0
    [6472] 02-08 10:53:46:172: Applying CRP policy:NAP 802.1X (Wired)
    [7500] 02-08 10:53:47:775: The request comes from NAS type 0
    [7500] 02-08 10:53:47:776: Applying CRP policy:NAP 802.1X (Wired)
    [6472] 02-08 10:53:48:407: The request comes from NAS type 0
    [6472] 02-08 10:53:48:407: Applying CRP policy:NAP 802.1X (Wired)
    [7500] 02-08 10:53:49:356: The request comes from NAS type 0
    [7500] 02-08 10:53:49:356: Applying CRP policy:NAP 802.1X (Wired)
    [7500] 02-08 10:53:49:359: The SoH will be evaluated against the following Shvs
    [7500] 02-08 10:53:49:359: SHV Id : 79744
    [7500] 02-08 10:53:49:359: Quarantine evaluation will complete asynchronously
    [7112] 02-08 10:53:49:365: Total SHV results = 1
    [7112] 02-08 10:53:49:366: SHV Id = 79744,Compliance = 0,Extended State = 0,FailureCategory = 0,ResponseTimeInMsec = 4,ComplianceResultCount = 6
    [7112] 02-08 10:53:49:366: Quarantine evaluation async call succeeded
    [7112] 02-08 10:53:49:366: The request comes from NAS type 0
    [7112] 02-08 10:53:49:366: Applying RAP policy:Stage1 IVC NAP 802.1X (Wired) Noncompliant
    [7112] 02-08 10:53:49:366: Auto-generation of Session-Timeout is disabled.
    [7112] 02-08 10:53:49:366: The request is given quarantine state 0
    [7112] 02-08 10:53:49:366: Setting isolationStateNotRestricted on Shv
    [7112] 02-08 10:53:49:366: The SoHR will be calculated based on the following Shvs
    [7112] 02-08 10:53:49:366: SHV Id : 79744
    [7112] 02-08 10:53:49:366: Using MS_ATTRIBUTE_QUARANTINE_SOH for soh response (MS_ATTRIBUTE_EAP_TLV usage for SoH is discontinued)
    [7112] 02-08 10:53:49:366: Inserted SOH response attribute of length = 206
    [7112] 02-08 10:53:49:366: Insert Machine-Name attribute
    [6472] 02-08 10:53:50:303: The request comes from NAS type 0
    [6472] 02-08 10:53:50:303: Applying CRP policy:NAP 802.1X (Wired)
    [7860] 02-08 10:53:50:872: The request comes from NAS type 0
    [7860] 02-08 10:53:50:872: Applying CRP policy:NAP 802.1X (Wired)

    NPS OS version: Windows Server 2008 Standard 6.0.6002 Service Pack 2 Build 6002. Client OS version: Windows XP SP3, Windows 7.

    I have searched all over the Internet and MS NAP forum and couldn’t find any helpful information on this problem.

    Could you please help us with troubleshooting this issue?

    Kind regards,
    Dmitry

    Wednesday, February 10, 2010 7:18 AM


All replies

  • Hi,

    I apologize for the delay in answering this question. I only discovered it today when searching for unanswered questions.

    You said you are developing a reporting tool. Are you using NPS events, or NPS logging files for this? Also please let me know if there are any updates to the issue.

    Thanks,

    -Greg 

    Friday, March 19, 2010 10:12 PM
    Owner
  • Hi Greg,

    Thank you for your response.

    NPS logs are written both in logging files and local SQL server database. SQL logs are gathered in a central SQL database. Our reporting tool uses that central database to parse NPS event entries.

    I have checked NPS messages in the logging files, in the database records and in the NPS events on the NPS server. There is no information on the nap client state.

    Also, we managed to reproduce the issue in a lab environment. For that we used a single Windows Server 2008 SP2 with the AD+DHCP+NPS roles installed and a Windows XP SP3 nap client.

    We requested our official Microsoft representative to post this issue to the Partner Online Technical Community on 19 February 2010. There was an answer that this is a product issue with the NPS event and that a fix was being developed. There haven't been any updates on the issue till now.

    Kind regards,

    Dmitry

    Thursday, March 25, 2010 8:03 AM
  • Hi Dmitry,

    It sounds like you have found a bug with XP SP3, but that certainly isn't good news. I assume this doesn't occur if the client is Vista or Windows 7.

    One thing that doesn't make sense to me is that there seems to be the incorrect number of compliance values listed for an XP computer. There are eight when there should be six.

    Compliance results     =

    (0x00000000) -
    (0xC0FF0047) - A third-party system health component is not enabled.
    (0x00000000) -
    (0x00000000) -
    (0x00000000) -
    (0x00000000) -
    (0x00000000) -
    (0x00000000) -

    This is the correct number for a client that has antimalware (one for the application being on and one for it being up to date). XP does not have Windows Defender or the antimalware check, so it should only have six compliance values.

    -Greg 

     

    Saturday, April 10, 2010 7:05 AM
    Owner
  • Hi Greg,

    We have tried it with Vista and Windows 7 clients too. You are right, WinXP has 6 compliance values. Instead of a WinXP log I put a Windows 7 one. Yesterday I experimented with Windows 7 and Windows XP, and the results are below.

    Here is the nap client state for Windows 7 with disabled antivirus:

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent

    Description            = The Windows Security Health Agent monitors security settings on your computer.

    Version                = 1.0

    Vendor name            = Microsoft Corporation

    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Could not update
    Remediation percentage = 0
    Fixup Message          = (3237937215) - The Windows Security Health Agent cannot update the security state of this computer.

    Compliance results     = (0x00000000) -
                             (0xC0FF0047) - A third-party system health component is not enabled.
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -

    Remediation results    = (0xC0FF004A) - A third-party antivirus product is not enabled. Windows cannot enable the antivirus product automatically. An administrator must enable the antivirus product manually.

    And this is a corresponding event on the NPS server for that client

    "Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
    Security ID: DVGD\IVC-PatrinDA$
    Account Name: host/IVC-PatrinDA.dvgd.oao.rzd
    Account Domain: DVGD
    Fully Qualified Account Name: DVGD\IVC-PatrinDA$
    Client Machine:
    Security ID: NULL SID
    Account Name: IVC-PatrinDA.dvgd.oao.rzd
    Fully Qualified Account Name: DVGD\IVC-PatrinDA$
    OS-Version: 6.1.7600 0.0 x86
    Called Station Identifier: 00-0F-34-15-06-16
    Calling Station Identifier: 00-30-05-AB-9C-38
    NAS:
    NAS IPv4 Address: 10.103.255.11
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: -
    NAS Port: 50307
    RADIUS Client:
    Client Friendly Name: ivc-225-c6506
    Client IP Address: 10.103.255.11
    Authentication Details:
    Proxy Policy Name: NAP 802.1X (Wired)
    Network Policy Name: Stage1 IVC NAP 802.1X (Wired) Noncompliant
    Authentication Provider: -
    Authentication Server: DVGD-NAP-01.dvgd.oao.rzd
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: -
    Quarantine Information:
    Result: -
    Extended-Result: -
    Session Identifier: {267DFC68-0D33-48B0-93B7-AED4B8054FE0} - 2010-04-21 22:40:56.784Z
    Help URL: -
    System Health Validator Result(s):

    Windows Security Health Validator


    "

    And this is a nap client state for Windows XP SP3 with disabled antivirus:

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent

    Description            = The Windows Security Health Agent monitors security settings on your computer

    Version                = 1.0

    Vendor name            = Microsoft Corporation

    Registration date      =
    Initialized            = Да
    Failure category       = Отсутствует
    Remediation state      = Не удалось выполнить обновление
    Remediation percentage = 0
    Fixup Message          = (3237937215) - The Windows Security Health Agent cannot update the security state of this computer.

    Compliance results     = (0x00000000) -
                             (0xC0FF0047) - A third-party system health component is not enabled.
                             (0xC0FF0048) - The signatures for a particular third-party system health component are not up to date.
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -

    Remediation results    = (0xC0FF004A) - A third-party antivirus product is not enabled. Windows cannot enable the antivirus product automatically. An administrator must enable the antivirus product manually.
                             (0xC0FF004C) - The signatures for a particular third-party antivirus product are not up to date. An administrator must update the antiv


    NPS Event log for Windows XP SP3:

    "Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
     Security ID:   DVGD\IVC-VCL-MOBIL1$
     Account Name:   host/IVC-VCL-mobil1.dvgd.oao.rzd
     Account Domain:   DVGD
     Fully Qualified Account Name: DVGD\IVC-VCL-MOBIL1$

    Client Machine:
     Security ID:   NULL SID
     Account Name:   IVC-VCL-mobil1.dvgd.oao.rzd
     Fully Qualified Account Name: DVGD\IVC-VCL-MOBIL1$
     OS-Version:   5.1.2600 3.0 x86
     Called Station Identifier:  00-0F-34-15-06-14
     Calling Station Identifier:  00-16-36-5E-D1-62

    NAS:
     NAS IPv4 Address:  10.103.255.11
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   -
     NAS Port:   50305

    RADIUS Client:
     Client Friendly Name:  ivc-225-c6506
     Client IP Address:   10.103.255.11

    Authentication Details:
     Proxy Policy Name:  NAP 802.1X (Wired)
     Network Policy Name:  Stage1 IVC NAP 802.1X (Wired) Noncompliant
     Authentication Provider:  -
     Authentication Server:  DVGD-NAP-01.dvgd.oao.rzd
     Authentication Type:  PEAP
     EAP Type:   Microsoft: Secured password (EAP-MSCHAP v2)
     Account Session Identifier:  -

    Quarantine Information:
     Result:    -
     Extended-Result:   -
     Session Identifier:   {049C2428-A212-4D14-9E9F-B15041F29071} - 2010-04-21 23:42:16.458Z
     Help URL:   -
     System Health Validator Result(s): 
    Windows Security Health Validator

     
    "

    Is it possible to trace on the NPS server which Compliance Results are returned from nap agent in EAP session?

    Regards, Dmitry.

    Wednesday, April 21, 2010 11:54 PM
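    As an added example (not code from this thread, from Microsoft, or from Dmitry's tool), a Python sketch of the consistency checks a reporting tool could run over an NPS event body, the client's "netsh nap client show state" output and the IASNAP.LOG SHV trace line, covering both the empty validator section described in the question and Greg's expected compliance-value counts (six on XP, eight on Vista/7). The sample records are constructed and abbreviated, and the regular expressions assume the field layouts quoted in this thread.

```python
import re

# Constructed samples, abbreviated from the records quoted in this thread.
EVENT_XP = """Client Machine:
 Security ID:   NULL SID
 OS-Version:   5.1.2600 3.0 x86
Quarantine Information:
 Result:    -
 System Health Validator Result(s):
Windows Security Health Validator

"""
NETSH_XP = """Compliance results     = (0x00000000) -
                         (0xC0FF0047) - A third-party system health component is not enabled.
                         (0xC0FF0048) - The signatures for a particular third-party system health component are not up to date.
                         (0x00000000) -
                         (0x00000000) -
                         (0x00000000) -

Remediation results    = (0xC0FF004A) - A third-party antivirus product is not enabled.
"""
IASNAP_XP = ("[7112] 02-08 10:53:49:366: SHV Id = 79744,Compliance = 0,Extended State = 0,"
             "FailureCategory = 0,ResponseTimeInMsec = 4,ComplianceResultCount = 6")

def event_os_major(event):
    """Major OS version from the event's 'OS-Version:' line (5 = XP, 6 = Vista/7)."""
    m = re.search(r"^\s*OS-Version:\s*(\d+)\.", event, re.M)
    return int(m.group(1)) if m else None

def shv_results(event):
    """Text after 'System Health Validator Result(s):' as {shv name: detail lines};
    NPS prints the SHV name on its own line and the details on the lines below."""
    _, _, tail = event.partition("System Health Validator Result(s):")
    lines = [ln.strip() for ln in tail.splitlines() if ln.strip()]
    return {lines[0]: lines[1:]} if lines else {}

def compliance_results(netsh):
    """(code, message) pairs from the 'Compliance results' block of netsh nap client show state."""
    block = netsh.split("Compliance results")[1].split("Remediation results")[0]
    return [(int(c, 16), m.strip()) for c, m in re.findall(r"\(0x([0-9A-Fa-f]{8})\)[ \t]*-[ \t]*(.*)", block)]

def iasnap_shv_fields(line):
    """Integer key/value pairs from an IASNAP.LOG 'SHV Id = ...' trace line."""
    body = line.split(": ", 1)[1]
    return {k.strip(): int(v) for k, v in re.findall(r"([A-Za-z ]+?)\s*=\s*(\d+)", body)}

def audit(event, netsh, iasnap_line):
    """Findings a reporting tool would raise for one client; an empty list means consistent."""
    findings = []
    for name, details in shv_results(event).items():
        if not details:
            findings.append(f"{name}: event carries no validator details (the locale bug symptom)")
    results = compliance_results(netsh)
    expected = 6 if (event_os_major(event) or 6) < 6 else 8  # XP lacks the antimalware pair
    if len(results) != expected:
        findings.append(f"{len(results)} compliance values, expected {expected} for this OS")
    if iasnap_shv_fields(iasnap_line).get("ComplianceResultCount") != len(results):
        findings.append("IASNAP.LOG ComplianceResultCount disagrees with the client state")
    findings += [f"failing compliance check 0x{c:08X}" for c, _ in results if c != 0]
    return findings
```

Running audit() on the constructed XP records flags only the empty validator section and the two non-zero compliance codes; the same event with a 6.1 OS-Version would additionally be flagged for carrying six values where eight are expected.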
  • Hi Dmitry,

    I found out that this is a bug when the locale on NPS is not English. There is a workaround - you must set the locale to English. I will continue to investigate if this bug will be fixed for NPS 2008 SP2. I think another possible solution is to upgrade NPS to 2008 R2.

    -Greg

    • Marked as answer by Dmitry Patrin Friday, April 30, 2010 4:02 AM
    Wednesday, April 28, 2010 8:55 PM
    Owner
  • Hi Greg,

    Thank you so much. I'm afraid we will not be able to upgrade to 2008 R2 this year. Changing the system locale on Windows Server 2008 SP2 resolved the issue. Now we can finish our reporting tool and continue implementing NAP in our enterprise.

    Thanks again for your support

    Kind regards,

    Dmitry

    Friday, April 30, 2010 3:58 AM