Configure NAP CA Properties
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Use the following procedures on your NAP certification authorities (CAs) to verify that these servers are correctly configured for use with Health Registration Authority (HRA) and the NAP IPsec enforcement method.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Configure CA security settings and certificate issuance requirements
Use the following procedure to verify that HRA has been granted sufficient permissions on the NAP CA and that the issuing of certificates does not require administrator approval.
Configure CA security settings
CA security settings determine whether HRA has sufficient permissions to issue health certificates. Use the following procedure to verify these permissions on your NAP CAs. This procedure applies to both enterprise and standalone CA servers.
To configure certificate security settings
On the NAP CA, click Start, click Run, type certsrv.msc, and then press ENTER.
Right-click the common name for your CA, and then click Properties.
Click the Security tab.
If your HRA and NAP CA are running on the same computer, click Add, under Enter the object names to select, type NETWORK SERVICE, click OK, and then select Allow permissions for Issue and Manage Certificates, Manage CA, and Request Certificates.
If your HRA and NAP CA are running on different computers, click Add, click Object Types, select Computers, click OK, under Enter the object names to select, type the DNS name of your HRA server, and then select Allow permissions for Issue and Manage Certificates, Manage CA, and Request Certificates.
Click OK, and then close the Certification Authority console.
Configure certificate issuance requirements
In order for NAP client computers to acquire health certificates immediately when they are determined to be compliant with network health requirements, NAP CAs must be configured to issue health certificates automatically. Use the following procedure to verify that certificates are issued automatically. This procedure applies to both enterprise and standalone CA servers.
To configure certificate issuance requirements
Click Start, click Run, type certsrv.msc, and then press ENTER.
Right-click the common name of your CA, and then click Properties.
Click the Policy Module tab, and then click Properties.
Verify that Follow the settings in the certificate template is selected.
Click OK twice, and then close the Certification Authority console.