HRA: The Health Registration Authority (HRA) server should have all required Internet Information Services (IIS) components installed

Updated: March 29, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2012, Windows Server 2008 R2

Product/Feature: Health Registration Authority (HRA)

Severity: Error

Category: BPA Prerequisite

Issue

Required Internet Information Services (IIS) components are not installed on the Health Registration Authority (HRA) server.

Impact

The Health Registration Authority (HRA) server cannot process health certificate requests. Network Access Protection (NAP) client computers are denied network access.

Resolution

Reinstall the Health Registration Authority (HRA) role service and all dependent roles and role features.

HRA is a component of a NAP infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement. HRA obtains health certificates on behalf of NAP clients when they are determined to be compliant with network health requirements. IIS Web sites are used by HRA to process client health certificate requests.

Two Web sites can be created on your HRA server, depending on the choices you make during the installation of HRA. These sites are used by HRA to process domain-authenticated or anonymous health certificate requests. After installation, no additional configuration of these Web sites is required. However, if IIS is not running or is not correctly configured, HRA might not be able to issue health certificates.

You can use the following procedure to verify that IIS is running and configured correctly on your HRA server.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To verify availability of DomainHRA and NonDomainHRA Web sites

  1. Click Start, click Administrative Tools, and then click Services.

  2. In the Services window, verify that the World Wide Web Publishing Service is Started and that its Startup Type is set to Automatic.

  3. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  4. In the Internet Information Services (IIS) Manager window, double-click the computer name of your HRA server.

  5. Double-click Web Sites, and then double-click Default Web Site.

  6. If you chose to allow anonymous requests for health certificates during the installation of HRA, verify that both the DomainHRA and NonDomainHRA Web sites are displayed.

  7. If you chose to require requestors to be authenticated as members of a domain during the installation of HRA, verify that only the DomainHRA Web site is displayed.

  8. Click DomainHRA, and then double-click Authentication. Verify that only Windows Authentication is enabled.

  9. If the NonDomainHRA Web site is installed, click NonDomainHRA, and then double-click Authentication. Verify that only Anonymous Authentication is enabled.

  10. Click the computer name of your HRA server, and then double-click ISAPI and CGI Restrictions. Verify that the hcsrvext.dll extension is set to Allowed.
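
The checks in the procedure above can also be run from PowerShell on the HRA server. The following read-only script is an added example, not part of the original topic or of Microsoft's tooling; the function name Test-HraIis and its parameter are hypothetical, and it assumes DomainHRA and NonDomainHRA sit under Default Web Site as step 5 indicates.

```powershell
# Added example: read-only, scripted form of steps 1-10. Run elevated on the HRA server.
# Assumption: DomainHRA/NonDomainHRA are children of "Default Web Site" (step 5).
Import-Module WebAdministration

function Test-HraIis {                        # hypothetical helper name
    param([bool]$AnonymousAllowed = $false)   # the choice made when HRA was installed
    $root = 'IIS:\Sites\Default Web Site'
    $auth = '/system.webServer/security/authentication'
    $out  = @()

    # Steps 1-2: World Wide Web Publishing Service (W3SVC) started, startup Automatic
    $svc = Get-WmiObject Win32_Service -Filter "Name='W3SVC'"
    $out += New-Object PSObject -Property @{ Check = 'W3SVC started and Automatic'
        Pass = [bool]($svc -and $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto') }

    # Steps 6-7: DomainHRA always; NonDomainHRA only when anonymous requests are allowed
    $hasNonDomain = Test-Path "$root\NonDomainHRA"
    $out += New-Object PSObject -Property @{ Check = 'Expected HRA sites displayed'
        Pass = ((Test-Path "$root\DomainHRA") -and ($hasNonDomain -eq $AnonymousAllowed)) }

    # Steps 8-9: of the IIS anonymous/basic/digest/Windows methods, only the expected one is on
    $expected = @{ DomainHRA = 'windowsAuthentication' }
    if ($hasNonDomain) { $expected['NonDomainHRA'] = 'anonymousAuthentication' }
    foreach ($site in $expected.Keys) {
        $on = @('anonymousAuthentication', 'basicAuthentication',
                'digestAuthentication', 'windowsAuthentication' | Where-Object {
            $s = Get-WebConfiguration -PSPath "$root\$site" -Filter "$auth/$_" -ErrorAction SilentlyContinue
            $s -and $s.enabled })
        $out += New-Object PSObject -Property @{ Check = "$site allows only $($expected[$site])"
            Pass = ($on.Count -eq 1 -and $on[0] -eq $expected[$site]) }
    }

    # Step 10: hcsrvext.dll is Allowed under ISAPI and CGI Restrictions (server level)
    $dll = Get-WebConfiguration -PSPath 'IIS:\' -Filter '/system.webServer/security/isapiCgiRestriction/add' |
        Where-Object { $_.path -like '*hcsrvext.dll*' -and $_.allowed }
    $out += New-Object PSObject -Property @{ Check = 'hcsrvext.dll set to Allowed'; Pass = [bool]$dll }

    $out | Select-Object Check, Pass
}

# Pass $true instead if anonymous health certificate requests were allowed at install time.
Test-HraIis -AnonymousAllowed $false | Format-Table -AutoSize
```

Any row with Pass set to False corresponds to the matching step in the procedure and should be rechecked in IIS Manager before reinstalling the role service.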

Important

If anonymous health certificate requests are enabled, you must not configure the NonDomainHRA Web site URL with a higher processing order than the DomainHRA Web site in trusted server group settings on NAP client computers. This can cause NAP clients that are domain members to obtain health certificates that are incompatible with domain authentication requirements used in IPsec-protected communications.

Additional references

For more information about IIS, see https://go.microsoft.com/fwlink/?LinkId=94386.

For more information about HRA authentication requirements, see Understanding HRA Authentication Requirements (https://go.microsoft.com/fwlink/?LinkID=171032).