Event ID 20 — Local Request Processing

Applies To: Windows Server 2008

Health Registration Authority (HRA) uses an HTTP/HTTPS interface to read and process Network Access Protection (NAP) client health certificate requests. This interface can be configured with custom settings, called request policy, that require NAP client computers to use specified security methods when communicating with HRA.

By default, HRA is configured to allow client computers to use any of the available request policy methods. You can also specify custom settings. If you configure a custom request policy on HRA, you must ensure that NAP clients use these security methods to request health certificates.

Event Details

Product: Windows Operating System
ID: 20
Source: HRA
Version: 6.0
Symbolic Name: HRA_ERROR_BAD_CERT_REQUEST
Message: The Health Registration Authority failed to validate the cert request against the configuration. The Health Registration Authority denied the request with the correlation-id %1 at %2 (principal: %3) because it did not satisfy the cryptographic policy (%4). Discarding the request.

Resolve

Configure cryptographic policy settings

This error condition indicates that HRA is configured to require cryptographic settings that are not in use by NAP client computers. Review cryptographic settings on the HRA server and NAP client computers, and check that NAP clients comply with cryptographic policies on HRA.

You can modify client settings to match requirements on HRA, or configure HRA to require settings in use on NAP client computers. To allow NAP clients to use any available cryptographic method, reset cryptographic policy on HRA to the default settings. To configure NAP clients to use the default cryptographic methods, reset the client settings.

Important: NAP client cryptographic settings can be configured in both local computer policy and Group Policy. If NAP client Group Policy settings are configured, these settings will override the local computer policy settings.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Review cryptographic policy on client computers

To review cryptographic policy settings on NAP client computers:

  1. On a NAP client computer, click Start.
  2. Point to All Programs, click Accessories, and then click Command Prompt.
  3. If NAP client configuration is determined by local computer policy, type netsh nap client show configuration, and then press ENTER.
  4. If NAP client configuration is determined by Group Policy, type netsh nap client show grouppolicy, and then press ENTER.
  5. Under NAP client configuration, record the values next to Cryptographic service provider (CSP) and Hash algorithm.

Configure cryptographic policy on client computers

To configure cryptographic policy settings on NAP client computers using local computer policy:

  1. On a NAP client computer, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. In the command window, type netsh nap client show csp, and then press ENTER.
  3. In the command output, under Available cryptographic service providers (CSPs), record the names of the allowed CSPs.
  4. In the command window, type netsh nap client set csp = "cspname" keylength = "number", and then press ENTER. The values of cspname and number correspond to the CSP name and length of the asymmetric key, respectively. Keylength is optional and, by default, set to 2048.
  5. In the command window, type netsh nap client show hash, and then press ENTER.
  6. In the command output, under Available hash algorithms, record the values in the OID column.
  7. In the command window, type netsh nap client set hash oid = "hashoid", and then press ENTER. The value of hashoid corresponds to one of the available OID values.

To reset NAP clients to the default local computer cryptographic policy settings:

  1. On a NAP client computer, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. In the command window, type netsh nap client reset csp, and then press ENTER.
  3. In the command window, type netsh nap client reset hash, and then press ENTER.
  4. Confirm that each command completed successfully.

To configure cryptographic policy settings on NAP client computers using Group Policy:

  1. On a computer with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and then press ENTER.
  2. In the Group Policy Management console tree, right-click Default Domain Policy, or the Group Policy object you want to configure, and then click Edit.
  3. In the Group Policy Management Editor console tree, navigate to Computer Configuration\Windows Settings\Network Access Protection\NAP Client Configuration\Health Registration Settings\Request Policy.
  4. In the details pane, right-click Hash Algorithm, and then click Properties.
  5. In the Hash Algorithm Properties window, choose a hash algorithm from the drop-down list, and then click OK. The default hash algorithm is sha1RSA (1.3.14.3.2.29).
  6. In the details pane, right-click Cryptographic Service Provider, and then click Properties.
  7. In the Cryptographic Service Provider Properties window, choose the CSP from the drop-down list.
  8. Under Key Length, enter the desired key length for this CSP, and then click OK. The default CSP is Microsoft RSA SChannel Cryptographic Provider with a key length of 2048.
  9. Close the Group Policy Management Editor console.
  10. When you are prompted to apply the new settings, click Yes.

Review cryptographic policy on HRA

To review cryptographic policy on HRA:

  1. On the computer where HRA is installed, click Start.
  2. Right-click Command Prompt, and then click Run as Administrator.
  3. In the command window, type netsh nap hra show configuration, and then press ENTER.
  4. Record the output under Allowed cryptographic service providers (CSPs), Allowed hash algorithms, and Allowed asymmetric key algorithms.
  5. If a section listed in the previous step is not present in the configuration output, then HRA is using the default settings, which allow any available cryptographic method.

Configure cryptographic policy on HRA

To configure cryptographic policy settings on HRA:

  1. On the computer where HRA is installed, click Start.
  2. Right-click Command Prompt, and then click Run as Administrator.
  3. To configure asymmetric keys, type netsh nap hra add asymmetrickey oid = "oid1" minkeylength = "min1" maxkeylength = "max1", and then press ENTER. The values of oid1, min1, and max1 correspond to the desired asymmetric key object identifier, minimum key length, and maximum key length, respectively.
  4. To configure cryptographic service providers, type netsh nap hra add csp name = "cspname", and then press ENTER. The value of cspname corresponds to the cryptographic service provider.
  5. To configure hash algorithms, type netsh nap hra add hash oid = "oid1", and then press ENTER. The value of oid1 corresponds to the hash algorithm object identifier.
  6. Confirm that each command completed successfully.

To reset HRA to use the default cryptographic policy settings:

  1. On the computer where HRA is installed, click Start.
  2. Right-click Command Prompt, and then click Run as Administrator.
  3. In the command window, type netsh nap hra reset asymmetrickey, and then press ENTER.
  4. In the command window, type netsh nap hra reset csp, and then press ENTER.
  5. In the command window, type netsh nap hra reset hash, and then press ENTER.
  6. Confirm that each command completed successfully.

Verify

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To verify that the HRA service is configured to process client certificate requests:

  1. On a NAP client computer that is configured to use the current HRA, open a command prompt.
  2. In the command window, type netsh nap client show configuration, and then press ENTER.
  3. In the command output, under NAP client configuration, record the values next to Cryptographic service provider (CSP) and Hash algorithm.
  4. On the computer where HRA is installed, click Start, and then click Command Prompt.
  5. In the command window, type netsh nap hra show configuration, and then press ENTER.
  6. In the command output, verify that the following sections are not displayed, or that their values are compatible with the client settings recorded in step 3:
    • Allowed cryptographic service providers (CSPs)
    • Allowed hash algorithms
    • Allowed asymmetric key algorithms
    • Allowed HTTP client user agents
  7. If these sections are not displayed in the command output, then HRA is configured to allow the use of any available client cryptographic and transport policy settings.
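The compatibility check in the verification procedure above, modelled as an added example (not Microsoft's code, and not how HRA is implemented internally): an absent HRA section means "any method allowed", otherwise the client's CSP, hash OID and asymmetric key OID plus key length must fall inside the HRA's allowed sets. The rsaEncryption OID and the sample scenario are assumptions; the defaults come from this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults from this page: sha1RSA hash, Microsoft RSA SChannel CSP, 2048-bit key.
# The RSA key OID is the standard rsaEncryption OID (assumed; the page lists none).
SHA1RSA_OID = "1.3.14.3.2.29"
DEFAULT_CSP = "Microsoft RSA SChannel Cryptographic Provider"
RSA_KEY_OID = "1.2.840.113549.1.1.1"

@dataclass
class ClientPolicy:
    # What 'netsh nap client show configuration' / 'show grouppolicy' reports.
    csp: str = DEFAULT_CSP
    key_length: int = 2048
    hash_oid: str = SHA1RSA_OID
    key_oid: str = RSA_KEY_OID

@dataclass
class KeyRule:
    # One 'netsh nap hra add asymmetrickey oid=... minkeylength=... maxkeylength=...' entry.
    oid: str
    min_key_length: int
    max_key_length: int

@dataclass
class HraPolicy:
    # None models a section that is absent from 'netsh nap hra show configuration',
    # i.e. the HRA default of allowing any available method.
    allowed_csps: Optional[List[str]] = None
    allowed_hash_oids: Optional[List[str]] = None
    allowed_keys: Optional[List[KeyRule]] = None

def check_request(client: ClientPolicy, hra: HraPolicy) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). A non-empty reasons list is the mismatch that
    would surface as Event ID 20 before HRA discards the request."""
    reasons = []
    if hra.allowed_csps is not None and client.csp not in hra.allowed_csps:
        reasons.append(f"CSP not allowed: {client.csp}")
    if hra.allowed_hash_oids is not None and client.hash_oid not in hra.allowed_hash_oids:
        reasons.append(f"hash OID not allowed: {client.hash_oid}")
    if hra.allowed_keys is not None:
        rules = [r for r in hra.allowed_keys if r.oid == client.key_oid]
        if not rules:
            reasons.append(f"asymmetric key OID not allowed: {client.key_oid}")
        elif not any(r.min_key_length <= client.key_length <= r.max_key_length for r in rules):
            reasons.append(f"key length {client.key_length} outside the allowed range")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed scenario: HRA requires 3072..4096-bit RSA keys, but the client
    # still uses the 2048-bit default, so the request is denied.
    strict = HraPolicy(allowed_keys=[KeyRule(RSA_KEY_OID, 3072, 4096)])
    print(check_request(ClientPolicy(), strict))
    print(check_request(ClientPolicy(key_length=4096), strict))
```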
