Client Computer Failed to Acquire a Certificate

Updated: December 10, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

This problem occurs in a deployment of Network Access Protection (NAP) with Internet Protocol security (IPsec) enforcement and can be caused by a variety of issues, including:

There is a configuration problem on Network Policy Server (NPS).
There is a configuration problem on Health Registration Authority (HRA).
There is a configuration problem on the NAP certification authority (CA).
There is a configuration problem on the NAP client computer.

Description of system behavior

The network access of IPsec-enabled NAP client computers that are unable to acquire a health certificate will be restricted if NAP IPsec policies are enforced.

Associated operating system events

NAP client event ID 21: The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The request failed with the error code (%3). This server will not be tried again for %4 minutes. See the HRA administrator for more information.

Root cause diagnosis and resolution

Due to the number of problems that can cause this issue, isolation can be difficult. To troubleshoot this problem, use the events that you observe on the HRA server and the HRA events table provided in the Tools for Troubleshooting NAP topic. In addition, you can use the error code that is provided with event ID 21 to help determine the root cause. For example, an error code of 500 indicates that there is a server-side configuration problem; an error code of 2147954575 indicates a Secure Sockets Layer (SSL) problem. These codes are derived from WinHttp status codes and error codes.

The following table lists the error codes and their associated status or error value.

Error code	Status or Value
100	HTTP_STATUS_CONTINUE
101	HTTP_STATUS_SWITCH_PROTOCOLS
200	HTTP_STATUS_OK
201	HTTP_STATUS_CREATED
202	HTTP_STATUS_ACCEPTED
203	HTTP_STATUS_PARTIAL
204	HTTP_STATUS_NO_CONTENT
205	HTTP_STATUS_RESET_CONTENT
206	HTTP_STATUS_PARTIAL_CONTENT
207	HTTP_STATUS_WEBDAV_MULTI_STATUS
300	HTTP_STATUS_AMBIGUOUS
301	HTTP_STATUS_MOVED
302	HTTP_STATUS_REDIRECT
303	HTTP_STATUS_REDIRECT_METHOD
304	HTTP_STATUS_NOT_MODIFIED
305	HTTP_STATUS_USE_PROXY
307	HTTP_STATUS_REDIRECT_KEEP_VERB
400	HTTP_STATUS_BAD_REQUEST
401	HTTP_STATUS_DENIED
402	HTTP_STATUS_PAYMENT_REQ
403	HTTP_STATUS_FORBIDDEN
404	HTTP_STATUS_NOT_FOUND
405	HTTP_STATUS_BAD_METHOD
406	HTTP_STATUS_NONE_ACCEPTABLE
407	HTTP_STATUS_PROXY_AUTH_REQ
408	HTTP_STATUS_REQUEST_TIMEOUT
409	HTTP_STATUS_CONFLICT
410	HTTP_STATUS_GONE
411	HTTP_STATUS_LENGTH_REQUIRED
412	HTTP_STATUS_PRECOND_FAILED
413	HTTP_STATUS_REQUEST_TOO_LARGE
414	HTTP_STATUS_URI_TOO_LONG
415	HTTP_STATUS_UNSUPPORTED_MEDIA
449	HTTP_STATUS_RETRY_WITH
500	HTTP_STATUS_SERVER_ERROR
501	HTTP_STATUS_NOT_SUPPORTED
502	HTTP_STATUS_BAD_GATEWAY
503	HTTP_STATUS_SERVICE_UNAVAIL
504	HTTP_STATUS_GATEWAY_TIMEOUT
505	HTTP_STATUS_VERSION_NOT_SUP
2147954401	ERROR_WINHTTP_OUT_OF_HANDLES
2147954402	ERROR_WINHTTP_TIMEOUT
2147954404	ERROR_WINHTTP_INTERNAL_ERROR
2147954405	ERROR_WINHTTP_INVALID_URL
2147954406	ERROR_WINHTTP_UNRECOGNIZED_SCHEME
2147954407	ERROR_WINHTTP_NAME_NOT_RESOLVED
2147954409	ERROR_WINHTTP_INVALID_OPTION
2147954411	ERROR_WINHTTP_OPTION_NOT_SETTABLE
2147954412	ERROR_WINHTTP_SHUTDOWN
2147954415	ERROR_WINHTTP_LOGIN_FAILURE
2147954417	ERROR_WINHTTP_OPERATION_CANCELLED
2147954418	ERROR_WINHTTP_INCORRECT_HANDLE_TYPE
2147954419	ERROR_WINHTTP_INCORRECT_HANDLE_STATE
2147954429	ERROR_WINHTTP_CANNOT_CONNECT
2147954430	ERROR_WINHTTP_CONNECTION_ERROR
2147954432	ERROR_WINHTTP_RESEND_REQUEST
2147954437	ERROR_WINHTTP_SECURE_CERT_DATE_INVALID
2147954438	ERROR_WINHTTP_SECURE_CERT_CN_INVALID
2147954444	ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
2147954445	ERROR_WINHTTP_SECURE_INVALID_CA
2147954457	ERROR_WINHTTP_SECURE_CERT_REV_FAILED
2147954500	ERROR_WINHTTP_CANNOT_CALL_BEFORE_OPEN
2147954501	ERROR_WINHTTP_CANNOT_CALL_BEFORE_SEND
2147954502	ERROR_WINHTTP_CANNOT_CALL_AFTER_SEND
2147954503	ERROR_WINHTTP_CANNOT_CALL_AFTER_OPEN
2147954550	ERROR_WINHTTP_HEADER_NOT_FOUND
2147954552	ERROR_WINHTTP_INVALID_SERVER_RESPONSE
2147954553	ERROR_WINHTTP_INVALID_HEADER
2147954554	ERROR_WINHTTP_INVALID_QUERY_REQUEST
2147954555	ERROR_WINHTTP_HEADER_ALREADY_EXISTS
2147954556	ERROR_WINHTTP_REDIRECT_FAILED
2147954557	ERROR_WINHTTP_SECURE_CHANNEL_ERROR
2147954566	ERROR_WINHTTP_BAD_AUTO_PROXY_SCRIPT
2147954567	ERROR_WINHTTP_UNABLE_TO_DOWNLOAD_SCRIPT
2147954569	ERROR_WINHTTP_SECURE_INVALID_CERT
2147954570	ERROR_WINHTTP_SECURE_CERT_REVOKED
2147954572	ERROR_WINHTTP_NOT_INITIALIZED
2147954575	ERROR_WINHTTP_SECURE_FAILURE
2147954578	ERROR_WINHTTP_AUTO_PROXY_SERVICE_ERROR
2147954579	ERROR_WINHTTP_SECURE_CERT_WRONG_USAGE
2147954580	ERROR_WINHTTP_AUTODETECTION_FAILED
2147954581	ERROR_WINHTTP_HEADER_COUNT_EXCEEDED
2147954582	ERROR_WINHTTP_HEADER_SIZE_OVERFLOW
2147954583	ERROR_WINHTTP_CHUNKED_ENCODING_HEADER_SIZE_OVERFLOW
2147954584	ERROR_WINHTTP_RESPONSE_DRAIN_OVERFLOW
2147954585	ERROR_WINHTTP_CLIENT_CERT_NO_PRIVATE_KEY
2147954586	ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY
2147954586	WINHTTP_ERROR_LAST