Fixing Health Certificate Problems
Updated: March 29, 2012
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
This section describes and provides solutions for problems that might occur with health certificates when you use Network Access Protection (NAP) with the Internet Protocol security (IPsec) enforcement method.
When you use NAP with IPsec enforcement, health certificates are issued to compliant NAP client computers. NAP client computers request health certificates from a Health Registration Authority (HRA) server. If the NAP client computer is determined to be compliant with health requirements, the HRA acquires a health certificate from a NAP certification authority (CA) on behalf of the client computer. Configuration of HRA and the NAP CA differs slightly, depending on whether the NAP CA is an enterprise CA or a standalone CA.
The following is a list of known problems and solutions associated with health certificates in a NAP deployment. Problems and solutions that might be interrelated are noted and linked if needed. Problems that have more than one possible root cause are noted and have more than one proposed solution. Choose the problem that best describes your situation, and then complete the procedures for the suggested fix. This list will be continuously updated as new problems and solutions are found.
Client Computer Failed to Acquire a Certificate
Client Computer Failed to Locate an HRA
NAP CA Denied the Request
Health Certificate Validity Period Is Not Enforced
HRA Was Unable to Remove Expired Records from the NAP CA