HRA: The Health Registration Authority (HRA) server should be configured with at least one valid certification authority (CA)

Updated: March 29, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2

Product/Feature

Health Registration Authority (HRA)

Severity

Warning

Category

Configuration

Issue

The Health Registration Authority (HRA) server is not configured with a valid certification authority (CA).

Impact

The Health Registration Authority (HRA) server cannot acquire health certificates on behalf of Network Access Protection (NAP) clients. NAP client computers are denied network access.

Resolution

Configure the Health Registration Authority (HRA) server with at least one valid certification authority (CA).

HRA is a component of a NAP infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement. HRA obtains health certificates on behalf of NAP clients when they are determined to be compliant with network health requirements.

You must configure Health Registration Authority (HRA) with at least one certification authority (CA) from which to request health certificates on behalf of client computers. Certificates are requested when new clients connect to the network or when the health certificate validity period is about to expire on a compliant client computer. Certificates can also be removed and reissued to client computers if their health state changes while they are connected to the network. HRA only requests health certificates from the CA that is configured first in the order, unless that server is unavailable or has been identified as unresponsive.

You can use the following procedure to configure CAs for use with HRA.

Note

Before you perform these procedures, you must install and configure a NAP CA. For more information about installing a NAP CA for use with HRA, see Checklist: Deploy a NAP CA (https://go.microsoft.com/fwlink/?LinkID=177786).

Use this procedure to configure CAs in HRA. You can add or delete CAs, and you can modify their order. You can also specify the number of minutes to wait between requests before identifying a CA as unavailable. If you are using an enterprise CA, you can select the authenticated and anonymous certificate templates to use.

To associate a NAP CA with HRA

  1. On the HRA server, click Start, and then click Run. In the Open box, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, click Health Registration Authority, and then click Add. Select Local computer (the computer on which this console is running), click OK, and then click OK again.

  4. In the Health Registration Authority snap-in, right-click Certification Authority, and then click Add Certification Authority. The Add Certification Authority dialog box opens.

  5. Click Browse. The Select Certification Authority dialog box opens.

  6. Under CA, click the name of the CA that is used to issue NAP health certificates, and then click OK twice.

  7. In the HRA console tree, click Certification Authority, and verify the name and order of configured CAs.

Note

You cannot browse to a CA from a workgroup environment.

  8. Leave the HRA snap-in open for the following procedure.

Use this procedure to configure CA properties in HRA. You can configure the CA wait time, certificate validity period, and CA type.

To configure NAP CA properties and settings in HRA

  1. In the Health Registration Authority snap-in, right-click Certification Authority, and then click Properties. The Certification Authorities Properties dialog box opens.

  2. To configure the CA wait time, type a number under Number of minutes to wait between requests when a server is identified as unavailable. The default value is 5 minutes.

  3. To configure the validity time for health certificates, type a number under The certificates approved by this Health Registration Authority will be valid for, and use the drop-down list to select the unit of time. You can select Minutes, Hours, Days, or Weeks.

Note

If you are using an enterprise NAP CA, you must enable HRA to override the template validity period. For more information, see Configure Template Validity Period Override (https://go.microsoft.com/fwlink/?LinkID=177787).

  4. Next, configure the CA type by selecting Use standalone certification authority or Use enterprise certification authority.

    • If all CAs associated with HRA are stand-alone CAs, choose Use standalone certification authority.

    • If one or more CAs that are associated with HRA are enterprise CAs, select Use enterprise certification authority. Use the drop-down lists next to Authenticated compliant certificate template and Anonymous compliant certificate template to select the templates for domain-authenticated and non-domain-authenticated certificate requests.

Note

To use an enterprise NAP CA, you must set the template to use for both authenticated and anonymous requests. This step is required even if you did not choose to allow anonymous requests for health certificates during the installation of HRA. You can use the same template for authenticated and anonymous requests. If you did not allow anonymous requests, configuring an anonymous template in this procedure does not enable anonymous certificate requests.
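The following PowerShell script is an added verification example; it is not part of the original topic and is not an HRA tool. It checks the two things the procedures above depend on: that each CA in the configured processing order actually answers requests (HRA uses the first CA in the order and only falls back when that server is unavailable), and, for an enterprise NAP CA, that the authenticated and anonymous compliant templates are ones the CA can issue. It relies only on certutil.exe; the CA names, the processing order, and the template names are constructed sample values, and the parsing of the certutil -CATemplates output (one "TemplateName: DisplayName" line per template) is an assumption about that tool's text format.

```powershell
# Added verification example; not from the original TechNet topic.
# Assumes certutil.exe (AD CS management tools) is installed and the account
# running the script can reach the CAs over DCOM.

# Constructed sample values: CAs in HRA processing order, and the templates
# selected under "Authenticated/Anonymous compliant certificate template".
$HraCaServers = @(
    'ca1.corp.example\Corp-NAP-CA',    # first in order: HRA requests from this CA unless it is unavailable
    'ca2.corp.example\Corp-NAP-CA2'    # fallback when the first CA is identified as unavailable
)
$RequiredTemplates = @('NAPHealthAuthenticated', 'NAPHealthAnonymous')  # constructed names

function Test-HraCaConfiguration {
    param(
        [Parameter(Mandatory)][string[]]$CaConfigs,
        [string[]]$Templates = @()        # leave empty for standalone CAs (no templates)
    )
    foreach ($config in $CaConfigs) {
        # certutil -ping exercises the CA's request interface, the same path HRA uses.
        $null = & certutil.exe -ping -config $config 2>&1
        $reachable = ($LASTEXITCODE -eq 0)

        $missing = @()
        if ($reachable -and $Templates.Count -gt 0) {
            # Assumption: each issuable template is listed as "TemplateName: DisplayName ...".
            $catalog = & certutil.exe -CATemplates -config $config 2>&1
            foreach ($t in $Templates) {
                $pattern = '^\s*' + [regex]::Escape($t) + ':'
                if (-not ($catalog -match $pattern)) { $missing += $t }
            }
        }

        [pscustomobject]@{
            CA               = $config
            Reachable        = $reachable
            MissingTemplates = ($missing -join ', ')
        }
    }
}

# Usage: report each CA in order; the first row with Reachable = True and no
# missing templates is the CA HRA will actually use for health certificates.
$report = Test-HraCaConfiguration -CaConfigs $HraCaServers -Templates $RequiredTemplates
$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.Reachable -and -not $_.MissingTemplates })) {
    Write-Warning 'No configured CA is both reachable and able to issue the selected templates; HRA cannot obtain health certificates.'
}
```

Run the script on the HRA server so that the reachability test reflects the network path HRA itself uses. For a standalone NAP CA, omit the -Templates parameter; the template check applies only to the enterprise CA case described in the note above.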