Event ID 24 — Certificate Acquisition and Deletion

Applies To: Windows Server 2008

If a NAP client computer cannot contact the HRA server, or if server components are not correctly configured on HRA servers, certification authority (CA) servers, or Network Policy Server (NPS), the client computer cannot obtain a health certificate. IPsec policies typically restrict network communication for computers that do not have a valid health certificate.

A compliant NAP client computer might not be able to obtain a health certificate from an HRA server for the following reasons:

  • An error in the trusted server group configuration on the NAP client
  • Network connectivity problems on the HRA server, the CA server, or the NAP client
  • A configuration problem on the HRA server
  • A configuration problem on the CA server associated with the HRA

Event Details

Product: Windows Operating System
ID: 24
Source: Microsoft-Windows-NetworkAccessProtection
Version: 6.0
Symbolic Name: NAP_EVENT_HCEA_DELETE_FAILURE
Message: The Network Access Protection Agent failed to delete the certificate with the thumbprint of %1.
The certificate could not be found or the Network Access Protection Agent has insufficient privileges to delete the certificate (%2).
See the administrator for more information.

Resolve

Start the Health Key and Certificate Management service

The NAP Agent service deletes an expired health certificate. If the health certificate cannot be deleted, a likely cause is that the Health Key and Certificate Management service is not running.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To start the Health Key and Certificate Management service:

  1. On the NAP client computer, click Start, click Run, type services.msc, and then press ENTER.
  2. In the console tree, double-click Health Key and Certificate Management.
  3. In the Health Key and Certificate Management Properties window, under Service status, click Start.
  4. Confirm that the service status is Started, and then click OK.
  5. Close the Services console.
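The same check and restart can be done from an elevated PowerShell prompt instead of the Services console. The following script is an added example and is not part of the original page; it assumes the short service names hkmsvc (Health Key and Certificate Management) and napagent (Network Access Protection Agent), which the page refers to only by display name.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Assumed short service names: hkmsvc = Health Key and Certificate Management,
# napagent = Network Access Protection Agent.
$names = @('hkmsvc', 'napagent')

foreach ($name in $names) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        Write-Warning "Service '$name' is not installed on this computer."
        continue
    }

    # Get-Service does not expose the startup type on this platform; use WMI.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    Write-Host ("{0,-10} {1,-8} startup type: {2}" -f $svc.DisplayName, $svc.Status, $wmi.StartMode)

    if ($svc.Status -eq 'Running') { continue }

    if ($wmi.StartMode -eq 'Disabled') {
        # Start-Service fails on a disabled service; the startup type must be
        # changed (Set-Service -StartupType Manual) before it can be started.
        Write-Warning "Service '$name' is disabled; set its startup type to Manual or Automatic first."
        continue
    }

    try {
        Start-Service -Name $name -ErrorAction Stop
        $after = Get-Service -Name $name
        Write-Host ("Started {0}; status is now {1}." -f $name, $after.Status)
    } catch {
        Write-Warning ("Could not start {0}: {1}" -f $name, $_.Exception.Message)
    }
}
```

Checking napagent as well is deliberate: the event is logged by the NAP Agent, and a stopped agent means no certificate acquisition or deletion is attempted at all, which shows up differently from the failure this event describes.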

Verify

To verify that compliant NAP client computers have valid health certificates, and that noncompliant NAP clients do not have health certificates, review computer certificates using the Certificates snap-in.

To verify that compliant NAP clients have a health certificate:

  1. On a compliant NAP client computer, click Start, click All Programs, click Accessories, click Run, type mmc, and then press ENTER.
  2. Click File, and then click Add/Remove Snap-in.
  3. Click Certificates, click Add, choose Computer account, click Next, click Finish, and then click OK.
  4. In the console tree, navigate to Certificates\Personal\Certificates.
  5. In the details pane, verify that a certificate is displayed with Intended Purposes of System Health Authentication.
  6. In a domain environment, verify the health certificate also has an intended purpose of Client Authentication.

To verify that noncompliant NAP clients do not have a health certificate:

  1. On a noncompliant NAP client computer, click Start, click All Programs, click Accessories, click Run, type mmc, and then press ENTER.
  2. Click File, and then click Add/Remove Snap-in.
  3. Click Certificates, click Add, choose Computer account, click Next, click Finish, and then click OK.
  4. In the console tree, navigate to Certificates\Personal\Certificates.
    • If the client computer has no personal certificates, Certificates will not appear under Personal.
  5. In the details pane, verify that no certificates are displayed with an intended purpose of System Health Authentication.
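Both verification procedures above can be scripted so that the same command is run on a compliant and a noncompliant client and compared. The following PowerShell is an added example, not code from the original page. It assumes the object identifier 1.3.6.1.4.1.311.47.1.1 for the System Health Authentication enhanced key usage and 1.3.6.1.5.5.7.3.2 for Client Authentication, and it reads the computer's Personal store (Cert:\LocalMachine\My), which is the store the snap-in steps open.

```powershell
# Added example (not from the original page). Lists health certificates in the
# computer's Personal store and reports whether a valid one is present.
# Assumed OIDs:
#   1.3.6.1.4.1.311.47.1.1  System Health Authentication
#   1.3.6.1.5.5.7.3.2       Client Authentication
$HealthOid     = '1.3.6.1.4.1.311.47.1.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Returns the OIDs in the Enhanced Key Usage extension, or an empty array if none.
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext -eq $null) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-HealthCertPresent([string]$Thumbprint) {
    # Checks whether the certificate named in an Event ID 24 message (%1) still
    # exists in the store; $false confirms the "could not be found" case.
    $t = $Thumbprint -replace '\s', ''
    return (Test-Path "Cert:\LocalMachine\My\$t")
}

$now = Get-Date
$validCount = 0
$healthCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-EkuOids $_) -contains $HealthOid }

foreach ($cert in @($healthCerts)) {
    $oids    = Get-EkuOids $cert
    $expired = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)
    if (-not $expired) { $validCount++ }

    Write-Host ("Thumbprint {0}" -f $cert.Thumbprint)
    Write-Host ("  Subject    {0}" -f $cert.Subject)
    Write-Host ("  Valid from {0:u} to {1:u}{2}" -f $cert.NotBefore, $cert.NotAfter,
        $(if ($expired) { '  (expired or not yet valid)' } else { '' }))
    # In a domain environment the health certificate should also carry Client Authentication.
    Write-Host ("  Client Authentication EKU present: {0}" -f ($oids -contains $ClientAuthOid))
}

if ($validCount -eq 0) {
    Write-Host 'No valid health certificate found: expected on a noncompliant client, a problem on a compliant one.'
} else {
    Write-Host ("{0} valid health certificate(s) found: expected on a compliant client." -f $validCount)
}
```

An expired health certificate that is still listed is exactly the state Event ID 24 describes: the NAP Agent tried to remove it and could not. Passing the thumbprint from the event message to Test-HealthCertPresent distinguishes that case from a certificate that has already gone, which points at the "insufficient privileges" branch of the message instead.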
