Event ID 9 — CA Availability and Configuration

Applies To: Windows Server 2008

Health Registration Authority (HRA) must be associated with one or more certification authority (CA) servers. These CA servers must be configured to provide health certificates when HRA issues a request on behalf of a compliant Network Access Protection (NAP) client computer. CA servers can also be configured to allow HRA to manage the CA database.

If the HRA or CA server configuration is not correct, or if CA servers are not responding, compliant NAP client computers will be unable to acquire health certificates and their network access might be restricted.

Event Details

Product: Windows Operating System
ID: 9
Source: HRA
Version: 6.0
Symbolic Name: HRA_ERROR_COULD_NOT_CONTACT_CA_OR_REQ_FAILED
Message: The Health Registration Authority was unable to acquire a certificate for request with the correlation-id %1 at %2 (principal: %3). Discarding the request. The Certificate Server %4 denied the request with the following error: %5 (%6). See the Certificate Server administrator for more information.

Resolve

Grant HRA permission to request, issue, and manage certificates

This error condition indicates that HRA was successful in submitting a certificate request to the CA server, but did not acquire a certificate. This might be caused by HRA not being granted permissions required to request, issue, and manage health certificates.

If your HRA and NAP CA are running on the same computer, Network Service must be granted permission to request, issue, and manage certificates. If your HRA and NAP CA are running on different computers, these permissions must be granted to the computer account of your HRA server, because HRA runs as Network Service and that identity authenticates to remote computers as the HRA server's computer account.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To grant these permissions to HRA:

  1. On the computer where AD CS is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
  2. Right-click the common name for your CA, and then click Properties.
  3. Click the Security tab, and then click Add.
  4. If HRA is running on the CA server, under Enter the object names to select, type Network Service, and then click OK.
  5. If HRA is running on a server other than the CA server, click Object Types, select the Computers check box, and then click OK. Under Enter the object names to select, type the DNS name of your HRA server, and then click OK.
  6. Click the name of your HRA server, or click NETWORK SERVICE, and for Issue and Manage Certificates and Request Certificates, select Allow.
  7. Click OK, and then close the Certification Authority console.

Note: To enable HRA to remove expired records from the CA database, for Manage CA, select Allow. Manage CA is the CA Administrator role: it also lets its holder change CA settings and the permissions on the CA itself, so grant it to the HRA identity only if you rely on HRA for that cleanup.

Verify

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To verify that the CA servers are responding, and that AD CS and HRA are configured to issue health certificates:

  1. On the computer where AD CS is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
  2. In the console tree, click Issued Certificates.
  3. In the details pane, under Certificate Effective Date, confirm that health certificates are being issued with a current date.
  4. In the console tree, click Failed Requests.
  5. In the details pane, under Request Submission Date, confirm that there are no failed health certificate requests displayed with a current date.
  6. In the console tree, click Pending Requests.
  7. In the details pane, under Request Submission Date, confirm that there are no pending health certificate requests displayed with a current date.

To verify that HRA is successfully removing expired records from the CA database:

  1. On the computer where AD CS is installed, click Start, and then click Command Prompt.
  2. In the command window, type reg query hklm\software\microsoft\hcs, and then press ENTER.
  3. In the command output, record the value of CertDBCleanupInterval. This is the time interval, in seconds, used by HRA to remove expired records from the CA database. The value is expressed in hexadecimal notation, and by default is set to 0x12c, which corresponds to 300 seconds.
  4. Click Start, click Run, type certsrv.msc, and then press ENTER.
  5. In the Certification Authority console tree, click Issued Certificates.
  6. In the details pane, under Certificate Expiration Date, verify that no certificates have been expired for longer than the value of CertDBCleanupInterval.
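The two verification procedures above can be run from PowerShell on the CA host instead of clicking through the Certification Authority console. The following script is an added example and is not part of the original page or of the HRA product: it reads CertDBCleanupInterval from the HCS registry key, then uses certutil -view in csv mode to count health certificates issued today, failed and pending requests submitted today, and issued certificates that have been expired longer than the cleanup interval. The certutil -restrict expression, the csv column order, the optional -CaConfig value, and the assumption that the CA is dedicated to NAP health certificates are all assumptions to confirm against your own CA.

```powershell
<#
  Added example, not part of the original page. Runs the two Verify procedures
  above from PowerShell on the CA host, using certutil -view (csv mode) and the
  HCS registry key. Assumptions to confirm on your own CA: the certutil
  -restrict syntax used here, the csv column order returned by certutil, that
  the CA issues only NAP health certificates, and that the caller holds at
  least Read permission on the CA database.
#>
param(
    # Optional CA configuration string "host\CA common name"; omitted = local default CA.
    [string]$CaConfig = ''
)

function Get-CaRows {
    # Runs "certutil -view" in csv mode and returns one object per CA database row.
    param(
        [string[]]$View = @(),   # e.g. 'Log', 'LogFail', 'Queue'; empty = all rows
        [string]$Restrict = '',  # certutil -restrict expression, or empty for none
        [string[]]$Columns       # CA database column names, e.g. 'RequestID','NotAfter'
    )
    $argList = @()
    if ($CaConfig) { $argList += @('-config', $CaConfig) }
    $argList += @('-view') + $View
    if ($Restrict) { $argList += @('-restrict', $Restrict) }
    $argList += @('-out', ($Columns -join ','), 'csv')
    # Property names are easier to use without dots: Request.SubmittedWhen -> Request_SubmittedWhen
    $headers = $Columns | ForEach-Object { $_ -replace '\.', '_' }
    & certutil.exe @argList 2>$null |
        Select-Object -Skip 1 |                        # first line is certutil's own header row
        ConvertFrom-Csv -Header $headers |
        Where-Object { $_.RequestID -match '^\d+$' }   # drops trailer lines such as row counts
}

$now   = Get-Date
$today = $now.Date

# Second procedure, step 3: HRA's cleanup interval in seconds (default 0x12c = 300).
$hcs = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\HCS' -ErrorAction SilentlyContinue
$cleanupSeconds = if ($null -ne $hcs.CertDBCleanupInterval) { [int]$hcs.CertDBCleanupInterval } else { 300 }

# Issued certificates (Disposition 20) with their validity window. Dates are parsed
# with the current culture, which is how certutil formats them.
$issued = Get-CaRows -View 'Log' -Restrict 'Disposition=20' -Columns 'RequestID','CommonName','NotBefore','NotAfter'
$issuedToday = @($issued | Where-Object { [datetime]::Parse($_.NotBefore) -ge $today })

# Expired longer ago than CertDBCleanupInterval: HRA should already have removed these rows.
$stale = @($issued | Where-Object {
    $expires = [datetime]::Parse($_.NotAfter)
    ($now - $expires).TotalSeconds -gt $cleanupSeconds
})

# Failed (LogFail) and pending (Queue) requests submitted today.
$failedToday  = @(Get-CaRows -View 'LogFail' -Columns 'RequestID','Request.SubmittedWhen','Request.DispositionMessage' |
                  Where-Object { [datetime]::Parse($_.Request_SubmittedWhen) -ge $today })
$pendingToday = @(Get-CaRows -View 'Queue' -Columns 'RequestID','Request.SubmittedWhen','RequesterName' |
                  Where-Object { [datetime]::Parse($_.Request_SubmittedWhen) -ge $today })

# Summary: a healthy HRA/CA pair shows IssuedToday > 0 and the other three counts at 0.
[pscustomobject]@{
    CertDBCleanupIntervalSeconds = $cleanupSeconds
    IssuedToday                  = $issuedToday.Count
    FailedToday                  = $failedToday.Count
    PendingToday                 = $pendingToday.Count
    ExpiredNotCleanedUp          = $stale.Count
}

# The disposition message of a failed request is the CA-side error that Event ID 9 reports as %5 (%6).
$failedToday | Format-Table RequestID, Request_SubmittedWhen, Request_DispositionMessage -AutoSize -Wrap
$stale       | Format-Table RequestID, CommonName, NotAfter -AutoSize
```

Run it in an elevated PowerShell session on the CA, or from another computer with a configuration string such as -CaConfig 'ca01.example.com\NAP CA' (a placeholder, not a name from this page). A non-zero FailedToday with a disposition message describing a denied or access error points at the permissions in the Resolve section; a non-zero ExpiredNotCleanedUp on a CA where HRA holds only Request Certificates and Issue and Manage Certificates is expected, because cleanup of expired records also requires Manage CA, as the note above states.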
