Event ID 36 — Certificate Acquisition and Deletion

Applies To: Windows Server 2008

If a NAP client computer is not able to contact the HRA server, or if server components are not correctly configured on HRA servers, certification authority (CA) servers, or Network Policy Server (NPS), the client computer will not be able to obtain a health certificate. IPsec policies typically restrict network communication of computers that do not have a valid health certificate.

A compliant NAP client computer might not be able to obtain a health certificate from an HRA server for the following reasons:

  • An error in trusted server group configuration of the NAP client
  • Network connectivity problems on the HRA server, the CA server, or the NAP client
  • A configuration problem on the HRA server
  • A configuration problem on the CA server associated with the HRA

Event Details

Product: Windows Operating System
ID: 36
Source: Microsoft-Windows-NetworkAccessProtection
Version: 6.0
Symbolic Name: NAP_EVENT_HRA_CERT_ERROR_BLACKOUT
Message: The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1.
The validation of the server certificate for SSL resulted in an error %3, the certificate is not appropriate for SSL. This server will not be tried again for %4 minutes.
Contact the HRA administrator for more information.

Resolve

Configure and enroll an SSL certificate

In its recommended configuration, HRA receives NAP client health certificate requests over a Secure Sockets Layer (SSL) connection. This error indicates that there is a problem with SSL certificates. Configure an SSL certificate on the HRA server and ensure that the client computer trusts the HRA server SSL certificate.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Provision a server SSL certificate

To configure an SSL certificate on the HRA server:

  1. On the computer where HRA is installed, click Start, click Run, type inetmgr, and press ENTER.
  2. In the console tree, click the name of the HRA server.
  3. In the details pane, double-click Server Certificates.
  4. In the Actions pane, click Create Domain Certificate.
  5. Next to Common name, type the fully qualified domain name of the HRA server.
  6. Type information for your organization in the remaining fields, and then click Next.
  7. On Online Certification Authority, click Select and choose a certification authority (CA) server to sign the certificate.
  8. Under Friendly name, type a friendly name for the CA server, and then click Finish.

Allow the client to trust the server SSL certificate

To enable trust of a server SSL certificate on a NAP client computer, export the Root CA certificate from a client computer or server that trusts the Root CA, and then import this certificate to the destination client computer.

Note: Domain-joined client computers trust the HRA server SSL certificate by default. To enable trust on a workgroup client, you must perform the following procedure.

To export the Root CA certificate from a domain-joined computer:

  1. On a domain-joined computer that trusts the Root CA, click Start, click Run, type mmc, and then press ENTER.
  2. Click File, and then click Add/Remove Snap-in.
  3. Click Certificates, click Add, choose Computer account, click Next, click Finish, and then click OK.
  4. In the console tree, navigate to Certificates\Trusted Root Certification Authorities\Certificates.
  5. In the details pane, right-click the Root CA certificate that you want to export, point to All Tasks, and then click Export.
  6. On the Welcome to the Certificate Export Wizard page, click Next.
  7. On the Export File Format page, click Next.
  8. On the File to Export page, click Browse, and then browse to a location on your network or on removable media where you can save the certificate so that it will be accessible to workgroup computers.
  9. After you have selected a location to save the certificate as a file, type a name for the file next to File name, and then click Save.
  10. Verify that the file name and location are displayed under File name, click Next, and then click Finish.
  11. Verify that The export was successful is displayed, and then click OK.

To import the Root CA certificate to a workgroup computer and enable trust:

  1. On the destination computer, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Certificates, click Add, select Computer account, and then click Next.
  4. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
  5. In the console tree, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
  6. Right-click Certificates, point to All Tasks, and then click Import.
  7. On the Welcome to the Certificate Import Wizard page, click Next.
  8. On the File to Import page, click Browse.
  9. Browse to the location where you saved the Root CA certificate from the source computer, and then click Open.
  10. On the File to Import page, verify that the location of the Root CA certificate file is displayed under File name, and then click Next.
  11. On the Certificate Store page, select Place all certificates in the following store, verify that Trusted Root Certification Authorities is displayed under Certificate store, and then click Next.
  12. On the Completing the Certificate Import Wizard page, click Finish.
  13. Verify that The import was successful is displayed, and then click OK.
  14. On the destination computer, type the following command at an elevated command prompt and then press ENTER:

      certutil -addstore -f -enterprise NTAuth filelocation

Note: Replace filelocation with the path to the location where you saved the Root CA certificate after exporting. For example, D:\RootCA.cer.

  15. Restart the NAP agent service.
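The same export-and-import procedure as a script, added here as an example and not part of the original article. It uses only .NET certificate store classes and certutil, which are available on Windows Server 2008; the Root CA name and the share path are placeholders, and the second half must run from an elevated prompt on the workgroup NAP client.

```powershell
# Added example: export the Root CA certificate from a computer that already trusts it,
# then import it on a workgroup NAP client and register it in the NTAuth store.
$rootCaName = 'Contoso Root CA'                 # placeholder: CN of your Root CA
$exportPath = '\\fileserver\share\RootCA.cer'   # placeholder: reachable by workgroup clients

# --- Part 1: run on a domain-joined computer that trusts the Root CA ---
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadOnly')
$rootCa = $store.Certificates |
    Where-Object { $_.Subject -like "CN=$rootCaName*" } |
    Select-Object -First 1
$store.Close()
if (-not $rootCa) { throw "Root CA '$rootCaName' not found in Trusted Root Certification Authorities." }

# DER-encoded export of the public certificate only; no private key is involved.
[System.IO.File]::WriteAllBytes($exportPath, $rootCa.Export('Cert'))
Write-Output ("Exported {0} (thumbprint {1}) to {2}" -f $rootCa.Subject, $rootCa.Thumbprint, $exportPath)

# --- Part 2: run from an elevated prompt on the workgroup NAP client ---
# Same stores the wizard and the article's certutil step populate.
certutil -addstore -f Root $exportPath
certutil -addstore -f -enterprise NTAuth $exportPath

# Restart the NAP agent so it picks up the new trust anchor (article step 15).
Restart-Service napagent
```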


Verify

To verify that compliant NAP client computers have valid health certificates, and that noncompliant NAP clients do not have health certificates, review computer certificates using the Certificates snap-in.

To verify that compliant NAP clients have a health certificate:

  1. On a compliant NAP client computer, click Start, click All Programs, click Accessories, click Run, type mmc, and then press ENTER.
  2. Click File, and then click Add/Remove Snap-in.
  3. Click Certificates, click Add, choose Computer account, click Next, click Finish, and then click OK.
  4. In the console tree, navigate to Certificates\Personal\Certificates.
  5. In the details pane, verify that a certificate is displayed with Intended Purposes of System Health Authentication.
  6. In a domain environment, verify the health certificate also has an intended purpose of Client Authentication.

To verify that noncompliant NAP clients do not have a health certificate:

  1. On a noncompliant NAP client computer, click Start, click All Programs, click Accessories, click Run, type mmc, and then press ENTER.
  2. Click File, and then click Add/Remove Snap-in.
  3. Click Certificates, click Add, choose Computer account, click Next, click Finish, and then click OK.
  4. In the console tree, navigate to Certificates\Personal\Certificates.
    • If the client computer has no personal certificates, Certificates will not appear under Personal.
  5. In the details pane, verify that no certificates are displayed with an intended purpose of System Health Authentication.
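The two verification procedures above reduced to one check, added here as an example and not part of the original article. It lists certificates in the computer's Personal store whose Enhanced Key Usage includes System Health Authentication (OID 1.3.6.1.4.1.311.47.1.1), reports whether each is currently time-valid, and flags whether Client Authentication (OID 1.3.6.1.5.5.7.3.2) is also present, as expected in a domain environment.

```powershell
# Added example: find health certificates on a NAP client via their EKU OIDs.
$SystemHealthAuthOid = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'        # Client Authentication

# Returns the EKU OID strings of a certificate, or an empty array if it has no EKU extension.
function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $ext = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

$now = Get-Date
$healthCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-EkuOids $_) -contains $SystemHealthAuthOid }

if (-not $healthCerts) {
    # Expected on a noncompliant client. On a compliant client this points at the
    # HRA, CA or NPS problems listed at the top of the article.
    Write-Output 'No health certificate present (no certificate with the System Health Authentication EKU).'
} else {
    foreach ($c in $healthCerts) {
        $ekus = Get-EkuOids $c
        New-Object PSObject -Property @{
            Subject       = $c.Subject
            Issuer        = $c.Issuer
            Thumbprint    = $c.Thumbprint
            NotAfter      = $c.NotAfter
            TimeValid     = ($c.NotBefore -le $now) -and ($c.NotAfter -gt $now)
            ClientAuthToo = $ekus -contains $ClientAuthOid   # expected True in a domain environment
        }
    }
}
```

Run it on a compliant client and expect at least one time-valid entry; run it on a client that NPS reports as noncompliant and expect the "No health certificate present" line.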
