Event ID 21 — Certificate Acquisition and Deletion

Applies To: Windows Server 2008

If a NAP client computer is not able to contact the HRA server, or if server components are not correctly configured on HRA servers, certification authority (CA) servers, or Network Policy Server (NPS), the client computer will not be able to obtain a health certificate. IPsec policies typically restrict network communication of computers that do not have a valid health certificate.

A compliant NAP client computer might not be able to obtain a health certificate from an HRA server for the following reasons:

  • An error in trusted server group configuration of the NAP client
  • Network connectivity problems on the HRA server, the CA server, or the NAP client
  • A configuration problem on the HRA server
  • A configuration problem on the CA server associated with the HRA

Event Details

Product: Windows Operating System
ID: 21
Source: Microsoft-Windows-NetworkAccessProtection
Version: 6.0
Symbolic Name: NAP_EVENT_URL_CONTACT_FAILED
Message: The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1.
The request failed with the error code (%3). This server will not be tried again for %4 minutes.
See the HRA administrator for more information.

Resolve

Repair the trusted server configuration

This error condition might be due to an incorrect trusted server group configuration on the NAP client computer or an inability of the client computer to contact HRA servers. To resolve this condition, review the trusted server group settings of NAP client computers, repair the configuration if required, and check network connectivity to the configured HRA servers.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Review trusted server group settings

To review trusted server group configuration on the NAP client:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. In the command window, type netsh nap client show configuration, and then press ENTER.

  3. In the command window, type netsh nap client show grouppolicy, and then press ENTER.

  4. In the command output of both commands, review the information in Trusted server group configuration, and confirm the configuration information is correct.

    Important: If the client is using HRA autodiscovery, no trusted server group configuration is displayed. Autodiscovery of HRAs requires that the client trusted server group configuration is blank.

  5. If the client is using HRA autodiscovery:

    1. In the command window, type reg query "HKLM\Software\Microsoft\NetworkAccessProtection\NAPClient\ScratchConfig\Enroll\HcsGroups\DiscoveredGroup" /s, and then press ENTER.
    2. In the command output, review the server URLs listed next to Server and the HRA priority settings next to Order for accuracy.
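The review above can be scripted so that the local configuration, the Group Policy configuration, and (when both are blank) the autodiscovery results are collected in one pass. The following is an added example, not part of the original article or of the NAP product; it assumes PowerShell 2.0 or later in an elevated session on the NAP client, and it pulls HRA URLs out of the netsh output by pattern because the exact label wording of the trusted server group section is not reproduced here. The registry value names Server and Order are the ones the article says to review.

```powershell
# Added example (not from the original article): dump the NAP client's trusted
# server group settings from both netsh views and, when both are blank
# (HRA autodiscovery), read the discovered group from the registry.

function Get-NapTrustedServerUrls {
    param([string]$NetshArgs)   # e.g. 'client show configuration'
    $output = & netsh nap ($NetshArgs -split ' ') 2>&1
    # Assumption: each HRA in the trusted server group section is shown as a URL
    # on its own line, so URLs are extracted with a pattern rather than by label.
    $urls = @()
    foreach ($line in $output) {
        if ($line -match '(https?://\S+)') { $urls += $Matches[1] }
    }
    return $urls
}

function Get-NapDiscoveredGroup {
    # Registry path from the article; read recursively, as 'reg query /s' does.
    $path = 'HKLM:\Software\Microsoft\NetworkAccessProtection\NAPClient\ScratchConfig\Enroll\HcsGroups\DiscoveredGroup'
    if (-not (Test-Path $path)) { return @() }
    $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse)
    $entries = @()
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        if ($props.Server) {
            $entries += New-Object PSObject -Property @{ Server = $props.Server; Order = $props.Order }
        }
    }
    return $entries | Sort-Object Order
}

$local  = @(Get-NapTrustedServerUrls 'client show configuration')
$policy = @(Get-NapTrustedServerUrls 'client show grouppolicy')

Write-Host "Local trusted server group URLs : $($local -join ', ')"
Write-Host "Group Policy trusted server URLs: $($policy -join ', ')"

if (($local.Count -eq 0) -and ($policy.Count -eq 0)) {
    # Blank configuration is required for autodiscovery, so check what it found.
    Write-Host 'No trusted server group configured; checking HRA autodiscovery results.'
    $discovered = @(Get-NapDiscoveredGroup)
    if ($discovered.Count -eq 0) {
        Write-Warning 'DiscoveredGroup is empty: autodiscovery has not found an HRA.'
    } else {
        $discovered | Format-Table Order, Server -AutoSize
    }
}
```

If a URL appears in the Group Policy view but not in the local view, the client is still processing policy; if both views list URLs that differ from the HRA names you expect, repair the trusted server group as described in the next procedure.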

Repair NAP client trusted server group settings

To repair the NAP client trusted server group configuration:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Run.
  2. Type napclcfg.msc, and then press ENTER.
  3. In the console tree, double-click Health Registration Settings, and then click Trusted Server Groups.
  4. In the details pane, double-click the name of the trusted server group you want to repair.
  5. To add an HRA server to the trusted server group, type a URL, and then click Add.
  6. To delete an HRA server from the trusted server group, click the URL of an HRA server, and then click Remove.
  7. To modify existing HRA servers, click the URL of an HRA server you want to change, and then click Move Up or Move Down to change the processing order of this HRA server, or click Edit to change the URL of this HRA server.
  8. When you have finished repairing the trusted server group configuration, click OK, and then close the NAP client configuration console.

To repair the NAP client trusted server group configuration in Group Policy:

  1. Open the Group Policy Management Console (GPMC) and edit the Group Policy object associated with your NAP client computers.
  2. Navigate to Computer Configuration\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Health Registration Settings\Trusted Server Groups.
  3. Follow steps 4-7 in the preceding procedure.
  4. Close the Group Policy Management Editor console.
  5. When prompted to apply settings to the Group Policy object, click Yes.

Check network connectivity

To check network connectivity to the HRA server:

  1. On the NAP client computer, click Start, and then click Internet Explorer.
  2. Enter the URL of the HRA server into the address bar of Internet Explorer, and then press ENTER.
  3. If you receive a security alert for the SSL connection, click OK.
  4. If Internet Explorer warns you that the security certificate presented by this Web site was issued for a different Web site's address, click Continue to this website (not recommended). The warning usually appears if the URL does not contain the fully qualified domain name of the HRA server. Clicking through the warning is acceptable only for this connectivity test; correct the trusted server group URL to use the fully qualified domain name on the HRA certificate, because the NAP Agent, unlike a browser user, has no way to accept the mismatch.
  5. If you are prompted to enter your domain credentials, provide the domain name, user name, and password.
  6. When you browse to the HRA Web site, Internet Explorer will display a "500 - Internal server error" message. This is normal, and indicates that the client computer can connect to the HRA server.
  • If you receive an "Internet Explorer cannot display the webpage" message, then there is a connectivity problem between the NAP client and the HRA server, either due to network problems or an incorrect HRA address.
  • If you receive a "403 - Forbidden: Access is denied" message, this indicates a permission problem on the HRA. You might also receive this error if the full HRA URL is not entered in Internet Explorer.
  • If you receive a "404 - File or directory not found" message, this indicates that the client has connected to the HRA server, but the URL is not valid.
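The same test, with the article's interpretation of each outcome, can be run from PowerShell against every HRA URL in the trusted server group. This is an added example, not code from the original article; it assumes PowerShell 2.0 or later (it uses the .NET HttpWebRequest class rather than a cmdlet that Windows Server 2008 lacks), and the URL in $HraUrls is a placeholder to replace with your own HRA URLs. The certificate validation override mirrors clicking through the SSL warnings in Internet Explorer and is reset when the test finishes.

```powershell
# Added example (not from the original article): reproduce the Internet Explorer
# connectivity test for each HRA URL and map the HTTP result to the article's
# interpretation (500 = reachable, 403 = permissions/short URL, 404 = bad path,
# no response = connectivity or wrong address).
$HraUrls = @('https://hra1.example.com/DomainHRA/hcsrvext.dll')   # placeholder, assumed URL

function Test-HraConnectivity {
    param([string]$Url, [switch]$IgnoreCertificateErrors)

    # Equivalent of clicking OK / "Continue to this website" in IE. Acceptable only
    # for this one-off test: the NAP Agent itself will not accept a bad or mismatched
    # certificate, so such a mismatch still has to be fixed in the trusted server group.
    if ($IgnoreCertificateErrors) {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'GET'
    $request.UseDefaultCredentials = $true   # same as supplying domain credentials when prompted
    $request.Timeout = 10000

    $status = $null
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # 403/404/500 are delivered as exceptions but still carry a status code.
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            $verdict = "No HTTP response: network problem or incorrect HRA address ($($_.Exception.Message))"
        }
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    }

    if ($status -ne $null) {
        $verdict = switch ($status) {
            500     { 'Reachable: HRA answered 500, which is normal for a browser-style request' }
            403     { 'Reached HRA but access denied: permission problem on the HRA, or the full HRA URL was not used' }
            404     { 'Reached HRA but the URL path is not valid' }
            default { "Unexpected HTTP status $status; check the HRA Web site configuration" }
        }
    }
    New-Object PSObject -Property @{ Url = $Url; Status = $status; Verdict = $verdict }
}

foreach ($url in $HraUrls) {
    Test-HraConnectivity -Url $url -IgnoreCertificateErrors | Format-List Url, Status, Verdict
}
```

Run the test once with -IgnoreCertificateErrors to separate reachability from certificate problems, then once without it: a URL that only passes with the override points at a certificate trust or name problem that the NAP Agent will also hit.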

If the NAP client settings are correct and the client computer can contact the HRA server, the problem might be due to a configuration issue on the HRA server or CA server. For more information about how to resolve this issue, see "CA availability and configuration" in the Health Registration Authority section (https://go.microsoft.com/fwlink/?LinkID=104093).

Verify

To verify that compliant NAP client computers have valid health certificates, and that noncompliant NAP clients do not have health certificates, review computer certificates using the Certificates snap-in.

To verify that compliant NAP clients have a health certificate:

  1. On a compliant NAP client computer, click Start, click All Programs, click Accessories, click Run, type mmc, and then press ENTER.
  2. Click File, and then click Add/Remove Snap-in.
  3. Click Certificates, click Add, choose Computer account, click Next, click Finish, and then click OK.
  4. In the console tree, navigate to Certificates\Personal\Certificates.
  5. In the details pane, verify that a certificate is displayed with Intended Purposes of System Health Authentication.
  6. In a domain environment, verify the health certificate also has an intended purpose of Client Authentication.

To verify that noncompliant NAP clients do not have a health certificate:

  1. On a noncompliant NAP client computer, click Start, click All Programs, click Accessories, click Run, type mmc, and then press ENTER.
  2. Click File, and then click Add/Remove Snap-in.
  3. Click Certificates, click Add, choose Computer account, click Next, click Finish, and then click OK.
  4. In the console tree, navigate to Certificates\Personal\Certificates.
    • If the client computer has no personal certificates, Certificates will not appear under Personal.
  5. In the details pane, verify that no certificates are displayed with an intended purpose of System Health Authentication.
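Both verification procedures above check the computer's Personal store for a certificate whose intended purposes include System Health Authentication. The following added example (not from the original article) performs the same check from PowerShell 2.0 or later using the Cert: drive, so it can be run unattended on a compliant client (a current health certificate is expected) and on a noncompliant client (none is expected). The enhanced key usage OIDs are the standard ones for System Health Authentication and Client Authentication; the validity-period check is an added practitioner check, since an expired health certificate would show in the snap-in but would not satisfy IPsec policy.

```powershell
# Added example (not from the original article): list NAP health certificates in the
# computer's Personal store, as the Certificates snap-in steps do, and flag ones
# that are expired or that lack Client Authentication (required in a domain).
$SystemHealthAuthOid = '1.3.6.1.4.1.311.47.1.1'   # intended purpose: System Health Authentication
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'        # intended purpose: Client Authentication

function Get-NapHealthCertificates {
    $results = @()
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect the certificate's enhanced key usage OIDs (its "Intended Purposes").
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
            }
        }
        if ($ekus -notcontains $SystemHealthAuthOid) { continue }

        $results += New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            TimeValid     = (($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter))
            HasClientAuth = ($ekus -contains $ClientAuthOid)
        }
    }
    return $results
}

$healthCerts = @(Get-NapHealthCertificates)

if ($healthCerts.Count -eq 0) {
    # Expected on a noncompliant client; on a compliant client this matches Event ID 21.
    Write-Host 'No certificate with System Health Authentication in the computer Personal store.'
} else {
    $healthCerts | Format-Table Subject, Thumbprint, NotAfter, TimeValid, HasClientAuth -AutoSize
    foreach ($c in $healthCerts) {
        if (-not $c.TimeValid) {
            Write-Warning "Health certificate $($c.Thumbprint) is outside its validity period."
        }
        if (-not $c.HasClientAuth) {
            Write-Warning "Health certificate $($c.Thumbprint) lacks Client Authentication (required in a domain environment)."
        }
    }
}
```

A compliant client should show exactly one current health certificate with both purposes in a domain environment; a noncompliant client should show none. A compliant client with none, together with Event ID 21 in the log, points back to the trusted server group, connectivity, and HRA/CA checks in the Resolve section.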
