Event ID 27 — Remote Request Processing

Applies To: Windows Server 2008 R2

Health Registration Authority (HRA) requires a connection to Network Policy Server (NPS) for validation of Network Access Protection (NAP) client health status. In a domain environment, HRA also requires a connection to the Active Directory global catalog for authentication of client credentials.

Event Details

Product: Windows Operating System
ID: 27
Source: HRA
Version: 6.1
Symbolic Name: HRA_NPS_ERROR_MALFORMED_REQUEST
Message: The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server (NPS) denied the request because the request was malformed (%4). Verify the Health Registration Authority configuration or contact its administrator for more information.

Resolve

Reinstall the HRA role service

HRA forwards client connection requests to NPS for validation. This error condition indicates that there is a problem with the way that HRA is communicating with NPS, and that the HRA service might need to be reinstalled.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Perform the following steps to reinstall the HRA service.

Remove HRA

To remove the HRA role service:

  1. On the computer where HRA is installed, click Server Manager.
  2. Under Roles Summary, click Network Policy and Access Services.
  3. Under Role Services, click Remove Role Services.
  4. On the Select Roles Services page, clear the Health Registration Authority check box, and then click Next.
  5. On the Confirm Removal Selections page, confirm that Health Registration Authority appears, and then click Remove.
  6. On the Removal Results page, confirm that Health Registration Authority was removed successfully, and then click Close.
  7. Leave Server Manager open for the following procedure.

Install HRA

To install the HRA role service:

  1. In Server Manager, under Role Services, click Add Role Services.
  2. On the Select Roles Services page, select the Health Registration Authority check box.
  3. If an Add Role Services window appears prompting you to add additional role services, click Add Required Role Services.
  4. On the Select Role Services page, click Next.
  5. On the Choose a Certification Authority to use with the Health Registration Authority page, select the choice that is appropriate for your deployment.
    1. If HRA will use a certification authority (CA) installed on the local computer, select Use the local Certification Authority for this HRA, and then click Next. If Active Directory Certificate Services (AD CS) is not already installed, it will be automatically added to the list of services to be installed with this wizard.
    2. If HRA will use a CA installed on another computer, select Use an existing remote Certification Authority, click Select, click the name of the CA to be associated with this HRA, click OK, and then click Next.
    3. If you will configure a CA for use with HRA later, choose Select a Certification Authority later using the HRA snap-in, and then click Next.
  6. On the Choose Authentication Requirements for the Health Registration Authority page, select an authentication method for your deployment.
    1. If your deployment does not require that health certificates are issued to non-domain joined clients, choose Yes, require requestors to be authenticated as members of a domain, and then click Next.
    2. If non-domain joined clients will be issued health certificates, choose No, allow anonymous requests for health certificates, and then click Next.
  7. On the Choose a Server Authentication Certificate for SSL Encryption page, if HRA will communicate with NAP clients using Secure Sockets Layer (SSL), you must choose a method for provisioning an SSL certificate.
    1. If you will use an existing certificate or import one from a file, select Choose an existing certificate for SSL encryption.
    2. To import a certificate from a file and add it to the list of certificates, click Import, click Next, click Browse, navigate to the file with your stored certificate, click Open, click Next twice, and then click Finish. The new certificate will be displayed in the list of available certificates.
    3. Click the certificate, and then click Next.
  8. If you will use a self-signed certificate, select Create a self-signed certificate for SSL encryption, and then click Next.
  9. If you will configure a certificate for SSL encryption later, choose Choose a certificate for SSL encryption later, and then click Next.
  10. On the Choose a Server Authentication Certificate for SSL Encryption page, if communications between HRA and NAP clients will not be encrypted with SSL, choose Choose a certificate for SSL encryption later, and then click Next.
  11. If you chose to use the local CA during the configuration of HRA options, and the CA was not already installed, you must now configure AD CS.
    1. On the Active Directory Certificate Services page, click Next.
    2. On the Select Role Services page, click Next.
    3. On the Specify Setup Type page, choose a type of CA for your deployment.
      1. If the local computer is running the Windows Server 2008 Enterprise operating system, and you will configure templates for the issuance of exemption certificates or health certificates on this server, choose Enterprise, and then click Next.
      2. If the local CA will not issue certificates based on custom templates or is not running Windows Server 2008 Enterprise, choose Standalone, and then click Next. Standalone is the recommended CA type for issuing health certificates to either anonymous or domain-authenticated NAP clients.
  12. On the Specify CA Type page, choose Subordinate CA, and then click Next.
  13. On the Set up Private Key page, click Next. If you are reinstalling a CA on this computer, you can choose Use existing private key.
  14. On the Configure Cryptography for CA page, click Next.
  15. On the Configure CA Name page, customize the CA common name and distinguished name suffix if desired, and then click Next.
  16. On the Request Certificate from a Parent CA page, choose Send a certificate request to a parent CA, click Browse, click the name of the parent for this subordinate CA, click OK, and then click Next.
  17. On the Configure Certificate Database page, click Next.
  18. On the Confirm Installation Selections page, click Install.
  19. On the Installation Results page, confirm that HRA and other dependent role services were installed successfully, and then click Close.

Verify

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

HRA uses IIS for validation of domain credentials. To verify that the IIS service on your HRA server has connectivity to the domain controller designated as the global catalog server:

  1. On the computer where HRA is installed, click Start.

  2. Right-click Command Prompt, and then click Run as Administrator.

  3. In the command window, type nltest /server:servername /dsgetdc:domainname, where servername is the DNS name of the domain controller you have designated as a global catalog server, and domainname is the domain to which the server belongs, and then press ENTER.

    In the following example, the name of the domain controller server is dc1 and the domain is woodgrovebank.com.

    nltest /server:dc1 /dsgetdc:woodgrovebank.com

  4. Confirm that the command completed successfully.

  5. In the Flags line of output, confirm that GC appears.
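
Steps 4 and 5 can be checked in a script instead of by eye. The following is an added example, not part of the original Microsoft procedure; the function name Test-NltestGcResult and the sample output lines are assumptions constructed for illustration.

```powershell
# Added example, not Microsoft's code. Uses only Windows PowerShell 2.0 syntax.
function Test-NltestGcResult {
    param([string[]]$OutputLines)

    # Step 4: nltest ends its output with this line when the query succeeds.
    $completed = @($OutputLines -match 'The command completed successfully').Count -gt 0

    # Step 5: the Flags line is a space-separated list of DC capabilities.
    $flags = @()
    foreach ($line in $OutputLines) {
        if ($line -match '^\s*Flags:\s*(.+)$') {
            $flags = @($Matches[1].Trim() -split '\s+')
        }
    }

    New-Object PSObject -Property @{
        Completed       = $completed
        Flags           = $flags -join ' '
        # Whole-token comparison, so only the exact flag "GC" counts.
        IsGlobalCatalog = ($flags -contains 'GC')
    }
}

# Constructed sample output (address and flag list are illustrative values).
$sampleGc = @(
    '           DC: \\dc1.woodgrovebank.com',
    '      Address: \\192.0.2.10',
    '     Dom Name: woodgrovebank.com',
    '        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN',
    'The command completed successfully'
)
# Same output with GC removed: the DC answered but is not a global catalog.
$sampleNoGc = $sampleGc -replace ' GC ', ' '

Test-NltestGcResult $sampleGc   | Format-List Completed, IsGlobalCatalog, Flags
Test-NltestGcResult $sampleNoGc | Format-List Completed, IsGlobalCatalog, Flags

# Live use on the HRA server, with the example names from step 3:
#   Test-NltestGcResult (nltest /server:dc1 /dsgetdc:woodgrovebank.com)
```

A result with Completed true and IsGlobalCatalog false means the domain controller answered but is not acting as a global catalog server.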

To verify the client domain configuration is correct:

  1. On a NAP client computer, click Start, click Control Panel, click System and Maintenance, and then click System.
  2. Under Computer name, domain, and workgroup settings, verify that the Computer name, Full computer name, and Domain for your deployment are correct.

To verify the IIS worker process (w3wp.exe) started successfully:

  1. On a NAP client computer that is configured to use the current HRA, open an elevated command prompt.
  2. In the command window, type net stop napagent && net start napagent, and then press ENTER. This command will restart the NAP Agent service and cause the client computer to request a new health certificate.
  3. On the computer where HRA is installed, click Start, click Run, type eventvwr.msc, and then press ENTER.
  4. In the console tree, double-click Windows Logs, and then click System.
  5. In the details pane, review events with a Source of HRA and a current date and time.
  6. Under Event ID, confirm that 1 is displayed in the list.
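
If Event ID 27 is still being logged after the reinstall, the message fields show which clients and principals are affected. The following is an added example, not part of the original Microsoft procedure; it assumes the event provider name matches the Source value HRA shown under Event Details, and the function name, correlation IDs, addresses, principals and reason strings are constructed for illustration.

```powershell
# Added example, not Microsoft's code. Uses only Windows PowerShell 2.0 syntax.
# The pattern mirrors the Event ID 27 message text, with %1..%4 as named groups.
$HraEvent27Pattern = 'Correlation ID (?<CorrelationId>.+?) at IP address (?<IpAddress>\S+) ' +
    '\(Principal: (?<Principal>.*?)\)\. .*?request was malformed \((?<Reason>.*?)\)'

function ConvertFrom-HraEvent27Message {
    param([string]$Message)
    if ($Message -match $HraEvent27Pattern) {
        New-Object PSObject -Property @{
            CorrelationId = $Matches['CorrelationId']
            IpAddress     = $Matches['IpAddress']
            Principal     = $Matches['Principal']
            Reason        = $Matches['Reason']
        }
    }
    # Messages that do not fit the template produce no output.
}

# Constructed sample messages built from the message template on this page.
$template = 'The Health Registration Authority was unable to validate the request with the ' +
    'Correlation ID {0} at IP address {1} (Principal: {2}). The Network Policy Server (NPS) ' +
    'denied the request because the request was malformed ({3}). Verify the Health ' +
    'Registration Authority configuration or contact its administrator for more information.'
$samples = @(
    ($template -f 'constructed-id-1', '192.0.2.21', 'WOODGROVEBANK\client1$', 'constructed reason A'),
    ($template -f 'constructed-id-2', '192.0.2.21', 'WOODGROVEBANK\client1$', 'constructed reason A'),
    ($template -f 'constructed-id-3', '192.0.2.37', 'WOODGROVEBANK\client2$', 'constructed reason B')
)

$parsed = $samples | ForEach-Object { ConvertFrom-HraEvent27Message $_ }

# Errors per client address: one noisy client or every client?
$parsed | Group-Object IpAddress | Select-Object Count, Name
$parsed | Format-Table CorrelationId, IpAddress, Principal, Reason -AutoSize

# Live use on the HRA server (System log, source HRA, as in steps 4 and 5):
#   Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='HRA'; Id=27} `
#       -ErrorAction SilentlyContinue |
#       ForEach-Object { ConvertFrom-HraEvent27Message $_.Message }
```

With the constructed samples, the grouping reports two events for 192.0.2.21 and one for 192.0.2.37.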
