Event ID 7 — Remote Request Processing

Applies To: Windows Server 2008 R2

Health Registration Authority (HRA) requires a connection to Network Policy Server (NPS) for validation of Network Access Protection (NAP) client health status. In a domain environment, HRA also requires a connection to the Active Directory global catalog for authentication of client credentials.

Event Details

Product: Windows Operating System
ID: 7
Source: HRA
Version: 6.1
Symbolic Name: HRA_ERROR_CERTNAME_SECPRINCIPAL_MISMATCH
Message: The Health Registration Authority denied the request with the correlation-id %1 at %2 (principal %3) because the request was not authorized (%4). Discarding the request.

Resolve

Repair domain configuration

This error condition indicates that Internet Information Services (IIS) cannot connect to the global catalog, or that there is a problem with domain configuration on the client computer.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Check network connectivity

To check connectivity between IIS and the domain controller designated as a global catalog server:

  1. On the computer where HRA is installed, click Start.

  2. Right-click Command Prompt, and then click Run as Administrator.

  3. In the command window, type nltest /sc_query:domainname, where domainname is the domain to which the server belongs, and then press ENTER.

    In the following example, the name of the domain is woodgrovebank.com.

    nltest /sc_query:woodgrovebank.com

  4. In the command output, record the value next to Trusted DC Name.

  5. In the command window, type nltest /server:servername /dsgetdc:domainname, where servername is the DNS name of the domain controller displayed in the preceding command, and domainname is the domain to which the server belongs, and then press ENTER.

    In the following example, the name of the domain controller server is dc1 and the domain is woodgrovebank.com.

    nltest /server:dc1 /dsgetdc:woodgrovebank.com

  6. Confirm that the command completed successfully. If the command fails, check network connectivity to the domain controller.

  7. In the Flags line of output, confirm that GC appears.

  8. If GC does not appear in the list of flags, contact your domain administrator to enable global catalog on this server.

Repair the domain configuration

To review and change the computer name or domain on the client computer:

  1. On the client computer named in the event message text next to principal, click Start, click Control Panel, click System and Maintenance, and then click System.
  2. Under Computer name, domain, and workgroup settings, confirm that the computer name, full computer name, and domain for your deployment are correct.
  3. If any of these values are not correct, use the following steps to change the computer name or domain.
    1. Click Change settings, and then click Change.
    2. Under Computer name, type a name for this client computer.
    3. Under Member of, choose Domain or Workgroup, type the name of the domain or workgroup to which this computer belongs, and then click OK.
    4. If you are prompted for credentials, type the user name and password for an account with permission to join the domain, click OK, and then click OK again.
    5. If you are prompted to restart the computer, click OK, and then click Close.
    6. If you are prompted to restart the computer, click Restart Now.

Verify

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

HRA uses IIS for validation of domain credentials. To verify that the IIS service on your HRA server has connectivity to the domain controller designated as the global catalog server:

  1. On the computer where HRA is installed, click Start.

  2. Right-click Command Prompt, and then click Run as Administrator.

  3. In the command window, type nltest /server:servername /dsgetdc:domainname, where servername is the DNS name of the domain controller you have designated as a global catalog server, and domainname is the domain to which the server belongs, and then press ENTER.

    In the following example, the name of the domain controller server is dc1 and the domain is woodgrovebank.com.

    nltest /server:dc1 /dsgetdc:woodgrovebank.com

  4. Confirm that the command completed successfully.

  5. In the Flags line of output, confirm that GC appears.
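The nltest checks in "Check network connectivity" and in the verification procedure above can be scripted. The following PowerShell is an added example, not part of the original article; the function names and exit codes are illustrative, and the default domain is the woodgrovebank.com example used on this page.

```powershell
# Added example: runs the nltest checks from the procedures above.
# Run from an elevated PowerShell prompt on the computer where HRA is installed.
param([string]$DomainName = 'woodgrovebank.com')   # example domain from this page

function Test-NltestSuccess([string[]]$Output) {
    # nltest prints this line when the command succeeds
    return [bool]($Output | Select-String -SimpleMatch 'The command completed successfully')
}

function Get-TrustedDcName([string[]]$Output) {
    # Value next to "Trusted DC Name", with the leading \\ removed
    foreach ($line in $Output) {
        if ($line -match '^\s*Trusted DC Name\s+\\\\(\S+)') { return $Matches[1] }
    }
    return $null
}

function Get-DcFlags([string[]]$Output) {
    # Tokens on the "Flags:" line of the /dsgetdc output
    foreach ($line in $Output) {
        if ($line -match '^\s*Flags:\s*(.+)$') { return @($Matches[1].Trim() -split '\s+') }
    }
    return @()
}

$scQuery = & nltest.exe "/sc_query:$DomainName" 2>&1 | ForEach-Object { "$_" }
if (-not (Test-NltestSuccess $scQuery)) {
    Write-Error "nltest /sc_query failed for $DomainName; check network connectivity."
    exit 1
}
$dc = Get-TrustedDcName $scQuery
if (-not $dc) { Write-Error 'No Trusted DC Name line found in the output.'; exit 1 }
Write-Output "Trusted DC Name: $dc"

$dsGetDc = & nltest.exe "/server:$dc" "/dsgetdc:$DomainName" 2>&1 | ForEach-Object { "$_" }
if (-not (Test-NltestSuccess $dsGetDc)) {
    Write-Error "nltest /dsgetdc against $dc failed; check connectivity to the domain controller."
    exit 1
}
$flags = Get-DcFlags $dsGetDc
if ($flags -contains 'GC') {
    Write-Output "$dc reports the GC flag: $($flags -join ' ')"
} else {
    Write-Warning "$dc does not report GC; ask the domain administrator to enable global catalog."
    exit 2
}
```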

To verify the client domain configuration is correct:

  1. On a NAP client computer, click Start, click Control Panel, click System and Maintenance, and then click System.
  2. Under Computer name, domain, and workgroup settings, verify that the Computer name, Full computer name, and Domain for your deployment are correct.

To verify the IIS worker process (w3wp.exe) started successfully:

  1. On a NAP client computer that is configured to use the current HRA, open an elevated command prompt.
  2. In the command window, type net stop napagent && net start napagent, and then press ENTER. This command will restart the NAP Agent service and cause the client computer to request a new health certificate.
  3. On the computer where HRA is installed, click Start, click Run, type eventvwr.msc, and then press ENTER.
  4. In the console tree, double-click Windows Logs, and then click System.
  5. In the details pane, review events with a Source of HRA and a current date and time.
  6. Under Event ID, confirm that 1 is displayed in the list.
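The Event Viewer review above can also be done from PowerShell on the HRA server. This is an added example, not part of the original article; it assumes the events carry the provider name HRA (the Source shown on this page) and extracts the client name from the "(principal %3)" part of the Event ID 7 message. The function name and the 24-hour window are illustrative.

```powershell
# Added example: triage HRA events in the System log on the HRA server.
# Assumption: the provider name is "HRA", matching the Source on this page.
param([int]$Hours = 24)   # look-back window (illustrative default)

function Get-DeniedPrincipal([string]$Message) {
    # Event ID 7 text includes "(principal <name>)"; return <name> or $null
    if ($Message -match '\(principal\s+([^)]+)\)') { return $Matches[1].Trim() }
    return $null
}

$filter = @{ LogName = 'System'; Id = 1, 7; StartTime = (Get-Date).AddHours(-$Hours) }
$hraEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'HRA' })

$denied  = @($hraEvents | Where-Object { $_.Id -eq 7 })
$success = @($hraEvents | Where-Object { $_.Id -eq 1 })

# Clients named in denied requests, most frequent first; these are the
# computers whose name and domain settings should be reviewed.
$denied | ForEach-Object { Get-DeniedPrincipal $_.Message } | Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name

# Confirm that Event ID 1 was logged after the most recent Event ID 7.
$lastDenied  = $denied  | Sort-Object TimeCreated | Select-Object -Last 1
$lastSuccess = $success | Sort-Object TimeCreated | Select-Object -Last 1
if ($lastSuccess -and (-not $lastDenied -or $lastSuccess.TimeCreated -gt $lastDenied.TimeCreated)) {
    Write-Output "Event ID 1 logged at $($lastSuccess.TimeCreated), after the last Event ID 7."
} else {
    Write-Warning "No Event ID 1 from HRA after the last Event ID 7 in the past $Hours hours."
}
```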
