NAP CA Denied the Request

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In a Network Access Protection (NAP) deployment, this problem commonly occurs when the Health Registration Authority (HRA) server is configured to use a standalone NAP certification authority (CA) but the NAP CA is actually an enterprise CA. It can also occur if HRA has not been granted permission on the NAP CA to request certificates and to issue and manage certificates.

Description of system behavior

If HRA is configured to request health certificates from more than one NAP CA, it might still obtain a health certificate for the NAP client from another NAP CA after one CA denies the request. If HRA cannot acquire a health certificate on behalf of the NAP client computer from any NAP CA, the access of that client is restricted wherever health certificate-based Internet Protocol security (IPsec) policies are enforced.

Associated operating system events

  • HRA event ID 9: The Health Registration Authority was unable to acquire a certificate for request with the correlation-id %1 at %2 (principal: %3). Discarding the request. The Certificate Server %4 denied the request with the following error: %5 (%6). See the Certificate Server administrator for more information.

Root cause diagnosis and resolution

To resolve this issue, verify that HRA is configured to use the correct type of NAP CA and that it has been granted sufficient permissions.

HRA is configured to use a standalone CA

When you configure HRA, you can select Use standalone certification authority or Use enterprise certification authority; Use standalone certification authority is the default. The enterprise setting is the more permissive one: with Use enterprise certification authority, HRA can request health certificates from either an enterprise CA or a standalone CA. With Use standalone certification authority, HRA cannot request certificates from an enterprise CA, and the request is denied.

Resolution

If you are using an enterprise NAP CA, you must configure HRA with a setting of Use enterprise certification authority.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To repair this problem

  1. Click Start, click Run, type mmc, and then press ENTER.

  2. Click File, click Add/Remove Snap-in, click Health Registration Authority, click Add, and then click OK twice.

  3. In the console tree, right-click Certification Authority, and then click Properties.

  4. In the Certification Authorities window, choose Use enterprise certification authority.

  5. Under Authenticated compliant certificate template and Anonymous compliant certificate template, select the certificate templates to use, and then click OK.

HRA does not have permission to request, issue, and manage certificates

This error condition indicates that HRA successfully submitted a certificate request to the CA, but did not obtain a certificate because the identity HRA runs under has not been granted the Request Certificates and Issue and Manage Certificates permissions on the CA.

Resolution

If your HRA and NAP CA are running on the same computer, the Network Service account must be granted permission to request certificates and to issue and manage certificates. If HRA and your NAP CA are running on different computers, these permissions must be granted to the computer account of your HRA server.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To repair this problem

  1. On the computer where Active Directory Certificate Services (AD CS) is installed, click Start, click Run, type certsrv.msc, and then press ENTER.

  2. Right-click the common name for your CA, and then click Properties.

  3. Click the Security tab, and then click Add.

  4. If HRA is running on the CA server, under Enter the object names to select, type Network Service, and then click OK.

  5. If HRA is running on a server other than the CA server, click Object Types, select Computers, and then click OK. Under Enter the object names to select, type the DNS name of your HRA server, and then click OK.

  6. Click the name of your HRA server, or click NETWORK SERVICE, and then, for both Issue and Manage Certificates and Request Certificates, select Allow.

  7. Click OK, and then close the Certification Authority console.
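The same two checks can be scripted from an administrative PowerShell prompt on the CA server, which is useful when you need to confirm the cause before touching the HRA snap-in or the Certification Authority console. The script below is an added example, not part of the original article or of the NAP product: it reports the CA type (so you know whether HRA must be set to Use enterprise certification authority), then decodes the CA's stored security descriptor, the same ACL the Security tab edits, and checks whether the HRA identity has both Request Certificates and Issue and Manage Certificates. With -Apply it appends the missing Allow ACE and restarts Certificate Services. The CA access-mask bit values are taken from the CertSrv SDK constants (CA_ACCESS_OFFICER = 0x2, CA_ACCESS_ENROLL = 0x200); the principal name, the CONTOSO domain and the HRA01 host name are placeholders you must replace.

```powershell
# Added example (not from the original article): diagnose, and optionally fix,
# the two causes of HRA event ID 9 described above, run on the CA server.
# Placeholders: the default principal assumes HRA runs on the CA itself;
# pass 'CONTOSO\HRA01$' (your HRA server's computer account) for a remote HRA.
param(
    [string]$HraPrincipal = 'NT AUTHORITY\NETWORK SERVICE',
    [switch]$Apply   # without -Apply the script only reports
)

# 1. Which kind of CA is this? If certutil reports an Enterprise CA, HRA must be
#    configured with "Use enterprise certification authority".
$caType = (certutil -cainfo type | Select-String 'CA type') -replace '.*:\s*', ''
if ($caType) { Write-Host "CA type reported by certutil: $caType" }

# 2. Read the active CA's security descriptor from the CertSvc configuration key
#    (this is the REG_BINARY value that certutil -getreg CA\Security displays).
$cfg      = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$activeCa = (Get-ItemProperty $cfg).Active
$caKey    = Join-Path $cfg $activeCa
$sdBytes  = (Get-ItemProperty $caKey).Security
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @($sdBytes, 0)

# CA access-mask bits (CertSrv SDK): assumption documented in the lead-in.
$CA_ACCESS_OFFICER = 0x2     # "Issue and Manage Certificates"
$CA_ACCESS_ENROLL  = 0x200   # "Request Certificates"
$needed = $CA_ACCESS_OFFICER -bor $CA_ACCESS_ENROLL

$sid = (New-Object System.Security.Principal.NTAccount($HraPrincipal)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# 3. OR together every Allow ACE that names the HRA identity.
$granted = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -is [System.Security.AccessControl.CommonAce] -and
        $ace.AceQualifier -eq 'AccessAllowed' -and
        $ace.SecurityIdentifier -eq $sid) {
        $granted = $granted -bor $ace.AccessMask
    }
}
$missing = $needed -band (-bnot $granted)
if ($missing -eq 0) {
    Write-Host "$HraPrincipal already has Request and Issue/Manage rights on CA '$activeCa'."
    return
}
Write-Warning ("$HraPrincipal is missing CA rights 0x{0:X} on '$activeCa'; HRA event ID 9 is expected." -f $missing)

if (-not $Apply) {
    Write-Host 'Re-run with -Apply to add the missing Allow ACE and restart CertSvc.'
    return
}

# 4. Append an Allow ACE carrying only the missing bits, write the descriptor
#    back, and restart the CA so it reloads its security settings.
$newAce = New-Object System.Security.AccessControl.CommonAce -ArgumentList @(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $missing, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
$newBytes = New-Object byte[] $sd.BinaryLength
$sd.GetBinaryForm($newBytes, 0)
Set-ItemProperty -Path $caKey -Name Security -Value $newBytes -Type Binary
Restart-Service CertSvc
Write-Host "Allow ACE added for $HraPrincipal on '$activeCa'; CertSvc restarted."
```

Run it once without -Apply to confirm the diagnosis matches the event ID 9 text, and compare its output with certutil -getreg CA\Security before and after applying the change. The script grants only the two rights the article calls for; it deliberately does not touch Manage CA (0x1), which HRA does not need.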