Event ID 39 — HRA Discovery

Applies To: Windows Server 2008 R2

To use NAP with the IPsec enforcement method, client computers must be configured with trusted server group settings. Trusted server groups provide a list of Health Registration Authority (HRA) servers that NAP clients use when they request a health certificate. There are three methods available to configure trusted server groups on the NAP client:

  1. Local computer settings. You can use the NAP client configuration console or command line to configure NAP settings on the local computer. If NAP client settings are configured in Group Policy, the local computer NAP client settings will be ignored.
  2. Group Policy settings. You can use the Group Policy Management Console (GPMC) on a computer with the Group Policy Management feature installed to configure NAP client settings in Group Policy.
  3. HRA autodiscovery. You can configure NAP clients to automatically discover HRA servers. To enable HRA autodiscovery, you must configure NAP client registry settings and DNS services (SRV) records. In addition, you must clear the local computer or Group Policy trusted server group settings.

Note: If the client computer is not using the NAP IPsec enforcement method, you can disable HRA autodiscovery.

Event Details

Product: Windows Operating System
ID: 39
Source: Microsoft-Windows-NetworkAccessProtection
Version: 6.1
Symbolic Name: NAP_EVENT_NO_HRAS_CONFIGURED
Message: The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from.
A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made.
Contact the HRA administrator for more information.

Resolve

Configure trusted server groups

This error condition indicates that trusted server groups are not configured on the client computer. To repair this condition, configure a trusted server group using one of the three available methods. If this condition is present on a computer that is not using the IPsec enforcement method, use the "Disable HRA discovery" procedure.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Configure trusted server groups using local client settings

To configure NAP client trusted server group settings on the local computer:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Run.
  2. Type napclcfg.msc, and then press ENTER.
  3. In the console tree, double-click Health Registration Settings, and then click Trusted Server Groups.
  4. Right-click Trusted Server Groups, and then click New.
  5. In the Group Name window, under Group Name, type a name for the new trusted server group, and then click Next.
  6. In the Add Servers window, type the URL for an HRA server you wish to add, and click Add.
  7. To delete an HRA server from the trusted server group, click the URL of an HRA server, and then click Remove.
  8. To modify existing HRA servers, click the URL of an HRA server you want to change, and then click Move Up or Move Down to change the processing order of this HRA server, or click Edit to change the URL of this HRA server.
  9. When you have finished adding or modifying HRA servers to the trusted server group, click Finish.
  10. Repeat this procedure to add additional trusted server groups, if desired.
  11. Close the NAP Client Configuration console.

Configure trusted server group settings using Group Policy

To configure NAP client trusted server group settings in Group Policy:

  1. On a computer with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and then press ENTER.
  2. In the GPMC, right-click the Group Policy object associated with your NAP client computers, and then click Edit.
  3. In the Group Policy Management Editor console, navigate to Computer Configuration\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Health Registration Settings\Trusted Server Groups.
  4. Right-click Trusted Server Groups, and then click New.
  5. In the Group Name window, under Group Name, type a name for the new trusted server group, and then click Next.
  6. In the Add Servers window, type the URL for an HRA server you wish to add, and click Add.
  7. To delete an HRA server from the trusted server group, click the URL of an HRA server, and then click Remove.
  8. To modify existing HRA servers, click the URL of an HRA server you want to change, and then click Move Up or Move Down to change the processing order of this HRA server, or click Edit to change the URL of this HRA server.
  9. When you have finished adding or modifying HRA servers to the trusted server group, click Finish.
  10. Repeat this procedure to add additional trusted server groups if desired.
  11. Close the GPMC.
  12. When prompted to apply settings to the Group Policy object, click Yes.

Configure trusted server group settings using HRA autodiscovery

To configure NAP client trusted server group settings using HRA autodiscovery, you must configure the EnableDiscovery registry key and provision DNS SRV records.

To configure the Enable Discovery registry key:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, click Run, type regedit, and then press ENTER.
  2. If NAP settings on the client computer are configured locally, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups.
  3. If NAP settings on the client computer are configured using Group Policy, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups.
  4. Right-click HcsGroups, point to New, and then click DWORD (32-bit) Value. For the new DWORD, type EnableDiscovery, and then press ENTER.
  5. Double-click EnableDiscovery, under Value data, type 1, and then click OK.
  6. Close the Registry Editor.

To provision DNS SRV records for HRA autodiscovery:

  1. On the DNS server used by IPsec NAP client computers, click Start, click Run, type dnsmgmt.msc, and then press ENTER.
  2. In the console tree, navigate to Forward Lookup Zones\<domain name>\_sites\<site name>\_tcp.
  3. Right-click _tcp, and then click Other New Records.
  4. In the Resource Record Type window, under Select a resource record type, click Service Location (SRV), and then click Create Record.
  5. In the New Resource Record window, next to Service, type _hra.
  6. Under Host offering this service, type the DNS name or IP address of the HRA server you want to add.
  7. If more than one HRA SRV record is provisioned, next to Priority, type the priority assigned to this HRA in the processing order, and then click OK. Possible values are 0 through 65535, with lower numbers assigned a higher priority.
  8. Repeat steps 4-7 for all HRA servers you want to add.
  9. To add HRA autodiscovery support for non-domain joined clients, navigate to Forward Lookup Zones\<domain name>\_tcp in the console tree, and then perform steps 3-8 in this procedure.
  10. When you have added SRV records, click Done.
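The registry and DNS steps above, scripted as one added PowerShell example (not from this page). Assumptions: the registry half runs elevated on the NAP client and the dnscmd half on the DNS server; the zone, site and HRA host names are constructed, and the SRV port is assumed to be 443 (HTTPS), which the procedure above does not state.

```powershell
# Added example, not part of the original page. Zone, site, hosts and port are assumptions.
$Zone = 'corp.example'                    # constructed DNS zone
$Site = 'Default-First-Site-Name'         # AD site whose _sites\<site>\_tcp node gets the records
$Port = 443                               # assumption: HRA reached over HTTPS
$Hras = @{ 'hra1.corp.example' = 10;      # constructed HRA hosts -> SRV priority
           'hra2.corp.example' = 20 }     # lower number = tried first

function Enable-HraDiscoveryClient {
    # Step 2/3 of the procedure: the Group Policy key applies when it exists,
    # otherwise the LocalConfig key is the one the agent reads.
    $gpKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups'
    $localKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups'
    $key = if (Test-Path $gpKey) { $gpKey } else { $localKey }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Steps 4/5: DWORD EnableDiscovery = 1
    New-ItemProperty -Path $key -Name 'EnableDiscovery' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "EnableDiscovery=1 set under $key"

    # Autodiscovery is ignored while a trusted server group is still configured,
    # so show any existing group; remove it with
    # 'netsh nap client delete trustedservergroup name=<name>' before relying on DNS.
    netsh nap client show configuration | Select-String 'Trusted server group' -Context 0,5
}

function Add-HraSrvRecords {
    # One _hra SRV record per HRA under the site node (domain-joined clients)
    # and under the zone root (non-domain-joined clients), as in steps 2-9.
    foreach ($hraHost in $Hras.Keys) {
        $prio = $Hras[$hraHost]
        foreach ($node in @("_hra._tcp.$Site._sites", "_hra._tcp")) {
            # dnscmd /RecordAdd <zone> <node> SRV <priority> <weight> <port> <target>
            dnscmd /RecordAdd $Zone $node SRV $prio 0 $Port $hraHost
        }
    }
    # Show what a client in the zone will resolve; priorities decide the order.
    nslookup -type=SRV "_hra._tcp.$Zone"
}

Enable-HraDiscoveryClient   # run on the NAP client
Add-HraSrvRecords           # run on the DNS server
```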

Disable HRA discovery

To disable HRA discovery on computers that are not using the IPsec enforcement method, configure a trusted server group. If NAP client settings are configured in Group Policy, you must configure trusted server groups in Group Policy.

To disable HRA discovery using local computer settings:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Run.
  2. Type napclcfg.msc, and then press ENTER.
  3. In the console tree, double-click Health Registration Settings, and then click Trusted Server Groups.
  4. Right-click Trusted Server Groups, and then click New.
  5. In the Group Name window, under Group Name, type a name for the new trusted server group, and then click Next.
  6. In the Add Servers window, click Finish.
  7. Close the NAP Client Configuration console.

To disable HRA discovery using Group Policy:

  1. On a computer with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and then press ENTER.
  2. In the GPMC, right-click the Group Policy object associated with your NAP client computers, and then click Edit.
  3. In the Group Policy Management Editor console, navigate to Computer Configuration\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Health Registration Settings\Trusted Server Groups.
  4. Right-click Trusted Server Groups, and then click New.
  5. In the Group Name window, under Group Name, type a name for the new trusted server group, and then click Next.
  6. In the Add Servers window, click Finish.
  7. Close the Group Policy Management Editor console.
  8. When prompted to apply settings to the Group Policy object, click Yes.

Verify

You can use the command line and netsh nap client context to display trusted server group settings when NAP client computers use local computer policy or Group Policy to discover HRA servers. The Windows registry or the presence of event ID 40 in Event Viewer will indicate if NAP client computers automatically discover an HRA server configuration using DNS SRV records.

Verify trusted server group settings in local computer or Group Policy

To verify local computer or Group Policy trusted server group settings:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Command Prompt.
  2. In the command window, type netsh nap client show configuration, and then press ENTER.
  3. If the client uses local computer policy to obtain NAP client settings, verify that your HRA servers are listed under Trusted server group configuration in the command output.
  4. In the command window, type netsh nap client show grouppolicy, and then press ENTER.
  5. If the client uses Group Policy to obtain NAP client settings, verify that your HRA servers are listed under Trusted server group configuration in the command output.

Note: If both settings are present, the client will use Group Policy settings.

Verify trusted server group settings for HRA autodiscovery

To verify registry entries for discovered HRA servers:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Command Prompt.
  2. In the command window, type reg query "HKLM\Software\Microsoft\NetworkAccessProtection\NAPClient\ScratchConfig\Enroll\HcsGroups\DiscoveredGroup" /s, and then press ENTER.
  3. In the command output, next to Server, verify that the URLs displayed for your HRA servers are correct.

To verify events for discovered HRA servers:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Run.
  2. Type eventvwr.msc, and then press ENTER.
  3. In the console tree, navigate to Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.
  4. Right-click Operational, and then click Filter Current Log.
  5. Next to Event sources, select Network Access Protection.
  6. Under Includes/Excludes Event IDs, click the text box containing <All Event IDs>, type 40, and then click OK. All logged occurrences of event 40 will be displayed in the details pane.
  7. Verify that event ID 40 is currently being logged.
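The verification steps above collected into one added PowerShell check (not from this page): it reads the local and Group Policy trusted server groups through netsh, the EnableDiscovery value, the DiscoveredGroup key, and the latest event 39/40 entries. Assumptions: it runs on the NAP client, and the Operational log's channel name is Microsoft-Windows-NetworkAccessProtection/Operational.

```powershell
# Added example, not part of the original page. Log channel name is an assumption.
function Get-HraUrls([string[]]$NetshOutput) {
    # Pull every HRA URL out of 'netsh nap client show ...' output.
    $NetshOutput | Select-String -Pattern 'https?://\S+' -AllMatches |
        ForEach-Object { $_.Matches | ForEach-Object { $_.Value } }
}

$localUrls = @(Get-HraUrls (netsh nap client show configuration))
$gpUrls    = @(Get-HraUrls (netsh nap client show grouppolicy))

# Group Policy settings win when both are present (see the note in the Verify section).
if ($gpUrls.Count)        { Write-Host "Group Policy HRAs: $($gpUrls -join ', ')" }
elseif ($localUrls.Count) { Write-Host "Local HRAs: $($localUrls -join ', ')" }
else                      { Write-Host 'No trusted server group from policy; checking autodiscovery' }

# EnableDiscovery in whichever key applies to this client.
$keys = 'HKLM:\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups',
        'HKLM:\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups'
foreach ($k in $keys) {
    if (Test-Path $k) {
        $v = (Get-ItemProperty -Path $k -Name EnableDiscovery -ErrorAction SilentlyContinue).EnableDiscovery
        $shown = if ($v -eq $null) { 'not set' } else { $v }
        Write-Host ("{0}: EnableDiscovery={1}" -f $k, $shown)
    }
}

# Servers the agent actually discovered through DNS SRV (same key as the reg query step).
$disc = 'HKLM:\SOFTWARE\Microsoft\NetworkAccessProtection\NAPClient\ScratchConfig\Enroll\HcsGroups\DiscoveredGroup'
if (Test-Path $disc) {
    Get-ChildItem $disc -Recurse | Get-ItemProperty |
        Select-Object PSChildName, Server | Format-Table -AutoSize
} else {
    Write-Host 'No DiscoveredGroup key: autodiscovery has not produced an HRA list'
}

# Newest 39 (no HRAs configured) and 40 (HRA discovered) events show the agent's current state.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NetworkAccessProtection/Operational'; Id = 39, 40
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A client that still logs event 39 with EnableDiscovery=1 and no DiscoveredGroup key is usually missing the _hra SRV record or still has a trusted server group configured.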