Event ID 26 — NPS Availability and Configuration
Applies To: Windows Server 2008
Health Registration Authority (HRA) requires that Network Policy Server (NPS) is installed and running on the same computer. NPS on the local computer must be configured with Network Access Protection (NAP) policies for the evaluation of client health status, or it must be configured as a RADIUS proxy to forward client connection requests to a remote server running NPS for evaluation.
If you configure NPS on the local computer as a RADIUS proxy, then you must configure NAP policies on a remote server running NPS and enable HRA as a RADIUS client. The RADIUS proxy must have network connectivity to the remote server running NPS.
Event Details
Product: | Windows Operating System |
ID: | 26 |
Source: | HRA |
Version: | 6.0 |
Symbolic Name: | HRA_NPS_ERROR_GENERAL_ERROR |
Message: | The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server denied the request (%4). See the Network Policy Server administrator for more information. |
Diagnose
This error might be caused by one of the following conditions:
- The local or remote NPS service is not responding.
- The IIS worker process requires a reset.
- The RADIUS proxy is not configured correctly.
- The NAP health policy server is not configured correctly.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Local or remote NPS service is not responding
To determine if the NPS service is available:
- On the computer where HRA is installed, click Start.
- Right-click Command Prompt, and then click Run as Administrator.
- In the command window, type net start, and then press ENTER.
- Confirm that Network Policy Server appears in the These Windows services are started list.
- If the HRA server is an NPS proxy, repeat this procedure on all remote servers running NPS that are configured to process RADIUS client requests sent from the local computer.
- If the NPS service is not available, see the section titled "Install or enable NPS."
- If the service is available and NPS forwards connection requests to a remote server running NPS for evaluation, follow steps in the following procedure to check connectivity to the remote server.
To check connectivity to a remote server running NPS:
On the computer where HRA is installed, click Start.
Right-click Command Prompt, and then click Run as Administrator.
In the command window, type rpcping -s servername, where servername is the DNS name of the remote server running NPS, and then press ENTER.
In the following example, the name of the remote server running NPS is NPS1 and the domain is woodgrovebank.com.
rpcping -s NPS1.woodgrovebank.com
Confirm that the response reads, "Completed 1 calls."
Repeat this procedure for each remote NAP health policy server used by this HRA.
If the remote server running NPS is not available, contact your network administrator.
IIS worker process requires a reset
To determine if the connection between HRA and the local NPS should be reset:
- On the computer where HRA is installed, click Start, click Run, type eventvwr.msc, and then press ENTER.
- In the console tree, double-click Windows Logs, and then click System.
- In the details pane, under Source, review HRA events. If events 26 and 23 occur together, it indicates that the NPS service might have been unavailable when HRA made a request for evaluation of client health status. If the NPS service is temporarily unavailable while the IIS worker process is active, this can cause HRA to refuse requests from the new NPS service instance.
- If events 26 and 23 occur together, see the section titled "Reset HRA."
- If events 26 and 23 do not occur together, continue to the next section titled "RADIUS proxy is not configured correctly."
RADIUS proxy is not configured correctly
Before you perform this procedure, confirm that at least one compliant NAP client computer has requested a health certificate from this HRA. Also confirm that you intend for the local NPS to forward client health credentials to a remote NPS for evaluation.
To determine if the RADIUS proxy is correctly configured:
- On the NAP health policy server, click Start, click Run, type eventvwr.msc, and then press ENTER.
- In the console tree, double-click Windows Logs, and then click Security.
- In the details pane, review events with a Source of NPS. If events 6276-6278 are present, this indicates that the NAP health policy server is evaluating NAP client health status.
- Review the RADIUS Client field in the message for events 6276-6278.
- If the HRA server is not found as a RADIUS client in NAP event messages 6276-6278, see the section titled "Configure a RADIUS proxy."
- If the HRA server is found as a RADIUS client in NAP event messages 6276-6278, continue to the next section titled "NAP health policy server is not configured correctly."
NAP health policy server is not configured correctly
Before you perform this procedure, confirm that at least one compliant NAP client computer has requested a health certificate from this HRA.
To determine if the NAP health policy server is correctly configured:
- On the computer where HRA is installed, click Start, click Run, type eventvwr.msc, and then press ENTER.
- In the console tree, double-click Windows Logs, and then click Security.
- In the details pane, under Source, review NPS events. If events 6276-6278 are displayed, this indicates that the NAP health policy server is evaluating NAP client health status.
- If event messages 6276-6278 are not found, or if the health status of client computers is not being evaluated correctly, see the section titled "Configure the NAP health policy server."
Resolve
Install or enable NPS
This error condition indicates that the NPS service is unavailable. Check that NPS is running and is not disabled, and make sure the NPS server role is installed correctly. If NPS on the local computer is configured as a RADIUS proxy, then confirm connectivity to the NAP health policy server in a remote RADIUS server group.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Check NPS service availability
To determine if the NPS service is installed and running on the local HRA server and, if applicable, on remote RADIUS servers:
- On the computer where HRA is installed, click Server Manager.
- Under Roles Summary, click Go to Manage Roles.
- Under Network Policy and Access Services, confirm the status of Network Policy Server is Installed.
- If the NPS service is not installed, click Add Role Services, select the Network Policy Server check box, and complete the wizard to install NPS.
- Under Network Policy and Access Services, click Go to Network Policy and Access Services.
- Under System Services, confirm that the status of Network Policy Server is Running.
- If the NPS service is not running, click Network Policy Server, and then click Start.
- Confirm that the NPS service starts successfully.
- If HRA is installed on a server running NPS as a RADIUS proxy:
- Repeat steps 1-5 of this procedure on all remote NAP health policies servers used to evaluate connection requests sent from this HRA.
- Check network connectivity to each remote server running NPS.
Check network connectivity
To check network connectivity to a remote server running NPS:
On the computer where HRA is installed, click Start.
Right-click Command Prompt, and then click Run as Administrator.
In the command window, type rpcping -s servername, where servername is the DNS name of the remote server running NPS, and then press ENTER.
In the following example, the name of the remote NPS server is NPS1 and the domain is woodgrovebank.com.
rpcping -s NPS1.woodgrovebank.com
Confirm that the response reads, "Completed 1 calls."
Repeat this procedure for each remote NAP health policy server used by this HRA.
If the remote server running NPS is not available, contact your network administrator.
Configure a RADIUS proxy
This error condition indicates that the local NPS is not configured as a RADIUS proxy to forward client health credentials to the NAP health policy server for evaluation.
Perform the following procedures to configure the local computer as a RADIUS proxy. These procedures apply if the NPS service on the local computer will forward connection requests to a remote NAP health policy server for evaluation. You should also confirm that the NAP health policy server added to remote RADIUS server groups in the first procedure is configured to evaluate NAP client heath status, and has a corresponding RADIUS client entry to receive connection requests forwarded by the local computer. To determine if the RADIUS client entries are correct on remote RADIUS servers, see the section titled "Configure the NAP health policy server."
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Configuring a RADIUS proxy
To configure remote RADIUS server groups:
- On the computer where HRA is installed, click Start.
- Click Run, type nps.msc, and then press ENTER.
- In the console tree, under RADIUS Clients and Servers, right-click Remote RADIUS Server Groups, and then click New.
- Under Group name, type a name for the remote RADIUS server group. Click Add, and then under Server, type the DNS name or IP address of a server running NPS that is configured to evaluate NAP Internet Protocol security (IPsec) client connection requests forwarded from the local HRA.
- Click Verify, and then click Resolve.
- Confirm that the IP address for your deployment is correct, and then click OK.
- Click the Authentication/Accounting tab. Under Shared secret and Confirm shared secret, type the secret that is configured in NPS settings on the NAP health policy server.
- Click OK twice.
- Leave the NPS console open for the following procedure.
To configure connection request policy to forward authentication requests:
- In the console tree, double-click Policies, and then click Connection Request Policies.
- In the details pane, double-click the connection request policy that is used to authenticate incoming network access requests from IPsec-protected NAP clients.
- Click the Settings tab, and under Forwarding Connection Request, click Authentication.
- Confirm that Forward requests to the following remote RADIUS server group for authentication is selected, and confirm the name of the selected remote RADIUS server group contains the correct NAP health policy servers on your network.
- Close the NPS console.
Configure the NAP health policy server
This error condition indicates that configuration of the NAP health policy server is not correct for the NAP IPsec enforcement method. To configure NPS on the local computer as a NAP health policy server, you must configure the following policies and settings:
- Connection request policy
- Network policy
- Health policy
- System health validators (SHVs)
Note: If other HRA servers will be configured as RADIUS proxies to forward connection requests to the local computer, then you must also configure RADIUS clients.
These procedures apply only if health policies configured in NPS on the local computer will be used to evaluate the health status of NAP client computers. If you have previously configured the server running NPS as a NAP health policy server, then use the following procedures to confirm the settings.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Configure connection request policy
To configure connection request policy to authenticate requests on this server:
- On the computer where HRA is installed, click Start.
- Click Run, type nps.msc, and then press ENTER.
- Right-click Connection Request Policies, and the click New.
- Under Policy Name, type a name for the connection request policy.
- Under Type of network access server, select Health Registration Authority, and then click Next.
- Connection request policy requires that at least one condition is specified. To add a condition that does not deny any incoming access requests, on the Specify Conditions page, click Add.
- In the Select condition window, click Day and Time Restrictions, and then click Add.
- In the Time of day constraints window, select Permitted. Confirm that all days and times are permitted, click OK, and then click Next.
- Confirm that Authenticate requests on this server is selected, click Next three times, and then click Finish.
- Create additional connection requests policies to specify different authentication conditions, as your deployment requires.
- Leave the NPS console open for the following procedures.
Configure health policy
To configure compliant and noncompliant health policies:
- In the console tree, right-click Health Policies, and then click New.
- Under Policy name, type a name for your health policy.
- If this health policy will apply to computers that comply with network requirements, perform the following steps:
- Enter a descriptive name for the new health policy.
- Under Client SHV checks, select Client passes all SHV checks to create a strict health policy, or select Client passes one or more SHV checks to create a more lenient health policy.
- If this health policy will apply to computers that do not comply with network health requirements, perform the following steps:
- Enter a descriptive name for the new health policy.
- Under Client SHV checks, select Client fails one or more SHV checks to create a strict health policy, or select Client fails all SHV checks to create a more lenient health policy.
- Under SHVs used in this health policy, select the check box next to each SHV that will be used to evaluate client health, and then click OK. The Windows Security Health Validator (WSHV) is available by default. Other SHVs are available if they have been installed.
- Repeat this procedure until you have configured at least one compliant and one noncompliant health policy. These health policies will be used to establish conditions for the network policies created in the following procedure.
- Create additional health policies to specify additional requirements of your deployment.
- Leave the NPS console open for the following procedures.
Configure network policy
To configure compliant and noncompliant network policies:
- Right-click Network Policies, and then click New.
- Under Policy Name, type a name for the network policy.
- Under Type of network access server, select Health Registration Authority, and then click Next.
- On the Specify Conditions page, click Add.
- In Select condition, click Health Policies, and then click Add.
- If this network policy will apply to compliant client computers, under Health Policies, choose a health policy that has been configured to match a compliant client health state, and then click OK.
- If this network policy will apply to noncompliant client computers, under Health Policies, choose a health policy that has been configured to match a noncompliant client health state, and then click OK.
- Click Next, select Access granted, and then click Next.
- On the Configure Authentication Methods page, select the Perform machine health check only check box, and then click Next twice.
- On the Configure Settings page, click NAP Enforcement.
- Choose an enforcement mode for this policy. Three enforcement modes are available for staging your NAP deployment:
- To enable reporting mode, select Allow full network access for both compliant and noncompliant NAP client computers. In reporting mode, the health status of client computers is logged, but network access is not restricted. Both compliant and noncompliant computers receive health certificates.
- To enable deferred enforcement mode, select Allow full network access in your compliant network policy and Allow full network access for a limited time in your noncompliant network policy. You must also specify a date and time by which noncompliant clients will have their access restricted. In deferred enforcement mode, client computers immediately receive NAP notifications if they do not comply with network health requirements, but their access is not restricted until the specified date and time.
- To enable full enforcement mode, select Allow full network access in your compliant network policy and Allow limited access in your noncompliant network policy. In full enforcement mode, client computers immediately have their network access restricted if they do not comply with network health requirements.
- To enable auto-remediation of noncompliant clients, select the Enable auto-remediation of client computers check box. If you do not want to enable auto-remediation, clear this check box.
- Click Next, and then click Finish.
- Repeat this procedure until you have at least one compliant and one noncompliant network policy.
- Create additional network policies to specify additional health requirements, as your deployment requires.
- Leave the NPS console open for the following procedures.
Configure system health validators
To configure system health validators:
- In the NPS console tree, double-click Network Access Protection, and then click System Health Validators.
- In the details pane, under Name, double-click the name of an installed system health validator.
- The configuration of system health validators varies according to the implementation. If you are using WSHV, click Configure.
- To configure health requirements for computers running Windows Vista, click the Windows Vista tab.
- To configure health requirements for computers running Windows XP with Service Pack 3, click the Windows XP tab.
- Enable health requirements by selecting the check boxes next to health components. Clear these check boxes to disable requirements. The health requirements that are available when you are using WSHV include firewall, virus protection, spyware protection, automatic updating, and security update protection.
- Click OK, and configure error code resolutions for your deployment. Error code resolutions determine how clients are evaluated under the listed error conditions. You can select to return a status of Compliant or Noncompliant for each condition.
- Click OK, and then close the NPS console.
Configure RADIUS clients
To configure RADIUS clients:
The configuration of RADIUS clients is optional. If your NAP health policy server recieves requests from other HRAs that are running NPS in a RADIUS proxy configuration and will forward authentication requests to the local server, you must configure NPS on the local computer to evaluate these requests and return the results of this evaluation to other HRA servers. Use the following procedure to configure the local computer to process requests recieved from remote HRA servers.
- On the NAP health policy server, click Start.
- Click Run, type nps.msc, and then press ENTER.
- Right-click RADIUS Clients, and then click New RADIUS Client.
- Under Friendly name, type a name for the RADIUS client.
- Under Address (IP or DNS), enter the IP address or DNS name of the remote HRA server, click Verify, and then click Resolve.
- Confirm that the IP address displayed corresponds to the correct remote HRA server, and then click OK.
- Under Shared secret and Confirm shared secret, type the secret that is configured in remote RADIUS server group settings on the remote HRA server.
- If the remote HRA server has enabled the Message-Authenticator attribute in its remote RADIUS server group configuration settings, then select the Access-Request messages must contain the Message-Authenticator attribute check box. If this option is not enabled on the remote HRA, then confirm that this check box is cleared.
- Select the RADIUS client is NAP-capable check box, and then click OK.
- Repeat this procedure for all remote HRA servers that are configured to forward connection requests to the current NPS.
- Close the NPS console.
Reset HRA
HRA runs an IIS worker process, w3wp.exe, that works with NPS to issue health certificates when a NAP client initiates a connection. If the process is idle for several minutes, the process ends until it is called again.
This error condition indicates that the NPS service has become unavailable while w3wp.exe is running, possibly due to a temporary loss of network connectivity or a restarting of the NPS service. You can wait for the w3wp.exe process to end, or you can end the current process, forcing a new w3wp.exe process to start.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To end the w3wp.exe process:
- On the computer where HRA is installed, click Start.
- Right-click Command Prompt, and then click Run as Administrator.
- In the command window, type taskkill /F /IM w3wp.exe, and then press ENTER.
- Confirm that the command completed successfully.
Note: If the w3wp.exe process has ended, the command output will display "ERROR: The process "w3wp.exe" not found."
Verify
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To verify that the NPS service is running and configured to evaluate client health status, use the following procedure to generate a health certificate request on a client computer and verify that client health status is correctly evaluated:
- On a NAP client computer that is configured to use the current HRA, open an elevated command prompt.
- In the command window, type net stop napagent && net start napagent, and then press ENTER. This command will restart the NAP Agent service and cause the client computer to request a new health certificate.
- On the computer with NPS installed and configured as a NAP health policy server, click Start, click Run, type eventvwr.msc, and then press ENTER.
- In the console tree, double-click Windows Logs, and then click Security.
- In the details pane, review events with a Task Category of Network Policy Server and a current date and time.
- If the client computer is compliant with network health requirements, or NPS is configured for reporting mode, confirm that 6278 is displayed in the list under Event ID.
- If the client computer is not compliant with network health requirements, and NPS is configured for deferred enforcement, confirm that 6277 is displayed in the list under Event ID.
- If the client computer is not compliant with network health requirements, and NPS is configured for full enforcement, confirm that 6276 is displayed in the list under Event ID.