Event ID 11 — NPS Availability and Configuration
Applies To: Windows Server 2008
Health Registration Authority (HRA) requires that Network Policy Server (NPS) is installed and running on the same computer. NPS on the local computer must be configured with Network Access Protection (NAP) policies for the evaluation of client health status, or it must be configured as a RADIUS proxy to forward client connection requests to a remote server running NPS for evaluation.
If you configure NPS on the local computer as a RADIUS proxy, then you must configure NAP policies on a remote server running NPS and enable HRA as a RADIUS client. The RADIUS proxy must have network connectivity to the remote server running NPS.
Event Details
Product: | Windows Operating System |
ID: | 11 |
Source: | HRA |
Version: | 6.0 |
Symbolic Name: | HRA_ERROR_COULD_NOT_CONTACT_IAS |
Message: | Microsoft Health Registration Authority could not contact IAS: %1 |
Resolve
Install or enable NPS
This error condition indicates that the NPS service is unavailable. Check that NPS is running and is not disabled, and make sure the NPS server role is installed correctly. If NPS on the local computer is configured as a RADIUS proxy, then confirm connectivity to the NAP health policy server in a remote RADIUS server group.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Check NPS service availability
To determine if the NPS service is installed and running on the local HRA server and, if applicable, on remote RADIUS servers:
- On the computer where HRA is installed, click Server Manager.
- Under Roles Summary, click Go to Manage Roles.
- Under Network Policy and Access Services, confirm the status of Network Policy Server is Installed.
- If the NPS service is not installed, click Add Role Services, select the Network Policy Server check box, and complete the wizard to install NPS.
- Under Network Policy and Access Services, click Go to Network Policy and Access Services.
- Under System Services, confirm that the status of Network Policy Server is Running.
- If the NPS service is not running, click Network Policy Server, and then click Start.
- Confirm that the NPS service starts successfully.
- If HRA is installed on a server running NPS as a RADIUS proxy:
- Repeat steps 1-5 of this procedure on all remote NAP health policies servers used to evaluate connection requests sent from this HRA.
- Check network connectivity to each remote server running NPS.
Check network connectivity
To check network connectivity to a remote server running NPS:
On the computer where HRA is installed, click Start.
Right-click Command Prompt, and then click Run as Administrator.
In the command window, type rpcping -s servername, where servername is the DNS name of the remote server running NPS, and then press ENTER.
In the following example, the name of the remote NPS server is NPS1 and the domain is woodgrovebank.com.
rpcping -s NPS1.woodgrovebank.com
Confirm that the response reads, "Completed 1 calls."
Repeat this procedure for each remote NAP health policy server used by this HRA.
If the remote server running NPS is not available, contact your network administrator.
Verify
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To verify that the NPS service is running and configured to evaluate client health status, use the following procedure to generate a health certificate request on a client computer and verify that client health status is correctly evaluated:
- On a NAP client computer that is configured to use the current HRA, open an elevated command prompt.
- In the command window, type net stop napagent && net start napagent, and then press ENTER. This command will restart the NAP Agent service and cause the client computer to request a new health certificate.
- On the computer with NPS installed and configured as a NAP health policy server, click Start, click Run, type eventvwr.msc, and then press ENTER.
- In the console tree, double-click Windows Logs, and then click Security.
- In the details pane, review events with a Task Category of Network Policy Server and a current date and time.
- If the client computer is compliant with network health requirements, or NPS is configured for reporting mode, confirm that 6278 is displayed in the list under Event ID.
- If the client computer is not compliant with network health requirements, and NPS is configured for deferred enforcement, confirm that 6277 is displayed in the list under Event ID.
- If the client computer is not compliant with network health requirements, and NPS is configured for full enforcement, confirm that 6276 is displayed in the list under Event ID.