Event ID 8 — CA Availability and Configuration
Applies To: Windows Server 2008
Health Registration Authority (HRA) must be associated with one or more certification authority (CA) servers. These CA servers must be configured to provide health certificates when HRA issues a request on behalf of a compliant Network Access Protection (NAP) client computer. CA servers can also be configured to allow HRA to manage the CA database.
If the HRA or CA server configuration is not correct, or if CA servers are not responding, compliant NAP client computers will be unable to acquire health certificates and their network access might be restricted.
Event Details
Product: | Windows Operating System |
ID: | 8 |
Source: | HRA |
Version: | 6.0 |
Symbolic Name: | HRA_ERROR_BAD_CONFIG |
Message: | The Health Registration Authority is mis-configured or can not read its configuration, stopping Health Registration Authority. See the Health Registration Authority administrator for more information. |
Resolve
Configure CA servers in HRA
This error condition indicates that HRA has a CA server configuration that is not valid. Check the names of CA servers configured in HRA, and make sure that HRA is configured with the correct CA server properties and certificate settings.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Add or remove a CA
To add a CA to HRA:
- On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
- In the console tree, right-click Certification Authority, and then click Add Certification Authority. The Add Certification Authority dialog box opens.
- Click Browse. The Select Certification Authority dialog box opens.
- Under CA, click the name of the CA that will be used to issue NAP health certificates, and then click OK twice.
To remove a CA from HRA:
- On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
- In the console tree, click Certification Authority.
- In the details pane, under Certification Authority Name, right-click the name of the CA you want to remove, and then click Delete.
Configure CA settings in HRA
To configure certification authority wait time, certificate validity period, operational mode, policyOID settings, and template settings:
- On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
- In the console tree, right-click Certification Authority, and then click Properties.
- To configure the number of minutes to wait between requests before identifying a CA as unavailable, enter a value next to Number of minutes between requests when a server is identified as unavailable.
- After choosing a unit of time from the drop-down list, enter the number of units, and then click OK.
- If you are using an enterprise CA, perform the following steps to override the validity period that is configured in your certificate templates:
- On the computer where an enterprise CA is installed, click Start, right-click Command Prompt, and then click Run as administrator.
- In the command window, type Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.
- Confirm that the command completed successfully.
- In the command window, type net stop certsvc && net start certsvc, and then press ENTER.
- Confirm that Active Directory Certificate Services (AD CS) stops and starts successfully.
- If you are using a standalone CA, choose Use standalone certification authority.
- Do not select the check box next to Enable PolicyOIDs unless you are using client extended state information for Network Access Control.
- If you are using an Active Directory-integrated enterprise CA, or if you have configured HRA to use both enterprise and standalone CAs, choose Use enterprise certification authority, and then use the drop-down list to select Authenticated compliant certificate template and Anonymous complaint certificate template. These templates must be configured and published on your enterprise CA before you configure HRA to use an enterprise CA.
Verify
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To verify that the CA servers are responding, and that AD CS and HRA are configured to issue health certificates:
- On the computer where AD CS is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
- In the console tree, click Issued Certificates.
- In the details pane, under Certificate Effective Date, confirm that health certificates are being issued with a current date.
- In the console tree, click Failed Requests.
- In the details pane, under Request Submission Date, confirm that there are no failed health certificate requests displayed with a current date.
- In the console tree, click Pending Requests.
- In the details pane, under Request Submission Date, confirm that there are no pending health certificate requests displayed with a current date.
To verify that HRA is successfully removing expired records from the CA database:
- On the computer where AD CS is installed, click Start, and then click Command Prompt.
- In the command window, type reg query hklm\software\microsoft\hcs, and then press ENTER.
- In the command output, record the value of CertDBCleanupInterval. This is the time interval, in seconds, used by HRA to remove expired records from the CA database. The value is expressed in hexadecimal notation, and by default is set to 0x12c, which corresponds to 300 seconds.
- Click Start, click Run, type certsrv.msc, and then press ENTER.
- In the Certification Authority console tree, click Issued Certificates.
- In the details pane, under Certificate Expiration Date, verify that no certificates have been expired for longer than the value of CertDBCleanupInterval.