Event ID 10 — CA Availability and Configuration
Applies To: Windows Server 2008
Health Registration Authority (HRA) must be associated with one or more certification authority (CA) servers. These CA servers must be configured to provide health certificates when HRA issues a request on behalf of a compliant Network Access Protection (NAP) client computer. CA servers can also be configured to allow HRA to manage the CA database.
If the HRA or CA server configuration is not correct, or if CA servers are not responding, compliant NAP client computers will be unable to acquire health certificates and their network access might be restricted.
Event Details
Product: Windows Operating System
ID: 10
Source: HRA
Version: 6.0
Symbolic Name: HRA_ERROR_COULD_NOT_CONTACT_CA
Message: The Health Registration Authority was unable to acquire a certificate for request with the correlation-id %1 at %2 (principal: %3). The Certificate Server %4 denied the request with the following error: %6 (%7). This failure was possibly due to a network related issue. The request will be discarded if no other certificate servers are available. This server will not be tried again for %5 minutes. See the Certificate Server administrator for more information.
Diagnose
This error might be caused by one of the following conditions:
- HRA has a CA server configuration that is not valid.
- Active Directory Certificate Services (AD CS) is not responding to HRA.
- CA servers are not configured to issue health certificates with HRA.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
CA server configuration is not valid
To check the CA server configuration for HRA:
- On the computer where HRA is installed, click Start.
- Right-click Command Prompt, and then click Run as Administrator.
- In the command window, type netsh nap hra show configuration, and then press ENTER.
- Check that the following settings are correctly configured for your deployment:
  - Certificate Validity Period
  - HRA mode
  - PolicyOID setting
  - CA server name
  - CA server processing order
  - Blackout time
  - No response timeout
- If the HRA mode is set to Enterprise and Standalone CAs, also check that the following settings are correctly configured:
  - Anonymous Template
  - Authenticated Template
- To add, delete, or modify CA configuration values, see the section titled "Configure CA servers in HRA."
- If the CA server configuration is valid, continue to the next section titled "AD CS is not available to HRA."
Note: If your deployment is not configured to allow anonymous health certificate requests, you must still configure the anonymous template setting in HRA. In this case, you can use the same template for anonymous and authenticated requests. If anonymous requests are allowed, you should use different certificate templates for anonymous and authenticated requests.
AD CS is not available to HRA
To determine if AD CS is installed and available to HRA, check network connectivity to the CA server and confirm that AD CS is installed and running.
To check network connectivity to the CA server:
- On the computer where HRA is installed, click Start.
- Right-click Command Prompt, and then click Run as Administrator.
- In the command window, type netsh nap hra show configuration, and then press ENTER.
- Record the server name that appears under Certification Authority (CA) servers.
- In the command window, type rpcping -s servername, where servername is the DNS name of a listed CA server, and then press ENTER. For example:

      rpcping -s CA1.woodgrovebank.com

- Confirm that the response reads, "Completed 1 calls."
- Repeat this procedure for each CA server used by HRA.
If HRA has network connectivity to the CA server, check that AD CS is installed and running on the CA server.
If HRA does not have connectivity to the CA server, contact your network administrator.
To check that AD CS is installed and running on the CA server:
- On a CA server identified in the preceding procedure, click Start.
- Right-click Command Prompt, and then click Run as Administrator.
- In the command window, type net start, and then press ENTER.
- If the CA server is running Windows Server 2003, confirm that Certificate Services appears in the list under These Windows services are started.
- If the CA server is running Windows Server 2008, confirm that Active Directory Certificate Services appears in the list under These Windows services are started.
- If the AD CS service is not available, see the section titled "Install or enable AD CS."
- If the AD CS service is available, continue to the next section titled "AD CS is not configured to issue health certificates with HRA."
AD CS is not configured to issue health certificates with HRA
Before performing this procedure, confirm that at least one compliant NAP client computer has requested a health certificate from an HRA that is configured to use this CA server first in its processing order.
To determine if AD CS is configured to issue health certificates to NAP client computers using HRA:
- On the computer where AD CS is installed, click Start.
- Click Run, type certsrv.msc, and then press ENTER.
- In the console tree, click Pending Requests.
- In the details pane, confirm that no current health certificate requests appear.
- In the console tree, click Failed Requests.
- In the details pane, confirm that no current health certificate requests appear.
- In the console tree, click Issued Certificates.
- In the details pane, under Certificate Effective Date, confirm that certificates are being issued with a current date.
- If the CA is an enterprise CA server, confirm that the correct template appears in the details pane under Certificate Template.
- In the details pane, double-click an issued certificate.
- In the Certificate window, on the General tab, confirm that System Health Authentication appears under This certificate is intended for the following purpose(s).
- If the certificate is intended for domain-authenticated clients, also confirm that Proves your identity to a remote computer appears under This certificate is intended for the following purpose(s).
- If health certificates are not being issued by AD CS, see the section titled "Configure AD CS."
Resolve
To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.
Cause | Resolution
---|---
CA server(s) are not correctly configured to issue health certificates with HRA | Configure AD CS
Active Directory Certificate Services (AD CS) is not responding to HRA | Install or enable AD CS
Health Registration Authority (HRA) does not have a valid Certification Authority (CA) server configuration | Configure CA servers in HRA
Configure AD CS
This error condition indicates that HRA contacted a CA server, but that the CA server is not configured to issue NAP health certificates.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To configure CA servers to issue health certificates, HRA must be granted permission to request and issue health certificates on behalf of NAP clients. If the CA server is an enterprise CA, you must also publish a certificate template with application policy extensions for client authentication and system health authentication. The CA must also be able to issue certificates automatically, without administrator approval.
If your HRA and NAP CA are running on the same computer, Network Service must be granted permissions to issue, manage, and request certificates. If your HRA and NAP CA are running on different computers, these permissions must be granted to the computer name for your HRA server. HRA should be granted permission to manage the CA server so that it can remove expired records from the CA database.
Configure CA settings
To grant permission to HRA to issue, manage, and request certificates:
- On the computer where AD CS is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
- Right-click the common name for your CA, and then click Properties.
- Click the Security tab, and then click Add.
- If HRA is running on the CA server, under Enter the object names to select, type Network Service, and then click OK.
- If HRA is running on a server other than the CA server, click Object Types, select the Computers check box, and then click OK. Under Enter the object names to select, type the DNS name of your HRA server, and then click OK.
- Click the name of your HRA server, or click NETWORK SERVICE, and for Issue and Manage Certificates, Manage CA, and Request Certificates, select Allow.
- Click OK, and then close the Certification Authority console.
To configure CA certificate issuance requirements:
- On the computer where AD CS is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
- Right-click the common name for your CA, and then click Properties.
- Click the Policy Module tab, and then click Properties.
- Select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
- Click OK twice, and then close the Certification Authority console.
- Restart the AD CS service. To restart the AD CS service:
  - Click Start, right-click Command Prompt, and then click Run as Administrator.
  - In the command window, type net stop certsvc && net start certsvc, and then press ENTER.
  - Confirm that the AD CS service stops and starts successfully.
Configuring a NAP certificate template
If you are using an enterprise CA to issue health certificates, HRA requires that a health certificate template is available. You do not need to create a certificate template if you are using a standalone CA to issue health certificates.
To create a certificate template for use with NAP on your enterprise CA:
- On the computer where the enterprise CA is installed, click Start, click Run, type certtmpl.msc, and then press ENTER.
- If your enterprise CA is running Windows Server 2008, the system health authentication template is created for you.
- If your enterprise CA is running Windows Server 2003, perform the following steps to create a system health authentication template:
  - In the details pane, under Template Display Name, right-click Workstation Authentication, and then click Duplicate Template. This template is used because it is already configured with the client authentication application policy for domain-authenticated health certificates. You should remove the client authentication application policy only if you are configuring a template for anonymous health certificates.
  - Under Template display name, type System Health Authentication.
  - Select the Publish certificate in Active Directory check box.
  - Click the Extensions tab, and then click Application Policies.
  - Click Edit, click Add, and then click New.
  - In the New Application Policy dialog box, under Name, type System Health Authentication, and under Object identifier, type 1.3.6.1.4.1.311.47.1.1.
  - Click OK four times.
HRA must be granted permission to enroll or autoenroll a NAP health certificate. If only enroll permissions are set, then you must manually enroll HRA with a system health authentication certificate. Depending on the group membership of the user account you are using to configure HRA, you might already have the permissions required to enroll.
To grant enroll and autoenroll permissions to HRA:
- In the Certificate Templates console details pane, under Template Display Name, right-click System Health Authentication, and then click Properties.
- Click the Security tab, click Add, click Object Types, select the Computers check box, and then click OK.
- Under Enter the object names to select, type the DNS name of your HRA server, and then click OK. Alternatively, you can type the name of a group for which the HRA server is a member, or the user name or group that is logged into HRA.
- Click the name or group you added, and for Enroll and Autoenroll, select Allow, and then click OK.
- Close the Certificate Templates console.
Next, the new certificate template must be made available for enrollment requests.
To issue the system health authentication certificate template:
- On the computer where the enterprise CA is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
- In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
- In the list of templates, click System Health Authentication, and then click OK.
- In the details pane, confirm that the template appears with the other available templates.
- Close the Certification Authority console.
Install or enable AD CS
This error condition indicates that HRA was unable to contact the CA server, possibly due to a network issue. Check the names and availability of CA servers configured in HRA and confirm that Active Directory Certificate Services (AD CS) is running on each CA server.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Check network connectivity
To check network connectivity to the CA server:
- On the computer where HRA is installed, click Start.
- Right-click Command Prompt, and then click Run as Administrator.
- In the command window, type netsh nap hra show configuration, and then press ENTER.
- Record the server names that appear under Certification Authority (CA) servers.
- In the command window, type rpcping -s servername, where servername is the DNS name of a listed CA server, and then press ENTER. In the following example, the host name of the CA server is CA1 and the domain is woodgrovebank.com.

      rpcping -s CA1.woodgrovebank.com

- Confirm that the response reads, "Completed 1 calls."
- Repeat this procedure for each CA server used by HRA.
If the CA server is not available, contact your network administrator.
Check AD CS service availability
To determine if AD CS is installed and running on the CA server:
- On a CA server identified under Certification Authority (CA) servers in the preceding procedure, click Start.
- Right-click Command Prompt, and then click Run as Administrator.
- In the command window, type net start, and then press ENTER.
- If the CA server is running Windows Server 2003, confirm that Certificate Services appears in the list under These Windows services are started.
- If the CA server is running Windows Server 2008, confirm that Active Directory Certificate Services appears in the list under These Windows services are started.
- If AD CS is not running, start the service.
- If AD CS is running, check that the CA disk is not full.
Start AD CS
To start AD CS:
- On the CA server used in the preceding procedure, in the command window, type net start certsvc, and then press ENTER.
- Confirm that AD CS starts successfully.
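The connectivity and service checks in the Diagnose section and in "Install or enable AD CS" above are the same two steps repeated per CA. The following script is an added example (not from the original page) that runs them together for every CA in a list: it issues rpcping -s against each server, looks for "Completed 1 calls", and then queries the certsvc service state. It assumes Windows PowerShell 2.0 or later run as an administrator on the HRA server; the CA names in $caServers are constructed placeholders to be replaced with the names shown by netsh nap hra show configuration.

```powershell
# Added example, not part of the original page. Assumes Windows PowerShell 2.0+
# run as an administrator on the HRA server, with rpcping.exe on the path.
# Constructed CA list: replace with the names from "netsh nap hra show configuration".
$caServers = @('CA1.woodgrovebank.com', 'CA2.woodgrovebank.com')

function Test-HraCaServer {
    param([string]$CaName)

    $result = New-Object PSObject -Property @{
        CA           = $CaName
        RpcReachable = $false
        CertSvcState = 'Unknown'
    }

    # Step 1: RPC connectivity, the same check as "rpcping -s <CA>" in the procedure.
    # rpcping reports "Completed 1 calls" when the CA's RPC endpoint answers.
    $rpcOutput = & rpcping.exe -s $CaName 2>&1 | Out-String
    $result.RpcReachable = ($rpcOutput -match 'Completed 1 calls')

    # Step 2: AD CS service state, the same check as looking for
    # "Active Directory Certificate Services" in the "net start" list.
    if ($result.RpcReachable) {
        try {
            $svc = Get-Service -Name certsvc -ComputerName $CaName -ErrorAction Stop
            $result.CertSvcState = $svc.Status.ToString()
        } catch {
            # AD CS role not installed on that host, or remote service query was denied.
            $result.CertSvcState = 'NotFound'
        }
    }
    return $result
}

$report = $caServers | ForEach-Object { Test-HraCaServer -CaName $_ }
$report | Format-Table CA, RpcReachable, CertSvcState -AutoSize

# Map the findings onto the causes the page lists: no RPC response -> network
# issue; reachable but certsvc not running -> "net start certsvc" on the CA;
# reachable and running -> check CA disk space, then the CA configuration in HRA.
foreach ($r in $report) {
    if (-not $r.RpcReachable) {
        Write-Warning "$($r.CA): no RPC response; check network connectivity to the CA"
    } elseif ($r.CertSvcState -ne 'Running') {
        Write-Warning "$($r.CA): certsvc is $($r.CertSvcState); start AD CS on the CA"
    }
}
```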
Configure CA servers in HRA
This error condition indicates that HRA has a CA server configuration that is not valid. Check the names of CA servers configured in HRA, and make sure that HRA is configured with the correct CA server properties and certificate settings.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Add or remove a CA
To add a CA to HRA:
- On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
- In the console tree, right-click Certification Authority, and then click Add Certification Authority. The Add Certification Authority dialog box opens.
- Click Browse. The Select Certification Authority dialog box opens.
- Under CA, click the name of the CA that will be used to issue NAP health certificates, and then click OK twice.
To remove a CA from HRA:
- On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
- In the console tree, click Certification Authority.
- In the details pane, under Certification Authority Name, right-click the name of the CA you want to remove, and then click Delete.
Configure CA settings in HRA
To configure certification authority wait time, certificate validity period, operational mode, policyOID settings, and template settings:
- On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
- In the console tree, right-click Certification Authority, and then click Properties.
- To configure the number of minutes to wait between requests before identifying a CA as unavailable, enter a value next to Number of minutes between requests when a server is identified as unavailable.
- To configure the certificate validity period, choose a unit of time from the drop-down list, enter the number of units, and then click OK.
- If you are using an enterprise CA, perform the following steps to override the validity period that is configured in your certificate templates:
  - On the computer where an enterprise CA is installed, click Start, right-click Command Prompt, and then click Run as administrator.
  - In the command window, type Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.
  - Confirm that the command completed successfully.
  - In the command window, type net stop certsvc && net start certsvc, and then press ENTER.
  - Confirm that Active Directory Certificate Services (AD CS) stops and starts successfully.
- If you are using a standalone CA, choose Use standalone certification authority.
- Do not select the check box next to Enable PolicyOIDs unless you are using client extended state information for Network Access Control.
- If you are using an Active Directory-integrated enterprise CA, or if you have configured HRA to use both enterprise and standalone CAs, choose Use enterprise certification authority, and then use the drop-down list to select Authenticated compliant certificate template and Anonymous compliant certificate template. These templates must be configured and published on your enterprise CA before you configure HRA to use an enterprise CA.
Verify
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To verify that the CA servers are responding, and that AD CS and HRA are configured to issue health certificates:
- On the computer where AD CS is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
- In the console tree, click Issued Certificates.
- In the details pane, under Certificate Effective Date, confirm that health certificates are being issued with a current date.
- In the console tree, click Failed Requests.
- In the details pane, under Request Submission Date, confirm that there are no failed health certificate requests displayed with a current date.
- In the console tree, click Pending Requests.
- In the details pane, under Request Submission Date, confirm that there are no pending health certificate requests displayed with a current date.
To verify that HRA is successfully removing expired records from the CA database:
- On the computer where AD CS is installed, click Start, and then click Command Prompt.
- In the command window, type reg query hklm\software\microsoft\hcs, and then press ENTER.
- In the command output, record the value of CertDBCleanupInterval. This is the time interval, in seconds, used by HRA to remove expired records from the CA database. The value is expressed in hexadecimal notation, and by default is set to 0x12c, which corresponds to 300 seconds.
- Click Start, click Run, type certsrv.msc, and then press ENTER.
- In the Certification Authority console tree, click Issued Certificates.
- In the details pane, under Certificate Expiration Date, verify that no certificates have been expired for longer than the value of CertDBCleanupInterval.
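The cleanup check above compares each expired certificate's expiration date against CertDBCleanupInterval by eye. The script below is an added example (not from the original page) that does the same comparison programmatically: it reads the interval from HKLM\SOFTWARE\Microsoft\HCS and lists issued records whose expiration date is older than now minus that interval, which should be empty when HRA is cleaning the database. It assumes Windows PowerShell run as an administrator on a server where HRA and AD CS are both installed (so the registry key and certutil -view are local); the certutil column names, the "now" keyword in -restrict, the csv output format, and locale date parsing are assumptions about certutil, not taken from the page.

```powershell
# Added example, not part of the original page. Assumes Windows PowerShell run as an
# administrator on a server hosting both HRA and AD CS. The certutil -view column
# names (RequestID, NotAfter), the "now" keyword and the csv output format are
# assumptions about certutil's -restrict/-out options, not taken from the page.

function Get-HraCleanupIntervalSeconds {
    # REG_DWORD comes back as an integer, so the 0x12c shown by "reg query" is
    # already 300 here. Fall back to the documented default of 300 if absent.
    $hcs = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\HCS' -ErrorAction SilentlyContinue
    if ($hcs -and $hcs.CertDBCleanupInterval) { return [int]$hcs.CertDBCleanupInterval }
    return 300
}

function Get-StaleIssuedCertificates {
    param([int]$IntervalSeconds)
    $now    = Get-Date
    $cutoff = $now.AddSeconds(-$IntervalSeconds)

    # Disposition 20 = issued; NotAfter<now = already expired. Columns come back
    # in the order requested: RequestID first, NotAfter second.
    $csv  = & certutil.exe -view -restrict 'Disposition=20,NotAfter<now' -out 'RequestID,NotAfter' csv 2>$null
    $rows = $csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $values  = @($row.PSObject.Properties | ForEach-Object { $_.Value })
        $expired = [datetime]::MinValue
        # Skip trailer/status lines that are not a data row (date parse uses the current locale).
        if ($values.Count -lt 2 -or -not [datetime]::TryParse($values[1], [ref]$expired)) { continue }
        if ($expired -lt $cutoff) {
            New-Object PSObject -Property @{
                RequestID      = $values[0]
                NotAfter       = $expired
                OverdueSeconds = [int](($now - $expired).TotalSeconds) - $IntervalSeconds
            }
        }
    }
}

$interval = Get-HraCleanupIntervalSeconds
"CertDBCleanupInterval = $interval seconds"
$stale = @(Get-StaleIssuedCertificates -IntervalSeconds $interval)
if ($stale.Count -eq 0) {
    "OK: no issued certificate has been expired for longer than $interval seconds."
} else {
    Write-Warning "HRA cleanup appears stalled: $($stale.Count) expired record(s) still in the CA database"
    $stale | Format-Table RequestID, NotAfter, OverdueSeconds -AutoSize
}
```

A non-empty result points back to the Configure AD CS section: HRA needs the Manage CA permission on the CA to remove expired records.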