Client Computer Failed to Acquire a Certificate
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
This problem occurs in a deployment of Network Access Protection (NAP) with Internet Protocol security (IPsec) enforcement and can be caused by a variety of issues, including:
- There is a configuration problem on Network Policy Server (NPS).
- There is a configuration problem on Health Registration Authority (HRA).
- There is a configuration problem on the NAP certification authority (CA).
- There is a configuration problem on the NAP client computer.
Description of system behavior
The network access of IPsec-enabled NAP client computers that are unable to acquire a health certificate will be restricted if NAP IPsec policies are enforced.
Associated operating system events
- NAP client event ID 21: The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The request failed with the error code (%3). This server will not be tried again for %4 minutes. See the HRA administrator for more information.
Root cause diagnosis and resolution
Due to the number of problems that can cause this issue, isolation can be difficult. To troubleshoot this problem, use the events that you observe on the HRA server and the HRA events table provided in the Tools for Troubleshooting NAP topic. In addition, you can use the error code that is provided with event ID 21 to help determine the root cause. For example, an error code of 500 indicates that there is a server-side configuration problem; an error code of 2147954575 indicates a Secure Sockets Layer (SSL) problem. These codes are derived from WinHttp status codes and error codes.
The following table lists the error codes and their associated status or error value.
| Error code | Status or Value |
| --- | --- |
| 100 | HTTP_STATUS_CONTINUE |
| 101 | HTTP_STATUS_SWITCH_PROTOCOLS |
| 200 | HTTP_STATUS_OK |
| 201 | HTTP_STATUS_CREATED |
| 202 | HTTP_STATUS_ACCEPTED |
| 203 | HTTP_STATUS_PARTIAL |
| 204 | HTTP_STATUS_NO_CONTENT |
| 205 | HTTP_STATUS_RESET_CONTENT |
| 206 | HTTP_STATUS_PARTIAL_CONTENT |
| 207 | HTTP_STATUS_WEBDAV_MULTI_STATUS |
| 300 | HTTP_STATUS_AMBIGUOUS |
| 301 | HTTP_STATUS_MOVED |
| 302 | HTTP_STATUS_REDIRECT |
| 303 | HTTP_STATUS_REDIRECT_METHOD |
| 304 | HTTP_STATUS_NOT_MODIFIED |
| 305 | HTTP_STATUS_USE_PROXY |
| 307 | HTTP_STATUS_REDIRECT_KEEP_VERB |
| 400 | HTTP_STATUS_BAD_REQUEST |
| 401 | HTTP_STATUS_DENIED |
| 402 | HTTP_STATUS_PAYMENT_REQ |
| 403 | HTTP_STATUS_FORBIDDEN |
| 404 | HTTP_STATUS_NOT_FOUND |
| 405 | HTTP_STATUS_BAD_METHOD |
| 406 | HTTP_STATUS_NONE_ACCEPTABLE |
| 407 | HTTP_STATUS_PROXY_AUTH_REQ |
| 408 | HTTP_STATUS_REQUEST_TIMEOUT |
| 409 | HTTP_STATUS_CONFLICT |
| 410 | HTTP_STATUS_GONE |
| 411 | HTTP_STATUS_LENGTH_REQUIRED |
| 412 | HTTP_STATUS_PRECOND_FAILED |
| 413 | HTTP_STATUS_REQUEST_TOO_LARGE |
| 414 | HTTP_STATUS_URI_TOO_LONG |
| 415 | HTTP_STATUS_UNSUPPORTED_MEDIA |
| 449 | HTTP_STATUS_RETRY_WITH |
| 500 | HTTP_STATUS_SERVER_ERROR |
| 501 | HTTP_STATUS_NOT_SUPPORTED |
| 502 | HTTP_STATUS_BAD_GATEWAY |
| 503 | HTTP_STATUS_SERVICE_UNAVAIL |
| 504 | HTTP_STATUS_GATEWAY_TIMEOUT |
| 505 | HTTP_STATUS_VERSION_NOT_SUP |
| 2147954401 | ERROR_WINHTTP_OUT_OF_HANDLES |
| 2147954402 | ERROR_WINHTTP_TIMEOUT |
| 2147954404 | ERROR_WINHTTP_INTERNAL_ERROR |
| 2147954405 | ERROR_WINHTTP_INVALID_URL |
| 2147954406 | ERROR_WINHTTP_UNRECOGNIZED_SCHEME |
| 2147954407 | ERROR_WINHTTP_NAME_NOT_RESOLVED |
| 2147954409 | ERROR_WINHTTP_INVALID_OPTION |
| 2147954411 | ERROR_WINHTTP_OPTION_NOT_SETTABLE |
| 2147954412 | ERROR_WINHTTP_SHUTDOWN |
| 2147954415 | ERROR_WINHTTP_LOGIN_FAILURE |
| 2147954417 | ERROR_WINHTTP_OPERATION_CANCELLED |
| 2147954418 | ERROR_WINHTTP_INCORRECT_HANDLE_TYPE |
| 2147954419 | ERROR_WINHTTP_INCORRECT_HANDLE_STATE |
| 2147954429 | ERROR_WINHTTP_CANNOT_CONNECT |
| 2147954430 | ERROR_WINHTTP_CONNECTION_ERROR |
| 2147954432 | ERROR_WINHTTP_RESEND_REQUEST |
| 2147954437 | ERROR_WINHTTP_SECURE_CERT_DATE_INVALID |
| 2147954438 | ERROR_WINHTTP_SECURE_CERT_CN_INVALID |
| 2147954444 | ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED |
| 2147954445 | ERROR_WINHTTP_SECURE_INVALID_CA |
| 2147954457 | ERROR_WINHTTP_SECURE_CERT_REV_FAILED |
| 2147954500 | ERROR_WINHTTP_CANNOT_CALL_BEFORE_OPEN |
| 2147954501 | ERROR_WINHTTP_CANNOT_CALL_BEFORE_SEND |
| 2147954502 | ERROR_WINHTTP_CANNOT_CALL_AFTER_SEND |
| 2147954503 | ERROR_WINHTTP_CANNOT_CALL_AFTER_OPEN |
| 2147954550 | ERROR_WINHTTP_HEADER_NOT_FOUND |
| 2147954552 | ERROR_WINHTTP_INVALID_SERVER_RESPONSE |
| 2147954553 | ERROR_WINHTTP_INVALID_HEADER |
| 2147954554 | ERROR_WINHTTP_INVALID_QUERY_REQUEST |
| 2147954555 | ERROR_WINHTTP_HEADER_ALREADY_EXISTS |
| 2147954556 | ERROR_WINHTTP_REDIRECT_FAILED |
| 2147954557 | ERROR_WINHTTP_SECURE_CHANNEL_ERROR |
| 2147954566 | ERROR_WINHTTP_BAD_AUTO_PROXY_SCRIPT |
| 2147954567 | ERROR_WINHTTP_UNABLE_TO_DOWNLOAD_SCRIPT |
| 2147954569 | ERROR_WINHTTP_SECURE_INVALID_CERT |
| 2147954570 | ERROR_WINHTTP_SECURE_CERT_REVOKED |
| 2147954572 | ERROR_WINHTTP_NOT_INITIALIZED |
| 2147954575 | ERROR_WINHTTP_SECURE_FAILURE |
| 2147954578 | ERROR_WINHTTP_AUTO_PROXY_SERVICE_ERROR |
| 2147954579 | ERROR_WINHTTP_SECURE_CERT_WRONG_USAGE |
| 2147954580 | ERROR_WINHTTP_AUTODETECTION_FAILED |
| 2147954581 | ERROR_WINHTTP_HEADER_COUNT_EXCEEDED |
| 2147954582 | ERROR_WINHTTP_HEADER_SIZE_OVERFLOW |
| 2147954583 | ERROR_WINHTTP_CHUNKED_ENCODING_HEADER_SIZE_OVERFLOW |
| 2147954584 | ERROR_WINHTTP_RESPONSE_DRAIN_OVERFLOW |
| 2147954585 | ERROR_WINHTTP_CLIENT_CERT_NO_PRIVATE_KEY |
| 2147954586 | ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY |
| 2147954586 | WINHTTP_ERROR_LAST |
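
As an added example (not part of the original Microsoft topic), the PowerShell function below decodes the error code reported in event ID 21: values from 100 to 599 are HTTP status codes, and the larger values in the table are WinHTTP errors (12001 to 12186) wrapped as an HRESULT with the 0x80070000 prefix. The function name, the "Area" hints and the sample message fragments are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Decodes the %3 error code of NAP client event ID 21.
$Win32HresultBase = 2147942400   # 0x80070000, the HRESULT_FROM_WIN32 prefix
$WinHttpNames = @{               # subset of the table above (Win32 value = code - base)
    12002 = 'ERROR_WINHTTP_TIMEOUT'
    12007 = 'ERROR_WINHTTP_NAME_NOT_RESOLVED'
    12029 = 'ERROR_WINHTTP_CANNOT_CONNECT'
    12037 = 'ERROR_WINHTTP_SECURE_CERT_DATE_INVALID'
    12038 = 'ERROR_WINHTTP_SECURE_CERT_CN_INVALID'
    12045 = 'ERROR_WINHTTP_SECURE_INVALID_CA'
    12057 = 'ERROR_WINHTTP_SECURE_CERT_REV_FAILED'
    12157 = 'ERROR_WINHTTP_SECURE_CHANNEL_ERROR'
    12169 = 'ERROR_WINHTTP_SECURE_INVALID_CERT'
    12170 = 'ERROR_WINHTTP_SECURE_CERT_REVOKED'
    12175 = 'ERROR_WINHTTP_SECURE_FAILURE'
    12179 = 'ERROR_WINHTTP_SECURE_CERT_WRONG_USAGE'
}

function Convert-NapHraErrorCode {
    param([Parameter(Mandatory = $true)][long]$ErrorCode)
    $r = @{ ErrorCode = $ErrorCode; Kind = 'Unknown'; Value = $null; Name = $null
            Area = 'Code is outside the ranges in the table' }
    if ($ErrorCode -ge 100 -and $ErrorCode -le 599) {
        $r.Kind = 'HTTP status'; $r.Value = [int]$ErrorCode
        if ($ErrorCode -ge 500) { $r.Area = 'Server-side configuration' }
        elseif ($ErrorCode -ge 400) { $r.Area = 'Request refused by the server' }
        else { $r.Area = 'Informational, success or redirect status' }
    }
    elseif ($ErrorCode -ge ($Win32HresultBase + 12001) -and
            $ErrorCode -le ($Win32HresultBase + 12186)) {
        $win32 = [int]($ErrorCode - $Win32HresultBase)   # [int] so the hashtable key type matches
        $r.Kind = 'WinHTTP error'; $r.Value = $win32
        if ($WinHttpNames.ContainsKey($win32)) { $r.Name = $WinHttpNames[$win32] }
        else { $r.Name = '(look up in the table)' }
        if ($r.Name -like '*_SECURE_*') { $r.Area = 'SSL/TLS or certificate validation' }
        else { $r.Area = 'Connectivity or WinHTTP request handling' }
    }
    New-Object PSObject -Property $r
}

# Constructed fragments that follow the event ID 21 message template.
$samples = @(
    'The request failed with the error code (500).',
    'The request failed with the error code (2147954575).',
    'The request failed with the error code (2147954407).'
)
foreach ($m in $samples) {
    if ($m -match 'error code \((\d+)\)') {
        Convert-NapHraErrorCode -ErrorCode ([long]$Matches[1]) | Select-Object ErrorCode, Kind, Value, Name, Area
    }
}
```

The decoded Win32 value (for example 12175 for 2147954575) is the number used in the WinHTTP documentation, which makes the code easier to search for than the decimal HRESULT shown in the event.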