Event Information | According to Microsoft : Cause : This event is logged when the Health Registration Authority was unable to validate the request with the Correlation ID at IP address. Resolution : Reinstall the HRA role service HRA forwards client connection requests to NPS for validation. This error condition indicates that there is a problem with the way that HRA is communicating with NPS, and that the HRA service might need to be reinstalled. To perform this procedure,must be a member of the Administrators group or must have been delegated the appropriate authority. Remove HRA To remove the HRA role service:- On the computer where HRA is installed, click Server Manager.
- Under Roles Summary, click Network Policy and Access Services.
- Under Role Services, click Remove Role Services.
- On the Select Roles Services page, clear the Health Registration Authority check box, and then click Next.
- On the Confirm Removal Selections page, confirm that Health Registration Authority appears, and then click Remove.
- On the Removal Results page, confirm that Health Registration Authority was removed successfullly, and then click Close.
- Leave Server Manager open for the following procedure.
Install HRA To install the HRA role service:- In Server Manager, under Role Services, click Add Role Services.
- On the Select Roles Services page, select the Health Registration Authority check box.
- If an Add Role Services window appears prompting you to add additional role services, click Add Required Role Services.
- On the Select Role Services page, click Next.
- On the Choose a Certification Authority to use with the Health Registration Authority page, select the choice that is appropriate for your deployment.
a.If HRA will use a CA installed on the local computer, select Use the local Certification Authority for this HRA, and then click Next.If ADCS is not already installed, it will be automatically added to the list of services to be installed with this wizard. b.If HRA will use a CA installed on another computer, select Use an existing remote Certification Authority, click Select, click the name of the CA to be associated with this HRA, click OK, and then click Next. c.If you will configure a CA for use with HRA later, choose Select a Certification Authority later using the HRA snap-in, and then click Next. - On the Choose Authentication Requirements for the Health Registration Authority page, select an authentication method for your deployment.
a.If your deployment does not require that health certificates are issued to non-domain joined clients, choose Yes, require requestors to be authenticated as members of a domain, and then click Next. b.If non-domain joined clients will be issued health certificates, choose No, allow anonymous requests for health certificates, and then click Next. - On the Choose a Server Authentication Certificate for SSL Encryption page,if HRA will communicate with NAP clients using SSL must choose a method for provisioning a SSL certificate.
a.If using an existing certificate or import one from a file,select Choose an existing certificate for SSL encryption. b.To import a certificate from a file and add it to the list of certificates, click Import, click Next, click Browse, navigate to the file with your stored certificate, click Open, click Next twice, and then click Finish. The new certificate will be displayed in the list of available certificates. c.Click the certificate, and then click Next. - If you will use a self-signed certificate, select Create a self-signed certificate for SSL encryption, and then click Next.
- If you will configure a certificate for SSL encryption later, choose Choose a certificate for SSL encryption later, and then click Next.
- On the Choose a Server Authentication Certificate for SSL Encryption page, if communications between HRA and NAP clients will not be encyrpted with SSL, choose Choose a certificate for SSL encryption later, and then click Next.
- If you chose to use the local CA during the configuration of HRA options, and the CA was not already installed, you must now configure AD CS.
a.On the Active Directory Certificate Services page, click Next. b.On the Select Role Services page, click Next. c.On the Specify Setup Type page, choose a type of CA for your deployment. i.If the local computer is running the Windows Server 2008 Enterprise operating system, and will configure templates for the issuance of exemption certificates or health certificates on this server, choose Enterprise, and then click Next. ii.If the local CA will not issue certificates based on custom templates or is not running Windows Server 2008 Enterprise, choose Standalone, and then click Next.Standalone is the recommended CA type for issuing health certificates to either anonymous or domain-authenticated NAP clients. - On the Specify CA Type page, choose Subordinate CA, and then click Next.
- On the Set up Private Key page, click Next.If reinstalling a CA on this computer,can choose Use existing private key.
- On the Configure Cryptography for CA page, click Next.
- On the Configure CA Name page, customize the CA common name and distinguished name suffix if desired, and then click Next.
- On the Request Certificate from a Parent CA page, choose Send a certificate request to a parent CA, click Browse, click the name of the parent for this subordinate CA, click OK, and then click Next.
- On the Configure Certificate Database page, click Next.
- On the Confirm Installation Selections page, click Install.
- On the Installation Results page, confirm that HRA and other dependent role services were installed successfully, and then click Close.
Verify
To perform this procedure,must be a member of the Administrators group or must have been delegated the appropriate authority. HRA uses IIS for validation of domain credentials.- On the computer where HRA is installed, click Start.
- Right-click Command Prompt, and then click Run as Administrator.
- In the command window, type nltest /server:servername /dsgetdc:domainname, where servername is the DNS name of the domain controller you have designated as a global catalog server, and domainname is the domain to which the server belongs, and then press ENTER.
- Confirm that the command completed successfully.
- In the Flags line of output, confirm that GC appears.
To verify the client domain configuration is correct:- On a NAP client computer, click Start, click Control Panel, click System and Maintenance, and then click System.
- Under Computer name, domain, and workgroup settings, verify that the Computer name, Full computer name, and Domain for your deployment are correct.
Also verify the IIS worker process (w3wp.exe) started successfully. |