Test Lab Guide: Troubleshoot DirectAccess with Network Access Protection (NAP)

Microsoft Corporation

Published: May 2010

Updated: July 2010

Abstract

DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that enables remote users to securely access intranet shared folders, Web sites, and applications without connecting to a virtual private network (VPN). Network Access Protection (NAP), built into Windows Server 2008 R2 and Windows 7, monitors and assesses the health of client computers when they attempt to connect or communicate on a network. NAP with DirectAccess allows you to specify that only DirectAccess clients that meet system health requirements can reach intranet resources.

This white paper is a companion to the Test Lab Guide: Demonstrate DirectAccess with NAP and describes NAP troubleshooting tools, the results of the tools in the working DirectAccess with NAP test lab, and three NAP health validation troubleshooting scenarios.

Copyright Information

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Date of last update: July 27, 2010

Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Introduction
    In this guide
NAP Troubleshooting Tools
NAP Troubleshooting Tools in the Test Lab
    NAP status tool
    netsh nap client show state
    netsh nap client show grouppolicy
    Resultant Set of Policy snap-in
    Event Viewer snap-in
    Certificates snap-in
Troubleshooting DirectAccess with NAP Problems
    Cannot access intranet resources (root cause 1)
        Break the configuration procedure
        Step-by-step troubleshooting
        Correct the configuration procedure
    Cannot access intranet resources (root cause 2)
        Break the configuration procedure
        Step-by-step troubleshooting
        Correct the configuration procedure
    NAP client is not automatically remediating system health
        Break the configuration procedure
        Step-by-step troubleshooting
        Correct the configuration procedure
Additional Resources

Introduction

DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office.

Network Access Protection (NAP), built into Windows Server 2008 R2 and Windows 7, enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with system health requirements can be provided with restricted network access until their configuration is updated and brought into compliance.

The combination of DirectAccess with NAP allows you to verify that DirectAccess client computers meet your system health requirements before allowing access to the intranet.

To learn more about DirectAccess, see the following resources:

DirectAccess Learning Roadmap

DirectAccess Getting Started Web site

To learn more about NAP, see the Network Access Protection Product Information Web site.

In this guide

The DirectAccess with NAP test lab, as described in the Test Lab Guide: Demonstrate DirectAccess with NAP, contains four server computers running Windows Server 2008 R2 Enterprise Edition and two client computers running Windows 7 Ultimate Edition. The lab simulates an intranet, the Internet, and a home network and demonstrates DirectAccess with NAP functionality.

The DirectAccess with NAP test lab consists of:

One computer running Windows Server 2008 R2 Enterprise Edition named DC1 that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, enterprise root certification authority (CA), Network Policy Server (NPS), and Health Registration Authority (HRA).

One intranet member server running Windows Server 2008 R2 Enterprise Edition named EDGE1 that is configured as the DirectAccess server with NAP full enforcement for access to the intranet.

One intranet member server running Windows Server 2008 R2 Enterprise Edition named APP1 that is configured as a general application server, network location server, and NAP CA.

One standalone server running Windows Server 2008 R2 Enterprise Edition named INET1 that is configured as an Internet DNS and Web server.

One standalone client computer running Windows 7 Ultimate Edition named NAT1 that is configured as a network address translator (NAT) device using Internet Connection Sharing.

One roaming member client computer running Windows 7 Enterprise Edition named CLIENT1 that is configured as a DirectAccess client.

The DirectAccess with NAP test lab consists of three subnets that simulate the following:

A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.

The Internet (131.107.0.0/24).

An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the DirectAccess server.

Computers on each subnet connect using a hub or switch. See the following figure.

In the DirectAccess with NAP test lab, you configure APP1 as a NAP CA and DC1 as the HRA and NAP health policy server. Then, you configure NAP client settings in Group Policy, update CLIENT1, and demonstrate reporting mode and full enforcement mode NAP functionality when CLIENT1 is connected to the Internet subnet.

This guide uses the working DirectAccess with NAP test lab in full enforcement mode as a basis for describing NAP troubleshooting tools and their results when the DirectAccess client is connected to the Internet subnet. This guide then takes you through three troubleshooting scenarios using the troubleshooting tools to discover the root cause of the problem.

Important: This guide does not describe how to troubleshoot a non-functioning DirectAccess with NAP test lab. For general troubleshooting information, see the DirectAccess Troubleshooting Guide and the Network Access Protection Troubleshooting Guide.

NAP Troubleshooting Tools

Windows 7 and Windows Server 2008 R2 provide many tools for gathering information for NAP problem determination and resolution. The following table lists the tools and describes their use and purpose for NAP. For additional information, see Tools for Troubleshooting NAP.

Tool: Windows Action Center

Lists the current security and maintenance issues with the computer. From the Windows Action Center, you can display the Network Access Protection dialog box to determine the restricted state of the computer.

To access the Windows Action Center, right-click the Windows Action Center icon in the notification area, and then click Open Action Center.

Tool: NAP Status tool

An alternative to Windows Action Center to determine the restricted state of the computer.

To display the current status of the computer in the Network Access Protection dialog box, click Start, type napstat, and then press ENTER.

Tool: netsh nap client show state command

This command displays the current status of a NAP client computer, including the restricted state, the status of enforcement clients, and the installed system health agents (SHAs).

Use this command to determine the restricted state of the computer at the command line.

Tool: netsh nap client show grouppolicy command

This command shows the Group Policy-based configuration settings on a NAP client computer, including cryptographic, client tracing, enforcement client, and trusted server group (HRAs) settings.

Use this command to ensure that the DirectAccess client has been properly configured via Group Policy and to determine the uniform resource locators (URLs) to the HRAs.

Note: The netsh nap client show configuration command displays the local configuration of the NAP client. However, if any NAP client settings are obtained through Group Policy, the local settings are ignored.

Tool: NAP tracing

Records tracing information for components of the NAP client. You can enable this with the netsh nap client set tracing enable level=basic|advanced|verbose command from an administrator-level command prompt. Tracing log files are stored in the %SystemRoot%\Tracing folder.

Use this information to obtain detailed, component-level information for the NAP client.

Tool: Resultant Set of Policy snap-in

Displays the set of Group Policy objects (GPOs) that are applied to a computer or user.

Use this snap-in to determine whether DirectAccess and NAP GPOs have been applied to DirectAccess clients.

Tool: Event Viewer snap-in

On NAP clients, displays events for the NAP Client service in Applications and Service Logs\Microsoft\Windows\Network Access Protection\Operational.

On the NAP health policy server, displays events with the task category of Network Policy Server in Windows Logs\Security.

On the HRA, displays events with the source of HRA in Windows Logs\System.

Use these events to gather information about the health validation process. You can use the correlation ID in the health validation event on the NAP client to locate the corresponding events on the HRA and NAP health policy server (known as the Session Identifier) for a specific health validation attempt.

Tool: Certificates snap-in

Displays the installed certificates and their properties.

Use this snap-in to verify that a health certificate issued by the NAP CA is installed in the local computer store with the correct field values. For more information, see Certificates.

NAP Troubleshooting Tools in the Test Lab

This section describes the display of key NAP troubleshooting tools when CLIENT1 is connected to the Internet subnet and is compliant with system health requirements.

NAP status tool

The following is an example of the display of the NAP Status tool (Napstat.exe) on CLIENT1:

netsh nap client show state

The following is the display of the netsh nap client show state command on CLIENT1:

Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
GroupPolicy = Configured

Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79619
Name = IPsec Relying Party
Description = Provides IPsec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes

Id = 79621
Name = RD Gateway Quarantine Enforcement Client
Description = Provides RD Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent monitors security settings on your computer.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
Compliance results = (0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
Remediation results =

Ok.

Notice that the Restriction state field in the Client state section displays Not restricted (corresponding to full network access in the Napstat.exe tool) and the enforcement client named IPsec Relying Party is initialized.

netsh nap client show grouppolicy

The following is the display of the netsh nap client show grouppolicy command on CLIENT1:

NAP client configuration (group policy):
----------------------------------------------------

NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled

Name = IPsec Relying Party
ID = 79619
Admin = Enabled

Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled

Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Trusted server group configuration:
----------------------------------------------------
Group = Trusted HRA Servers
Require Https = Enabled
URL = https://dc1.corp.contoso.com/domainhra/hcsrvext.dll
Processing order = 1

Ok.

Notice the enabled state of the IPsec Relying Party enforcement client and the URL to the HRA (DC1).
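The two netsh displays above are what you read by eye on CLIENT1. The following PowerShell script is an added example (not part of the Microsoft guide) that parses both outputs into objects and reports the fields the preceding two sections tell you to check: the Restriction state, whether the IPsec Relying Party enforcement client is initialized and enabled by Group Policy, and the HRA URL. It runs against a constructed sample abridged from the output shown above, or against the live NAP Agent when started with -Live; it uses only Windows PowerShell 2.0 features so it works on Windows 7 and Windows Server 2008 R2.

```powershell
# Added example; not part of the Microsoft Test Lab Guide. Parses the output of
# "netsh nap client show state" and "netsh nap client show grouppolicy" into
# records and flags the fields the guide says to check on CLIENT1.

function ConvertFrom-NetshNapOutput {
    # Turns the "Key = Value" lines netsh prints into PSObjects. A new record
    # starts at every section header ("Client state:", "Enforcement clients:")
    # and whenever a key repeats, because netsh prints one Id/Name/... group
    # per enforcement client or system health agent.
    param([string[]]$Lines)
    $records = @(); $current = @{}; $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=]*\S):\s*$') {                  # section header
            if ($current.Count -gt 1) { $records += New-Object PSObject -Property $current }
            $section = $matches[1]; $current = @{ Section = $section }
            continue
        }
        if ($line -notmatch '^\s*([^=]+?)\s*=\s*(.*)$') { continue } # dashes, "Ok.", blanks
        $key = $matches[1]; $value = $matches[2].Trim()
        if ($current.ContainsKey($key)) {                          # key repeats: next record
            $records += New-Object PSObject -Property $current
            $current = @{ Section = $section }
        }
        $current[$key] = $value
    }
    if ($current.Count -gt 1) { $records += New-Object PSObject -Property $current }
    return ,$records
}

function Test-NapClientState {
    # Summarises what the guide tells you to look for: Not restricted, the
    # IPsec Relying Party enforcement client initialized and enabled by Group
    # Policy, and the HRA URL the client will use for health validation.
    param([string[]]$StateLines, [string[]]$GroupPolicyLines)
    $state  = ConvertFrom-NetshNapOutput $StateLines
    $policy = ConvertFrom-NetshNapOutput $GroupPolicyLines
    $client = $state  | Where-Object { $_.Section -eq 'Client state' }
    $ecLive = $state  | Where-Object { $_.Name -eq 'IPsec Relying Party' }
    $ecGpo  = $policy | Where-Object { $_.Name -eq 'IPsec Relying Party' }
    $hra    = $policy | Where-Object { $_.Section -eq 'Trusted server group configuration' }
    New-Object PSObject -Property @{
        RestrictionState    = $client.'Restriction state'
        NapEnabled          = ($client.Status -eq 'Enabled')
        IpsecEcInitialized  = ($ecLive.Initialized -eq 'Yes')
        IpsecEcEnabledByGpo = ($ecGpo.Admin -eq 'Enabled')
        HraUrl              = $hra.URL
        HraRequiresHttps    = ($hra.'Require Https' -eq 'Enabled')
    }
}

# Constructed sample, abridged from the healthy CLIENT1 output in the guide.
$sampleState = @'
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Status = Enabled
Restriction state = Not restricted
GroupPolicy = Configured
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Initialized = No
Id = 79619
Name = IPsec Relying Party
Initialized = Yes
'@ -split "`r?`n"

$sampleGpo = @'
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = IPsec Relying Party
ID = 79619
Admin = Enabled
Trusted server group configuration:
----------------------------------------------------
Group = Trusted HRA Servers
Require Https = Enabled
URL = https://dc1.corp.contoso.com/domainhra/hcsrvext.dll
Processing order = 1
'@ -split "`r?`n"

$fields = 'RestrictionState', 'NapEnabled', 'IpsecEcInitialized', 'IpsecEcEnabledByGpo', 'HraUrl', 'HraRequiresHttps'
if ($args -contains '-Live') {
    Test-NapClientState -StateLines (netsh nap client show state) -GroupPolicyLines (netsh nap client show grouppolicy) | Format-List $fields
} else {
    Test-NapClientState -StateLines $sampleState -GroupPolicyLines $sampleGpo | Format-List $fields
}
```

On the compliant lab client the summary shows RestrictionState "Not restricted", IpsecEcInitialized and IpsecEcEnabledByGpo both True, and HraUrl https://dc1.corp.contoso.com/domainhra/hcsrvext.dll. A HraUrl value with any other FQDN, or IpsecEcEnabledByGpo False, points at the DirectAccess client GPO rather than at the client itself.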

Resultant Set of Policy snap-in

The following is an example of the display of the properties of the Computer Configuration object on CLIENT1:

Notice that the last Group Policy object (GPO) applied is DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}. This corresponds to the GPO for DirectAccess clients, which contains both DirectAccess and NAP client settings.

Event Viewer snap-in

The following is an example of a NAP client health evaluation event in the Applications and Service Logs\Microsoft\Windows\Network Access Protection\Operational log on CLIENT1:

Notice the correlation ID that begins with E87A1F8B.

The following is an example of an HRA health evaluation event in the Windows Logs\System log on DC1:

Notice that this event is for the same health evaluation attempt because it has the correlation ID that begins with E87A1F8B.

The following is an example of an NPS health evaluation event in the Windows Logs\System log on DC1:

Notice that this event is also for the same health evaluation attempt because it has the same correlation ID (named Session Identifier in the Quarantine Information section) that begins with E87A1F8B.

When investigating a health evaluation attempt, you can use the correlation ID to locate all of the associated events.

Certificates snap-in

The following is the Personal\Certificates node of the Certificates (Local Computer) snap-in on CLIENT1:

Notice the second certificate issued from corp-APP1-SubCA, the NAP CA running on APP1. This is the health certificate.

The following figure is an example of the Details tab for the properties of this certificate, showing the Enhanced Key Usage field:

Notice the System Health Authentication object identifier (OID).
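The Event Viewer and Certificates sections above are both manual checks on CLIENT1. The following PowerShell script is an added example (not part of the Microsoft guide) that performs them from a prompt: it looks in the local computer Personal store for a certificate issued by the NAP CA whose Enhanced Key Usage contains System Health Authentication, and it collects the client, HRA, and NPS events for one health evaluation attempt by correlation ID, as the Event Viewer section describes. Assumptions of ours: the HRA and NPS are dc1.corp.contoso.com and the NAP CA is corp-APP1-SubCA (from the lab description); the account running the script can read the System and Security logs on DC1 remotely; and the channel behind Network Access Protection\Operational in the snap-in is named Microsoft-Windows-NetworkAccessProtection/Operational.

```powershell
# Added example; not part of the Microsoft Test Lab Guide. Run on the NAP
# client (CLIENT1) from an elevated Windows PowerShell prompt.

function Get-NapHealthCertificate {
    # Returns certificates in the local computer Personal store that carry the
    # System Health Authentication EKU, were issued by the NAP CA and are
    # still valid. An empty result means health validation did not complete.
    param([string]$IssuerCN = 'corp-APP1-SubCA')   # assumption: the lab's NAP CA
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $hasEku = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.FriendlyName -eq 'System Health Authentication') { $hasEku = $true }
                }
            }
        }
        $hasEku -and $cert.Issuer -like "CN=$IssuerCN*" -and $cert.NotAfter -gt (Get-Date)
    }
}

function Get-NapEvaluationEvents {
    # Pulls every event that mentions the correlation ID (shown as Session
    # Identifier in the NPS event) from the three logs the guide lists.
    param(
        [Parameter(Mandatory = $true)][string]$CorrelationIdPrefix,   # e.g. 'E87A1F8B', read from the client event
        [string]$HraServer = 'dc1.corp.contoso.com'                    # assumption: the lab's HRA/NPS
    )
    $clientLog = 'Microsoft-Windows-NetworkAccessProtection/Operational'   # assumption: channel name
    $client = Get-WinEvent -LogName $clientLog -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $CorrelationIdPrefix }
    # HRA events: source HRA in the System log on the HRA.
    $hra = Get-WinEvent -ComputerName $HraServer -FilterHashtable @{ LogName = 'System'; ProviderName = 'HRA' } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $CorrelationIdPrefix }
    # NPS events: task category Network Policy Server in the Security log; bounded to keep the remote query cheap.
    $nps = Get-WinEvent -ComputerName $HraServer -FilterHashtable @{ LogName = 'Security' } -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Network Policy Server' -and $_.Message -match $CorrelationIdPrefix }
    foreach ($pair in @( @('CLIENT', $client), @('HRA', $hra), @('NPS', $nps) )) {
        foreach ($e in $pair[1]) {
            New-Object PSObject -Property @{
                Role = $pair[0]; Time = $e.TimeCreated; Id = $e.Id
                Level = $e.LevelDisplayName; Message = ($e.Message -split "`n")[0]
            }
        }
    }
}

# Usage on CLIENT1:
$health = @(Get-NapHealthCertificate)
if ($health.Count -eq 0) {
    'No health certificate installed: health validation did not complete. Take the correlation ID from the latest Error event in the NAP Operational log and pass it to Get-NapEvaluationEvents.'
} else {
    $health | Select-Object Subject, Issuer, NotAfter
}
# Get-NapEvaluationEvents -CorrelationIdPrefix 'E87A1F8B' | Sort-Object Time | Format-Table Role, Time, Id, Level, Message -AutoSize
```

Matching on the EKU friendly name rather than on the issuer alone matters: the computer certificate from corp-DC1-CA also sits in Personal\Certificates, and, as the troubleshooting scenarios below point out, it cannot be used for the intranet tunnel because it is not a health certificate.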

Troubleshooting DirectAccess with NAP Problems

The following sections contain troubleshooting scenarios in which you deliberately configure the DirectAccess with NAP test lab to impair NAP health evaluation for CLIENT1. You will then use the troubleshooting tools described in this document to determine the root cause of the problem and correct it.

Note: The following troubleshooting scenarios use the working DirectAccess with NAP test lab in full enforcement mode.

Cannot access intranet resources (root cause 1)

CLIENT1 uses its configured URL to locate the HRA, submit its health state information, and obtain a health certificate. If the URL is incorrect and the HRA cannot be reached, CLIENT1 cannot perform health validation and cannot reach intranet resources using the intranet tunnel.

In this troubleshooting scenario, you configure NAP client Group Policy settings with the wrong URL for the HRA and then troubleshoot the results from the NAP client.

Break the configuration procedure

Follow these steps to configure the DirectAccess test lab for this troubleshooting scenario.

To configure DirectAccess clients with the incorrect HRA URL

1. Connect CLIENT1 to the Internet subnet. Verify that CLIENT1 is compliant (has a health certificate) and that you can successfully run the net view \\app1 command from a Command Prompt.

2. On DC1, click Start, type gpme.msc, and then press ENTER.

3. In the Browse for a Group Policy Object dialog box, double-click the policy named DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}.

4. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Health Registration Settings\Trusted Server Groups.

5. In the details pane, double-click Trusted HRA Servers.

6. Click the configured URL in the list, and then click Edit.

7. In Edit URL, change the FQDN in the URL from dc1.corp.contoso.com to dc1.contoso.com, and then click OK twice.

8. On CLIENT1, in an administrator-level Command Prompt window, run the gpupdate /target:computer command.

9. In the Command Prompt window, run the net stop napagent command and then the net start napagent command.

10. In the Command Prompt window, run the net view \\app1 command. This should fail with the System error 53 has occurred message.

Step-by-step troubleshooting

It appears that CLIENT1 cannot access intranet resources. The following procedure steps you through root cause determination of the problem.

To troubleshoot this scenario

1. On CLIENT1, in the Personal\Certificates folder of the Certificates (Local Computer) snap-in, verify that no health certificate is installed.

You should only see the computer certificate issued by corp-DC1-CA. However, because this certificate is not a health certificate, it cannot be used for IPsec authentication to create the intranet tunnel.

2. Click Start, type napstat, and then press ENTER.

3. From the notification area of the desktop, click the Network Access Protection message, and then click the Network Access Protection icon in your taskbar. The Network Access Protection window should state This computer meets security standards defined by your network administrator. Click Close.

This message is misleading because a health evaluation has not occurred. If a health evaluation occurred and CLIENT1 was compliant, there would be a health certificate in the Personal\Certificates folder of the Certificates (Local Computer) snap-in.

4. Click Start, type eventvwr.msc, and then press ENTER.

5. In the console tree, open Applications and Service Logs\Microsoft\Windows\Network Access Protection\Operational.

6. In the contents pane, click the latest Error event. The General tab should display The Network Access Protection Agent failed to acquire a certificate for the request...from https://dc1.contoso.com/domainhra/hcsrvext.dll.

7. Click the https://dc1.contoso.com/domainhra/hcsrvext.dll link on the General tab.

Internet Explorer should display Internet Explorer cannot display the webpage.

8. In the Command Prompt window, run the ping dc1.contoso.com command.

The Ping.exe tool should display Ping request could not find the host dc1.contoso.com.

This is the root cause of the problem. CLIENT1 cannot reach the location in the HRA URL, which is incorrectly configured with the wrong FQDN.
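Steps 6 through 8 above establish the root cause by hand: the client's error event names the HRA URL, and the URL's host does not resolve. The following PowerShell script is an added example (not part of the Microsoft guide) that performs the same checks from the client: it reads the HRA URL from netsh nap client show grouppolicy, resolves the host name, and attempts a TCP connection to the HTTPS port, reporting a finding that maps to the guide's steps. It uses only .NET calls available on Windows 7 with Windows PowerShell 2.0. Assumption of ours: when no URL is configured, the lab's known-good URL https://dc1.corp.contoso.com/domainhra/hcsrvext.dll is tested.

```powershell
# Added example; not part of the Microsoft Test Lab Guide. Run on the NAP
# client (CLIENT1) while it is connected to the Internet subnet.

function Get-NapHraUrl {
    # Extracts every "URL = ..." line from "netsh nap client show grouppolicy"
    # (the Trusted server group configuration section).
    param([string[]]$GroupPolicyLines = (netsh nap client show grouppolicy))
    foreach ($line in $GroupPolicyLines) {
        if ($line -match '^\s*URL\s*=\s*(\S+)') { $matches[1] }
    }
}

function Test-NapHraUrl {
    # Reports whether the HRA host resolves and whether its HTTPS port accepts
    # a connection, with a finding that maps back to steps 7 and 8.
    param([Parameter(Mandatory = $true)][string]$Url, [int]$TimeoutMs = 3000)
    $uri = [System.Uri]$Url
    $r = New-Object PSObject -Property @{
        Url = $Url; HostName = $uri.Host; Port = $uri.Port
        Resolves = $false; Addresses = @(); TcpConnect = $false; Finding = ''
    }
    try {
        $r.Addresses = @([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString })
        $r.Resolves = ($r.Addresses.Count -gt 0)
    } catch {
        # Same symptom as "Ping request could not find the host": the FQDN in
        # the Trusted HRA Servers URL is wrong, or DNS is not reachable.
        $r.Finding = "Host '$($uri.Host)' does not resolve. Check the FQDN in the Trusted HRA Servers URL in the DirectAccess client GPO (NAP Client Configuration)."
        return $r
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $tcp.EndConnect($ar)            # throws if the connection was refused
            $r.TcpConnect = $true
            $r.Finding = "HRA host resolves and port $($uri.Port) accepts connections; the URL is not the root cause. Continue on the HRA and the NAP CA (root cause 2 checks)."
        } else {
            $r.Finding = "Host resolves but port $($uri.Port) did not answer within $TimeoutMs ms; check the infrastructure tunnel and any firewall between the client and the HRA."
        }
    } catch {
        $r.Finding = "TCP connect to $($uri.Host):$($uri.Port) failed: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    return $r
}

# Usage: test the URL the client actually has, or the lab's known-good URL.
$urls = @(Get-NapHraUrl)
if ($urls.Count -eq 0) { $urls = @('https://dc1.corp.contoso.com/domainhra/hcsrvext.dll') }   # assumption: lab URL
foreach ($u in $urls) {
    Test-NapHraUrl -Url $u | Format-List Url, HostName, Resolves, Addresses, TcpConnect, Finding
}
```

In the broken configuration of this scenario the script reports that dc1.contoso.com does not resolve, which is exactly what step 8's ping output shows; after the correction procedure it reports the host resolving and port 443 accepting connections.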

Correct the configuration procedure

Follow these steps to correct the configuration of the DirectAccess with NAP test lab for this troubleshooting scenario.

To configure DirectAccess clients with the correct HRA URL

1. On DC1, in the details pane of the Group Policy Management Editor snap-in, double-click Trusted HRA Servers.

2. Click the configured URL in the list, and then click Edit.

3. In Edit URL, change the FQDN in the URL from dc1.contoso.com to dc1.corp.contoso.com, and then click OK twice.

4. On CLIENT1, in the Command Prompt window, run the gpupdate /target:computer command.

5. In the Command Prompt window, run the netsh nap client show grouppolicy command. Verify that the URL field in the Trusted server group configuration section has the value https://dc1.corp.contoso.com/domainhra/hcsrvext.dll

6. In the Command Prompt window, run the net stop napagent command, and then the net start napagent command.

7. In the Certificates (Local Computer) snap-in, refresh the contents pane for the Personal\Certificates folder. You should see a new health certificate issued by corp-APP1-SubCA.

8. In the Command Prompt window, run the net view \\app1 command. This should display the Files share successfully.

Cannot access intranet resources (root cause 2)

CLIENT1 sends its health state information to DC1, the HRA. If compliant, DC1 requests a health certificate from APP1, the NAP CA, on CLIENT1’s behalf. If DC1 cannot request certificates from APP1, CLIENT1 cannot obtain a health certificate and reach intranet resources using the intranet tunnel.

In this troubleshooting scenario, you disable the AD CS service on APP1 and then troubleshoot the results from the NAP client.

Break the configuration procedure

Follow these steps to configure the DirectAccess test lab for this troubleshooting scenario.

To configure APP1 with a disabled AD CS service

1. Connect CLIENT1 to the Internet subnet. Verify that CLIENT1 is compliant (has a health certificate) and that you can successfully run the net view \\app1 command from a Command Prompt.

2. On APP1, click Start, type services.msc, and then press ENTER.

3. In the details pane of the Services snap-in, double-click Active Directory Certificate Services.

4. In Startup type, select Disabled, and then click Apply. In Service status, click Stop, and then click OK. Close the Services snap-in.

5. On CLIENT1, in the Command Prompt window, run the net stop napagent command, and then the net start napagent command.

6. In the Command Prompt window, run the net view \\app1 command. This should fail with the System error 53 has occurred message.

Step-by-step troubleshooting

It appears that CLIENT1 cannot access intranet resources. The following procedure steps you through root cause determination of the problem.

To troubleshoot this scenario

1. On CLIENT1, in the Personal\Certificates folder of the Certificates (Local Computer) snap-in, verify that no health certificate is installed.

You should only see the computer certificate issued by corp-DC1-CA.

2. Click Start, type napstat, and then press Enter.

3. From the notification area of the desktop, click the Network Access Protection message, and then click the Network Access Protection icon in your taskbar. The Network Access Protection window should state This computer meets security standards defined by your network administrator. Click Close.

This message is misleading because a health evaluation has not occurred.

4. Click Start, type eventvwr.msc, and then press ENTER.

5. In the console tree, open Applications and Service Logs\Microsoft\Windows\Network Access Protection\Operational.

6. In the contents pane, click the latest Error event. The General tab should display The Network Access Protection Agent failed to acquire a certificate for the request...from https://dc1.corp.contoso.com/domainhra/hcsrvext.dll.

7. Click the https://dc1.corp.contoso.com/domainhra/hcsrvext.dll link on the General tab. When prompted, type the User1 account name and its password, and then click OK.

Internet Explorer should display the 500 - Internal server error message. This is normal when using Internet Explorer to view the HRA URL.

RESULT: CLIENT1 can successfully reach and access the HRA URL. Let’s now move to DC1, the HRA.

8. On DC1, click Start, type eventvwr.msc, and then press ENTER.

9. In the console tree, open Windows Logs\System.

10. In the console tree, right-click System, and then click Filter Current Log. In the Filter Current Log window, select HRA in Event sources, and then click OK.

11. In the contents pane, click the latest Error event with an ID of 29. The General tab should display The Health Registration Authority denied the certificate request with the correlation ID...for (principal CORP\CLIENT1$). Either no certification authorities are configured or none are available. Verify the Health Registration Authority configuration or contact its administrator for more information.

12. Run an administrator-level command prompt.

13. In the Command Prompt window, run the netsh nap hra show configuration command. The names of the NAP CAs are listed in the Certification Authority (CA) servers field, which should contain app1.corp.contoso.com.

14. In the Command Prompt window, run the ping app1.corp.contoso.com command. This should be successful.

15. In the Command Prompt window, run the rpcping -s app1.corp.contoso.com command. This should be successful, displaying the Completed 1 calls in 1 ms message.

RESULT: DC1, the HRA, has network and RPC-based connectivity to APP1, the NAP CA. Let’s now move to APP1 and ensure that the AD CS service is running and correctly configured.

16. On APP1, run an administrator-level command prompt.

17. In the Command Prompt window, run the net start command. Look for Active Directory Certificate Services in the alphabetized list. It should not be present.

18. In the Command Prompt window, run the net start certsvc command. You should see the message: System error 1050 has occurred. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

19. Click Start, type services.msc, and then press ENTER.

20. In the Services snap-in, double-click Active Directory Certificate Services in the list.

21. On the General tab, notice that the Startup type is set to Disabled.

This is the root cause of the problem. DC1, the HRA, cannot access the AD CS service on APP1, the NAP CA, because the AD CS service on APP1 has been disabled.

Correct the configuration procedure

Follow these steps to correct the configuration of the DirectAccess with NAP test lab for this troubleshooting scenario.

To configure the AD CS service on APP1

1. On APP1, on the General tab of the Active Directory Certificate Services Properties window, click Automatic in Startup type, click Apply, click Start, and then click OK.

2. On CLIENT1, in the Command Prompt window, run the net stop napagent command and then the net start napagent command.

3. In the Certificates (Local Computer) snap-in, refresh the contents pane for the Personal\Certificates folder. You should see a new health certificate issued by corp-APP1-SubCA.

4. In the Command Prompt window, run the net view \\app1 command. This should display the Files share successfully.
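The checks in the troubleshooting steps above (HRA event, ping, rpcping, AD CS startup type) and the fix from the correction procedure, collected into one script as an added example that is not part of the Microsoft test lab guide. It runs on DC1 as an administrator and assumes the NAP CA name shown by netsh nap hra show configuration (app1.corp.contoso.com in this lab) and that DC1 can query APP1 over WMI, which step 15's RPC check already exercises.

```powershell
# Added example (not from the test lab guide). Run on DC1, the HRA, as administrator.
# Assumption: the CA name comes from "netsh nap hra show configuration" (app1 in this lab).
function Test-NapCaChain {
    param(
        [string]$CaServer = 'app1.corp.contoso.com',
        [string]$ServiceName = 'CertSvc'   # Active Directory Certificate Services
    )
    # Latest HRA denial (event ID 29, source HRA) in the System log: steps 8-11.
    $hra = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'HRA'; Id = 29 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $hraTime = $null
    if ($hra) { $hraTime = $hra.TimeCreated }

    # Network and RPC reachability of the NAP CA: steps 14-15.
    $ping = Test-Connection -ComputerName $CaServer -Count 1 -Quiet
    $rpc  = [bool]((& rpcping.exe -s $CaServer 2>&1) -match 'Completed')

    # State and startup type of AD CS on the CA: steps 17-21 (Win32_Service exposes StartMode).
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $CaServer -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    $state = $null; $mode = $null
    if ($svc) { $state = $svc.State; $mode = $svc.StartMode }

    # Decide in the same order the manual procedure does: network, RPC, then the service itself.
    if (-not $ping)              { $rootCause = 'NAP CA not reachable on the network' }
    elseif (-not $rpc)           { $rootCause = 'RPC to NAP CA failed' }
    elseif (-not $svc)           { $rootCause = "Service $ServiceName not found on $CaServer" }
    elseif ($mode -eq 'Disabled') { $rootCause = 'AD CS service is disabled on the NAP CA (this scenario)' }
    elseif ($state -ne 'Running') { $rootCause = 'AD CS service is not running on the NAP CA' }
    else                         { $rootCause = 'HRA to NAP CA chain looks healthy' }

    New-Object PSObject -Property @{
        CaServer = $CaServer; LastHraError = $hraTime; Ping = $ping; Rpc = $rpc
        ServiceState = $state; StartMode = $mode; RootCause = $rootCause
    }
}

# Fix from the correction procedure: set AD CS to Automatic and start it on the CA.
function Repair-NapCaService {
    param([string]$CaServer = 'app1.corp.contoso.com', [string]$ServiceName = 'CertSvc')
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $CaServer -Filter "Name='$ServiceName'"
    [void]$svc.ChangeStartMode('Automatic')   # WMI method; return value 0 means success
    [void]$svc.StartService()
    # Afterwards, on CLIENT1: Restart-Service napagent, then refresh Personal\Certificates.
}

Test-NapCaChain | Format-List
```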


NAP client is not automatically remediating system health

CLIENT1 sends its health state information to DC1, an HRA. If compliant, DC1 requests a health certificate from APP1, the NAP CA, on CLIENT1’s behalf. If not compliant, DC1 sends information back to CLIENT1 to remediate its health state.

In this troubleshooting scenario, you disable the network policy for non-compliant NAP clients and then troubleshoot the results from the NAP client.

Break the configuration procedure

Follow these steps to configure the DirectAccess test lab for this troubleshooting scenario.

To configure DC1 to disable the non-compliant NAP client network policy

1. Connect CLIENT1 to the Internet subnet. Verify that CLIENT1 is compliant (has a health certificate) and that you can successfully run the net view \\app1 command from a command prompt.

2. Click Start, click Control Panel, click System and Security, and then click Windows Firewall.

3. In the left pane, click Turn Windows Firewall on or off.

4. In Domain network location settings, click Turn off Windows Firewall, and then click OK. Notice that the NAP client automatically turns on Windows Firewall for domain networks.

5. On DC1, click Start, type nps.msc, and then press ENTER.

6. In the console tree of the Network Policy Server snap-in, open Policies, and then click Network Policies.

7. In the details pane, right-click the network policy named NAP IPsec with HRA Noncompliant, and then click Disable. Close the Network Policy Server snap-in.

8. On CLIENT1, in the left pane of the Windows Firewall window, click Turn Windows Firewall on or off.

9. In Domain network location settings, click Turn off Windows Firewall, and then click OK. Notice that the NAP client does not automatically enable Windows Firewall for domain networks.

10. In the Certificates (Local Computer) snap-in, refresh the contents pane for the Personal\Certificates folder. You should see a health certificate issued by corp-APP1-SubCA.


11. Double-click the health certificate, click the Details tab, and then click the Valid to field. Note the time that the certificate will expire, and then click OK.

12. In the Command Prompt window, run the net view \\app1 command. This should display the Files share successfully.

The NAP client is not in an expected state; it is not compliant with system health requirements but has a health certificate and can access intranet resources. Although the user on CLIENT1 can easily remediate the system health state manually through the Windows Firewall window or the Windows Action Center, the larger issue of having intranet access when not compliant must be resolved.

Note When the health certificate expires, CLIENT1 will no longer be able to access the intranet resources.

Step-by-step troubleshooting

It appears that CLIENT1 is not automatically remediating its health state. The following procedure steps you through root cause determination of the problem.

To troubleshoot this scenario

1. On CLIENT1, click Start, type napstat, and then press ENTER.

2. From the notification area of the desktop, click the Network Access Protection message, and then click the Network Access Protection icon in your taskbar. The Network Access Protection window should state This computer meets security standards defined by your network administrator. Click Close.

This message is misleading because the Windows Firewall settings do not comply with system health requirements. If a health evaluation had occurred and CLIENT1 was noncompliant, the Windows Firewall for domain networks would be automatically enabled.

3. Click Start, type eventvwr.msc, and then press ENTER.

4. In the console tree, open Applications and Service Logs\Microsoft\Windows\Network Access Protection\Operational.

5. In the contents pane, click the latest Error event. The General tab should display The Network Access Protection Agent failed to acquire a certificate for the request...from https://dc1.corp.contoso.com/domainhra/hcsrvext.dll. Note the correlation ID and date and time of the event.

6. Click the https://dc1.corp.contoso.com/domainhra/hcsrvext.dll link on the General tab. When prompted, type the User1 account name and its password, and then click OK.

Internet Explorer should display the 500 - Internal server error message. This is normal when using Internet Explorer to view the HRA URL.

RESULT: CLIENT1 can successfully reach and access the HRA URL. Let’s now move to DC1, the HRA.

7. On DC1, click Start, type eventvwr.msc, and then press ENTER.

8. In the console tree, open Windows Logs\System.

9. In the console tree, right-click System, and then click Filter Current Log. In the Filter Current Log window, select HRA in Event sources, and then click OK.

10. In the contents pane, click the latest Error event with an ID of 3. The General tab should display The Health Registration Authority encountered an error processing the response for the request with the correlation ID...for (principal CORP\CLIENT1$). Either no certification authorities are configured or none are available. Verify the Health Registration Authority configuration or contact its administrator for more information. Verify that the correlation ID is the same as in step 5.

11. In the console tree of the Event Viewer snap-in, click Windows Logs\Security.

12. Scan through the list of events to find the event with the Task Category of Network Policy Server and that most closely matches the date and time of step 5.

13. Click the event. The General tab should display Network Policy Server denied access to a user. Scroll down to the Authentication Details section. The Reason field displays The connection request did not match any configured network policy.

Note The Account Session Identifier field does not store the correlation ID.

14. Click Start, type nps.msc, and then press ENTER.

15. In the console tree of the Network Policy Server snap-in, open Policies, and then click Network Policies.

16. In the details pane, notice that the network policy named NAP IPsec with HRA Noncompliant is in a Disabled state.

This is the root cause of the problem. Because the NAP IPsec with HRA Noncompliant network policy is disabled, the health validation request of CLIENT1 in its non-compliant health state does not match any network policies and is denied by the NPS service.

The NPS service sends that response to the HRA component, which responds to CLIENT1’s health validation request. Because the health validation request did not match the NAP IPsec with HRA Noncompliant network policy, there are no health remediation instructions for CLIENT1, which remains in its non-compliant state and keeps its current health certificate.
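Steps 7 through 13 above, correlating the HRA error in the System log with the NPS denial audit in the Security log by time, as an added example that is not part of the Microsoft test lab guide. It runs on DC1 as an administrator; the time you pass is the one noted in step 5 on CLIENT1, and the "Reason:" line layout inside the NPS audit message is assumed from the wording the guide quotes.

```powershell
# Added example (not from the test lab guide). Run on DC1 (HRA and NPS) as administrator.
function Find-NapDenialReason {
    param(
        [datetime]$Around = (Get-Date),   # date and time of CLIENT1's NAP Agent error (step 5)
        [int]$WindowMinutes = 5           # search window either side of that time
    )
    $start = $Around.AddMinutes(-$WindowMinutes)
    $end   = $Around.AddMinutes($WindowMinutes)

    # HRA error (event ID 3, source HRA) in the System log: steps 8-10.
    $hra = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'HRA'; Id = 3; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
        Select-Object -First 1

    # NPS audit with Task Category "Network Policy Server" in the Security log: steps 11-13.
    $nps = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Network Policy Server' -and $_.Message -like 'Network Policy Server denied access to a user*' } |
        Select-Object -First 1

    # Pull the "Reason:" line from the Authentication Details section (assumed layout).
    $reason = $null
    if ($nps -and ($nps.Message -match '(?m)^\s*Reason:\s*(.+?)\s*$')) { $reason = $Matches[1] }

    $hraTime = $null; $npsTime = $null
    if ($hra) { $hraTime = $hra.TimeCreated }
    if ($nps) { $npsTime = $nps.TimeCreated }

    New-Object PSObject -Property @{
        HraErrorTime  = $hraTime
        NpsDenyTime   = $npsTime
        Reason        = $reason
        # True when no network policy matched the request: with NAP IPsec with HRA
        # Noncompliant disabled, this is the root cause described above.
        NoPolicyMatch = [bool]($reason -and $reason -like '*did not match any configured network policy*')
    }
}

# Constructed example time; replace with the value noted in step 5.
Find-NapDenialReason -Around (Get-Date '2010-07-14 10:32') | Format-List
```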

Correct the configuration procedure

Follow these steps to correct the configuration of the DirectAccess with NAP test lab for this troubleshooting scenario.

To enable the network policy for non-compliant NAP clients

1. On DC1, in the details pane of the Network Policy Server snap-in, right-click the network policy named NAP IPsec with HRA Noncompliant, and then click Enable.

2. On CLIENT1, in the left pane of the Windows Firewall window, click Turn Windows Firewall on or off.

3. In Domain network location settings, click Turn on Windows Firewall, and then click OK.

4. In the left pane of the Windows Firewall window, click Turn Windows Firewall on or off. Click Turn off Windows Firewall, and then click OK. Notice how the NAP client now automatically enables Windows Firewall for domain networks.

5. In the Certificates (Local Computer) snap-in, refresh the contents pane for the Personal\Certificates folder. You should see a health certificate issued by corp-APP1-SubCA.

6. Double-click the health certificate, click the Details tab, and then click the Valid to field. Note that the certificate expiration time is different, corresponding to a newly assigned certificate. Click OK.

7. In the Command Prompt window, run the net view \\app1 command. This should display the Files share successfully.


Additional Resources

For procedures to configure the DirectAccess with NAP test lab on which this document is based, see the Test Lab Guide: Demonstrate DirectAccess with NAP.

For information about troubleshooting NAP, see the Network Access Protection Troubleshooting Guide. For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.

For design and configuration of your pilot or production deployment of DirectAccess with NAP in Windows Server 2008 R2, see the DirectAccess with Network Access Protection (NAP) solution.

To get your questions about DirectAccess answered, see the Network Infrastructure Servers TechNet Forum. To get your questions about NAP answered, see the Network Access Protection TechNet Forum.
