Tools for Troubleshooting NAP
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
This topic provides a list of tools and procedures that you can use to obtain detailed information about Network Access Protection (NAP) problems.
NAP diagnostic tools
Use the following tools to diagnose NAP problems:
Netsh commands for NAP client
Log files
NAP event logs
NAP events and errors documentation
Microsoft Management Console
MMC snap-ins
Netsh commands for NAP client
The following Netsh commands for NAP client are useful for troubleshooting:
netsh NAP client show state
This command provides the current status of a NAP client computer, including the restriction state, status of enforcement clients, status of installed system health agents (SHAs), and any trusted server groups that have been configured.
netsh NAP client show config
This command shows the local configuration settings on a NAP client computer, including the cryptographic settings, enforcement client settings, trusted server groups settings, and client tracing settings that have been configured.
netsh NAP client show group
This command shows the Group Policy configuration settings on a NAP client computer, including the cryptographic settings, enforcement client settings, trusted server groups settings, and client tracing settings that have been configured.
Important
If any NAP client settings are configured in Group Policy, the client computer will ignore all local NAP client configuration settings.
For more information, see Netsh Commands for Network Access Protection (NAP) Client (https://go.microsoft.com/fwlink/?LinkID=128797) and Netsh Commands for Health Registration Authority (https://go.microsoft.com/fwlink/?LinkId=136627).
Membership in the local Administrators group, or equivalent, is the minimum required to run commands that change configuration settings on the client computer. Commands that only display configuration status do not require these permissions. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
The following is an example of output from the netsh NAP client show state command.
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79618
Name = Remote Access Quarantine Enforcement Client
Description = Provides the quarantine enforcement for RAS Client
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79619
Name = IPSec Relying Party
Description = Provides IPSec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Description = Provides TS Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides EAP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating its security state.
Compliance results = (0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
Remediation results =
Ok.
In this example, the EAP enforcement client is initialized, and the computer has been granted full network access.
Important
The netsh nap client show state command displays initialization status for each enforcement client. The netsh nap client show config and netsh nap client show group commands display status of enforcement clients as enabled or disabled. In order to provide client health status to NAP server components, an enforcement client must be both enabled and initialized.
In this example, the compliance results show output that contains zeros. This output indicates that the following system health components configured in Windows Security Center and monitored by the Windows System Health Agent (WSHA) are in compliance with the requirements of the Windows System Health Validator (WSHV):
Firewall is on.
Antivirus is installed and running.
The antivirus signature is up to date.
Antispyware is installed and running.
The antispyware signature is up to date.
Automatic updates are enabled.
Security updates are enabled.
Security updates are installed for the security level and source specified.
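The following PowerShell function is an added example, not part of the original topic: it parses the text printed by netsh nap client show state and reports the restriction state, the enforcement clients that are initialized, and any compliance result that is not zero. It assumes English-language netsh output and PowerShell 3.0 or later; the function name and the property names of the returned object are hypothetical, and the sample text is an excerpt of the output shown above.

```powershell
# Added example (not from the original topic). Assumes English netsh output.
function ConvertFrom-NapClientState {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]          # netsh output contains blank lines
        [string[]]$Line
    )

    $section     = ''
    $restriction = $null
    $current     = $null              # enforcement client or SHA record being read
    $records     = New-Object System.Collections.ArrayList

    foreach ($l in $Line) {
        # Section headers decide how the key/value lines that follow are read.
        if ($l -match '^\s*Client state:')                { $section = 'Client'; $current = $null; continue }
        if ($l -match '^\s*Enforcement client state:')    { $section = 'EnforcementClient'; continue }
        if ($l -match '^\s*System health agent .*state:') { $section = 'HealthAgent'; continue }

        # "Compliance results" continues on lines that hold only a code.
        if ($current -and $l -match '^\s*\((0x[0-9A-Fa-f]+)\)') {
            [void]$current.ComplianceCodes.Add($Matches[1])
            continue
        }

        # Everything else of interest is "key = value"; skip rulers and "Ok.".
        if ($l -notmatch '^\s*(.+?)\s*=\s*(.*?)\s*$') { continue }
        $key   = $Matches[1]
        $value = $Matches[2]

        if ($section -eq 'Client') {
            if ($key -eq 'Restriction state') { $restriction = $value }
            continue
        }

        if ($key -eq 'Id') {
            # Each enforcement client and SHA record starts with its Id line.
            $current = [pscustomobject]@{
                Section         = $section
                Id              = $value
                Name            = $null
                Initialized     = $false
                ComplianceCodes = (New-Object System.Collections.ArrayList)
            }
            [void]$records.Add($current)
            continue
        }
        if (-not $current) { continue }

        switch ($key) {
            'Name'        { $current.Name = $value }
            'Initialized' { $current.Initialized = ($value -eq 'Yes') }
            'Compliance results' {
                if ($value -match '\((0x[0-9A-Fa-f]+)\)') {
                    [void]$current.ComplianceCodes.Add($Matches[1])
                }
            }
        }
    }

    $ec  = @($records | Where-Object { $_.Section -eq 'EnforcementClient' })
    $sha = @($records | Where-Object { $_.Section -eq 'HealthAgent' })
    [pscustomobject]@{
        RestrictionState              = $restriction
        InitializedEnforcementClients = @($ec  | Where-Object { $_.Initialized } | ForEach-Object { $_.Name })
        UninitializedHealthAgents     = @($sha | Where-Object { -not $_.Initialized } | ForEach-Object { $_.Name })
        # The topic only states that all-zero results mean compliance, so
        # non-zero codes are reported as-is rather than interpreted.
        NonZeroComplianceCodes        = @($sha | ForEach-Object { $_.ComplianceCodes } |
                                          Where-Object { $_ -notmatch '^0x0+$' })
    }
}

# Excerpt of the sample output shown above in this topic.
$sample = @'
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Status = Enabled
Restriction state = Not restricted

Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Initialized = No

Id = 79623
Name = EAP Quarantine Enforcement Client
Initialized = Yes

System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Initialized = Yes
Compliance results = (0x00000000) -
(0x00000000) -
(0x00000000) -
Remediation results =
Ok.
'@

ConvertFrom-NapClientState -Line ($sample -split '\r?\n') | Format-List

# On a NAP client, parse live output instead:
# ConvertFrom-NapClientState -Line (netsh nap client show state)
```

An empty InitializedEnforcementClients list means that no enforcement client can report health status, whatever show config or show group lists as enabled.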
Log files
You can use log files on servers running Network Policy Server (NPS) and NAP client computers to help troubleshoot NAP problems. Log files can provide the detailed information required for troubleshooting complex problems.
The following log files are useful for troubleshooting.
NPS accounting log files
By default, NPS accounting logs are located in %windir%\system32\logfiles. For information about the format of NPS accounting log files, see Interpret NPS Database Format Log Files (https://go.microsoft.com/fwlink/?LinkId=136631).
NPS trace logging files
You can capture detailed information in log files on servers running NPS by enabling remote access tracing. The Remote Access service does not need to be installed or running to use remote access tracing. When you enable tracing on a server running NPS, several log files are created in %windir%\tracing.
The following log files contain helpful information about NAP:
IASNAP.LOG: Contains detailed information about NAP processes, NPS authentication, and NPS authorization.
IASSAM.LOG: Contains detailed information about user authentication and authorization.
Membership in the local Administrators group, or equivalent, is the minimum required to enable tracing. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To create tracing log files on a server running NPS
Open a command line as an administrator.
Type netsh ras set tr * en.
Reproduce the scenario that you are troubleshooting.
Type netsh ras set tr * dis.
Close the command prompt window.
NAP client tracing log files
You can enable NAP client tracing by using the command line. On computers running Windows Vista®, you can enable tracing by using the NAP Client Configuration console. NAP client tracing files are written in Event Trace Log (ETL) format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the -o option to specify the directory to which they are written. In the following example, files are written to %systemroot%\tracing\nap. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).
To create NAP event trace log files on a client computer
Open a command line as an administrator.
Type logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o %systemroot%\tracing\nap\QAgentRt.etl -ets.
Note
To troubleshoot problems with WSHA, use the following GUID: 789e8f15-0cbf-4402-b0ed-0e22f90fdc8d.
Reproduce the scenario that you are troubleshooting.
Type logman stop QAgentRt -ets.
Close the command prompt window.
DHCP client tracing log files
If the DHCP NAP enforcement client is enabled on a client computer, NAP events are also logged when you enable DHCP client tracing. When you enable DHCP client tracing, log files are written to %windir%\System32\LogFiles\WMI.
To create DHCP event trace log files on a client computer
Open a command line as an administrator.
Type netsh dhcp tr en.
Reproduce the scenario that you are troubleshooting.
Type netsh dhcp tr dis.
Close the command prompt window.
Authenticator EAPHost tracing log files
EAPHost trace logs contain debugging information that can help you find the root causes of issues that occur during the EAP authentication process. The debugging information can include application programming interface (API) calls performed, internal function calls performed, and state transitions performed. EAPHost tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the -o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).
To create authenticator EAPHost trace log files on a server running NPS
Open a command line as an administrator.
Type logman start trace EapHostAuthr -o .\EapHostAuthr.etl -p {F6578502-DF4E-4a67-9661-E3A2F05D1D9B} 0x4000ffff 0 -ets.
Reproduce the scenario that you are troubleshooting.
Type logman stop EapHostAuthr -ets.
Close the command prompt window.
Client EAPHost tracing log files
EAPHost trace logs can also be created on the client to use for debugging client-side EAP authentication processes. EAPHost tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the -o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).
To create client EAPHost trace log files on a server running NPS
Open a command line as an administrator.
Type logman start trace EapHostPeer -o .\EapHostPeer.etl -p {5F31090B-D990-4e91-B16D-46121D0255AA} 0x4000ffff 0 -ets.
Reproduce the scenario that you are troubleshooting.
Type logman stop EapHostPeer -ets.
Close the command prompt window.
HCAP tracing log files
HCAP trace logs contain debugging information that can help you find the root causes of issues that occur with a server running HCAP. HCAP tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the -o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).
To create HCAP trace log files on a server running HCAP
Open a command line as an administrator.
Type logman start HCAPEXT -o .\hcap.etl -p {af000c3b-46c7-4166-89ab-de51df2701ee} 0xFFFFFFFF 9 -ets.
Reproduce the scenario that you are troubleshooting.
Type logman stop HCAPEXT -ets.
Close the command prompt window.
HRA server tracing log files
HRA trace logs contain debugging information that can help you find the root causes of issues that occur with a server running HRA. HRA tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the -o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).
To create HRA trace log files on a server running HRA
Open a command line as an administrator.
Type logman start HRAEXT -o .\hra.etl -p {3BEEDE59-FC7D-5057-CE28-BABAD0B27181} 0xFFFFFFFF 9 -ets.
Reproduce the scenario that you are troubleshooting.
Type logman stop HRAEXT -ets.
Close the command prompt window.
NAP server tracing log files
NAP server trace logs contain debugging information that can help you find the root causes of issues that occur with a NAP health policy server. NAP server tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the -o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).
To create NAP server trace log files on a server running NPS
Open a command line as an administrator.
Type logman start QSHVHOST -o .\shvhost.etl -p {06BB9E87-F689-4ec5-9E1E-44E1D471F21F} 0xFFFFFFFF 9 -ets.
Reproduce the scenario that you are troubleshooting.
Type logman stop QSHVHOST -ets.
Close the command prompt window.
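The ETL tracing procedures above all follow the same pattern: start the session, reproduce the problem, stop the session. The following PowerShell function is an added example, not part of the original topic, that runs that pattern for any of the six sessions and always stops the session, even if the reproduction step fails. The function and parameter names are hypothetical; session names, provider GUIDs, flags and levels are copied from the commands above, while the output file name (session name plus .etl) and the default output directory are assumptions of this example.

```powershell
# Added example (not from the original topic). Run from an elevated
# PowerShell prompt, as the procedures above require.
function Invoke-NapTrace {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Session,

        # Assumption: default to the directory used in the NAP client example.
        [string]$OutputDirectory = (Join-Path $env:SystemRoot 'tracing\nap'),

        # What to run while tracing is on; by default, wait for the operator.
        [scriptblock]$Reproduce = {
            Read-Host 'Reproduce the scenario, then press ENTER to stop tracing' | Out-Null
        }
    )

    # Values copied from the logman commands in this topic. The GUIDs are
    # quoted because PowerShell would otherwise parse {...} as a script block,
    # and the flags are strings so that they reach logman unchanged.
    $sessions = @{
        QAgentRt     = @{ Guid = '{b0278a28-76f1-4e15-b1df-14b209a12613}'; Flags = '0xFFFFFFFF'; Level = '9' }
        EapHostAuthr = @{ Guid = '{F6578502-DF4E-4a67-9661-E3A2F05D1D9B}'; Flags = '0x4000ffff'; Level = '0' }
        EapHostPeer  = @{ Guid = '{5F31090B-D990-4e91-B16D-46121D0255AA}'; Flags = '0x4000ffff'; Level = '0' }
        HCAPEXT      = @{ Guid = '{af000c3b-46c7-4166-89ab-de51df2701ee}'; Flags = '0xFFFFFFFF'; Level = '9' }
        HRAEXT       = @{ Guid = '{3BEEDE59-FC7D-5057-CE28-BABAD0B27181}'; Flags = '0xFFFFFFFF'; Level = '9' }
        QSHVHOST     = @{ Guid = '{06BB9E87-F689-4ec5-9E1E-44E1D471F21F}'; Flags = '0xFFFFFFFF'; Level = '9' }
    }
    if (-not $sessions.ContainsKey($Session)) {
        throw "Unknown session '$Session'. Expected one of: $(($sessions.Keys | Sort-Object) -join ', ')"
    }

    $guid  = $sessions[$Session].Guid
    $flags = $sessions[$Session].Flags
    $level = $sessions[$Session].Level

    if (-not (Test-Path -Path $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
    }
    $etl = Join-Path $OutputDirectory "$Session.etl"

    & logman.exe start $Session -p $guid $flags $level -o $etl -ets | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "logman start $Session failed with exit code $LASTEXITCODE"
    }

    try {
        & $Reproduce
    }
    finally {
        # Stop by the same session name that was started, so that no trace
        # session is left running after troubleshooting.
        & logman.exe stop $Session -ets | Out-Null
    }

    # Return the trace file or files that the session wrote.
    Get-ChildItem -Path $OutputDirectory -Filter "$Session*.etl"
}

# Example: trace the NAP agent while the operator reproduces the problem.
# Invoke-NapTrace -Session QAgentRt
```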
NAP event logs
Event logs are one of the most useful tools for troubleshooting NAP problems. You can review event logs for NAP on NAP client computers and on servers running NPS and HRA. NAP client events and HRA events are displayed in the NAP events and errors documentation section of this topic.
The following events on servers running NPS display detailed information about NAP client access request processing:
Event ID 6272: Network Policy Server granted access to a user.
This event occurs when a NAP client computer is successfully authenticated and, depending on its health state, obtains full or restricted access to the network.
Event ID 6273: Network Policy Server denied access to a user.
This event occurs when there is a problem with authentication or authorization and is associated with a reason code. For more information, see NPS Reason Codes (https://go.microsoft.com/fwlink/?LinkId=136640).
Event ID 6274: Network Policy Server discarded the request for a user.
This event occurs if there is a configuration problem. It can occur if RADIUS client settings are incorrect or if NPS cannot create accounting logs.
Event ID 6276: Network Policy Server quarantined a user.
This event occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow limited access. It can also occur if you have configured a setting of Allow full network access for a limited time and the specified date is in the past.
Event ID 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
This event occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access for a limited time when the date specified in the policy has passed.
Event ID 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
This event occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access.
For more information about NPS events, see Network Policy Server Infrastructure.
To view NAP-related event logs on a server running NPS or HRA
Click Start, click Run, type eventvwr.msc, and then press ENTER.
Open Custom Views\Server Roles\Network Policy and Access Services.
To view NAP-related event logs on client computers
Click Start, click Run, type eventvwr.msc, and then press ENTER.
If the computer is running Windows 7 or Windows Vista, open Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.
If the computer is running Windows XP with Service Pack 3, open the System log.
NAP events and errors documentation
NAP events and errors documentation provides helpful information for troubleshooting NAP-related operating system events. The following tables list the events that can be generated by NAP client computers and Health Registration Authority (HRA) servers. Click the event ID for step-by-step troubleshooting procedures for that event.
NAP client events
| Event ID | Message | Source |
| | The System Health Agent %1 is installed but not registered with the NAP agent. | Microsoft-Windows-NetworkAccessProtection |
| | The System Health Agent %1 attempted to initialize, but failed because it has initialized already. | Microsoft-Windows-NetworkAccessProtection |
| | The System Health Agent %1 attempted to uninitialize but failed because it was not initialized. | Microsoft-Windows-NetworkAccessProtection |
| | The System Health Agent %1 successfully initialized. | Microsoft-Windows-NetworkAccessProtection |
| | The System Health Agent %1 successfully uninitialized. | Microsoft-Windows-NetworkAccessProtection |
| | The enforcement client %1 attempted to initialize but failed because it is not registered with the NAP agent. | Microsoft-Windows-NetworkAccessProtection |
| | The enforcement client %1 attempted to initialize but failed because it has already initialized. | Microsoft-Windows-NetworkAccessProtection |
| | The enforcement client %1 attempted to uninitialize but failed because it was not initialized. | Microsoft-Windows-NetworkAccessProtection |
| | The enforcement client %1 successfully initialized. | Microsoft-Windows-NetworkAccessProtection |
| | The enforcement client %1 successfully uninitialized. | Microsoft-Windows-NetworkAccessProtection |
| | The System Health Agent %1 failed the call to %2. | Microsoft-Windows-NetworkAccessProtection |
| | The enforcement client %1 failed the call to %2. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent failed to the peripheral component %1. The error code was %2. See the administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | A Statement of Health with correlation ID %1 could not be created because the maximum size of the connection is too small. | Microsoft-Windows-NetworkAccessProtection |
| | A Statement of Health Request with correlation ID %1 could not include the following System Health Agents in the statement of Health: %2 | Microsoft-Windows-NetworkAccessProtection |
| | A packet has been received with an unexpected correlation of %1 instead of %2. | Microsoft-Windows-NetworkAccessProtection |
| | The Statement of Health Response contained configuration for the following SHAs that are not installed on this computer: %1 | Microsoft-Windows-NetworkAccessProtection |
| | System Isolation State Change. Previous : State : %1 (%2) Probation Time : %3 Help URL : %4 Current : State : %5 (%6) Probation Time : %7 Help URL : %8 | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The server was not available to service the request (%3). This server will not be tried again for %4 minutes. See the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The server denied access to the request (%3). This server will not be tried again for %4 minutes. See the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The request failed with the error code (%3). This server will not be tried again for %4 minutes. See the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent successfully acquired a certificate for the request with the correlation-id %2 from %1. The certificate can be identified by its thumbprint of %3 | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent successfully deleted the certificate with the thumbprint of %1. The certificate has expired or the health state of the client has changed or a replacement certificate has been acquired. See the administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent failed to delete the certificate with the thumbprint of %1. The certificate could not be found or the Network Access Protection Agent has insufficient privileges to delete the certificate (%2). See the administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The client loaded NAP group policy. | Microsoft-Windows-NetworkAccessProtection |
| | The NAP service has started. NAP has the following information for this computer: Computer name is %1. Domain status is: %2. The operating system SKU is: %4. The service pack version is: %6. The processor type is: %5. | Microsoft-Windows-NetworkAccessProtection |
| | A Statement of Health with correlation ID %1 was received from the System Health Agent %2. The duration to check the client's health was %3 ms. | Microsoft-Windows-NetworkAccessProtection |
| | A Statement of Health with correlation ID %1 was sent to the enforcement client %2. | Microsoft-Windows-NetworkAccessProtection |
| | A Statement of Health Response with correlation ID %1 was received from the enforcement client %2. The current client state is %3. The following SHAs report this client non-compliant: %4 The following error categories were encountered: %5 The probation expiration time is: %6 The help URL is: %7 The duration of health check was %8 ms. | Microsoft-Windows-NetworkAccessProtection |
| | The System Health Agent %1 has returned an error code %2. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection agent failed to initialize the following enrollment configuration. HRA Group : %1 CSP Name : %2 Key Specification : %3 Key Length : %4 Signature Algorithm : %5 The initialization failed with the error code (%6). See the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The server was not available to service the request (%3). See the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The server denied access to the request (%3). See the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The request failed with the error code (%3). See the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1. The server presented a certificate that is not trusted for Enterprise authentication. This server will not be tried again for %4 minutes. Contact the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1. The validation of the server certificate for SSL resulted in an error %3, the certificate is not appropriate for SSL. This server will not be tried again for %4 minutes. Contact the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1. The server presented a certificate that is not trusted for Enterprise authentication. Contact the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1. The validation of the server certificate for SSL resulted in an error %3, the certificate is not appropriate for SSL. Contact the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from. A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made. Contact the HRA administrator for more information. | Microsoft-Windows-NetworkAccessProtection |
| | The Network Access Protection Agent has dynamically discovered the following HRAs for this network (using the query %1): %2 The DNS servers in your configuration at the time this discovery took place included: %3 | Microsoft-Windows-NetworkAccessProtection |
| | System Isolation State Change. Extended State details: Previous : Extended State : %1 (%2) Current : Extended State : %3 (%4) | Microsoft-Windows-NetworkAccessProtection |
| | A Statement of Health Response with correlation ID %1 was just received from the enforcement client %2. The extended state in that Statement of Health Response was %3. | Microsoft-Windows-NetworkAccessProtection |
| | The Microsoft Security System Health Agent detected a change in the status of %1 | Microsoft-Windows-SystemHealthAgent |
| | The Microsoft Security System Health Agent detected a change in the status of %1 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent was initialized successfully. Scan Interval: %1 minutes. Time delay before first scan: %2 seconds. Time interval between manual remediation state change: %3 seconds. Manual remediation timeout interval: %4 seconds. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent could not be initialized. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent was uninitialized successfully. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent completed an online scan. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent failed to complete an online scan. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent completed an offline scan. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent failed to complete an offline scan. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent completed a download of security updates. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent failed to complete a download of security updates. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent completed an install of security updates. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent failed to complete an install of security updates. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for firewall succeeded. Windows Firewall was turned on successfully. | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for firewall failed. Windows could not turn on Windows Firewall. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for Automatic Updates succeeded. Automatic Updates was turned on successfully. | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for Automatic Updates failed. Windows could not turn on Automatic Updates. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for Windows Security Center service succeeded. Windows Security Center service was turned on successfully. | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for Windows Security Center service failed. Windows could not turn on Windows Security Center service. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for antispyware succeeded. Windows defender was turned on successfully. | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for antispyware failed. Windows could not turn on Windows Defender. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for antispyware signatures succeeded. Windows Defender signatures were updated successfully. | Microsoft-Windows-SystemHealthAgent |
| | Automatic remediation for antispyware signatures failed. Windows could not update signatures for Windows Defender. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Center detected a system health state change. The change in state was also successfully detected by the Windows Security Health Agent. | Microsoft-Windows-SystemHealthAgent |
| | Windows Security Center detected a system health state change but the Windows Security Health Agent could not enumerate the state change. Failure Code: %1 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent specified a new security health state for the computer. The correlation id for this transaction is %1 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent failed to specify a new security health state for the computer. Failure Code: %1. The correlation id for this transaction is %2 | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent notified the Windows Network Access Protection Service of a change in the security health state of the computer. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent failed to notify the Windows Network Access Protection Service of a change in the security health state of the computer. Failure Code: %1. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent successfully processed a response from the Windows Security Health Validator. The correlation id for this transaction is %1. | Microsoft-Windows-SystemHealthAgent |
| | The Windows Security Health Agent failed to process a response from the Windows Security Health Validator. Failure Code: %1. The correlation id for this transaction is %2. | Microsoft-Windows-SystemHealthAgent |
HRA events
| Event ID | Message | Source |
|---|---|---|
| | Microsoft Health Registration Authority extension started successfully. | HRA |
| | The Health Registration Authority was unable to read the request from the host at %1. See the Health Registration Authority administrator for more information. | HRA |
| | The Health Registration Authority encountered an error processing the response for the request with the correlation-id %1 at %2 (principal %3) (error %4). See the Health Registration Authority administrator for more information. | HRA |
| | The Health Registration Authority encountered an internal error (%1). Restart the Health Registration Authority Web site in IIS. See the Network Policy Server administrator for more information. | HRA |
| 5 | Event deprecated | HRA |
| | The Health Registration Authority extension has stopped successfully. | HRA |
| | The Health Registration Authority denied the request with the correlation-id %1 at %2 (principal %3) because the request was not authorized (%4). Discarding the request. | HRA |
| | The Health Registration Authority is mis-configured or cannot read its configuration, stopping Health Registration Authority. See the Health Registration Authority administrator for more information. | HRA |
| | The Health Registration Authority was unable to acquire a certificate for request with the correlation-id %1 at %2 (principal: %3). Discarding the request. The Certificate Server %4 denied the request with the following error: %5 (%6). See the Certificate Server administrator for more information. | HRA |
| | The Health Registration Authority was unable to acquire a certificate for request with the correlation-id %1 at %2 (principal: %3). The Certificate Server %4 denied the request with the following error: %6 (%7). This failure was possibly due to a network related issue. The request will be discarded if no other certificate servers are available. This server will not be tried again for %5 minutes. See the Certificate Server administrator for more information. | HRA |
| | Microsoft Health Registration Authority could not contact IAS: %1 | HRA |
| | Microsoft Health Registration Authority received a clear session from %1. See the Health Registration Authority administrator for more information. | HRA |
| | Microsoft Health Registration Authority approved a request. | HRA |
| | Microsoft Health Registration Authority denied a request. The Network Policy Server has indicated that the client should be quarantined. | HRA |
| 15 | Audit event | HRA |
| 16 | Audit event | HRA |
| 17 | Audit event | HRA |
| 18 | Audit event | HRA |
| 19 | Audit event | HRA |
| | Microsoft The Health Registration Authority failed to validate the cert request against the configuration. The Health Registration Authority denied the request with the correlation-id %1 at %2 (principal: %3) because it did not satisfy the cryptographic policy (%4). Discarding the request. | HRA |
| | The Health Registration Authority has approved the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server has indicated that the client should be placed in probation. | HRA |
| | The Health Registration Authority has approved the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server has indicated that the client should be given full access. | HRA |
| | The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server was not available to service the request (%4). See the Network Policy Server administrator for more information. | HRA |
| | The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server had no policy matching the request (%4). See the Network Policy Server administrator for more information. | HRA |
| | The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server denied the request because the request was not authorized (%4). See the Network Policy Server administrator for more information. | HRA |
| | The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server denied the request (%4). See the Network Policy Server administrator for more information. | HRA |
| | The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server (NPS) denied the request because the request was malformed (%4). Verify the Health Registration Authority configuration or contact its administrator for more information. | HRA |
| | The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server (NPS) was unable to contact one of the resources necessary to validate the request (%4). See the Network Policy Server administrator for more information. | HRA |
| | Microsoft Health Registration Authority denied the certificate request with the correlation-id %1 at %2 for (principal: %3). Either no certificate servers are configured or the certificate servers that are configured are not available. Contact the Health Registration Authority for more information | HRA |
| | The Health Registration Authority was unable to connect to the Certification Authority to remove expired records. The Certification Authority %1 denied the request with the following error: %2. Contact the Certification Authority administrator to check the permissions and for more information.%3 | HRA |
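When HRA events are exported as text for triage, the message templates in the table above can be used to pull the correlation ID, IP address, and principal back out of each rendered message. The following Python sketch is an added example, not Microsoft code: it assumes the rendered text is the template with its %N insertion strings substituted, and the outcome keys, field names, and sample values are constructed for illustration.

```python
import re
from collections import Counter

# Templates copied from the HRA events table; %1..%4 are insertion strings.
# Outcome keys and field names are labels chosen for this example.
APPROVED = ("The Health Registration Authority has approved the request with the "
            "Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy "
            "Server has indicated that the client should be ")
UNABLE = ("The Health Registration Authority was unable to validate the request with "
          "the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy "
          "Server ")
TAIL = " See the Network Policy Server administrator for more information."
TEMPLATES = {
    "full_access": APPROVED + "given full access.",
    "probation": APPROVED + "placed in probation.",
    "no_matching_policy": UNABLE + "had no policy matching the request (%4)." + TAIL,
    "not_authorized": UNABLE + "denied the request because the request was not authorized (%4)." + TAIL,
    "nps_denied": UNABLE + "denied the request (%4)." + TAIL,
}
FIELDS = {"1": "correlation_id", "2": "ip", "3": "principal", "4": "detail"}

def compile_template(template):
    """Anchored regex: literal text escaped, each %N becomes a named lazy group."""
    parts = re.split(r"%(\d)", template)  # literals at even indexes, N at odd
    body = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{FIELDS[p]}>.+?)"
                   for i, p in enumerate(parts))
    return re.compile(f"^{body}$")

COMPILED = {name: compile_template(t) for name, t in TEMPLATES.items()}

def parse_hra_message(message):
    """Return the outcome and extracted fields, or None if no template matches."""
    text = " ".join(message.split())  # undo line wrapping in exported event text
    for outcome, regex in COMPILED.items():
        match = regex.match(text)
        if match:
            return {"outcome": outcome, **match.groupdict()}
    return None

def failures_by_principal(messages):
    """Count requests per principal that ended in neither full access nor probation."""
    events = filter(None, map(parse_hra_message, messages))
    return Counter(e["principal"] for e in events
                   if e["outcome"] not in ("full_access", "probation"))

# Constructed sample messages: IDs, addresses, principals and error text are made up.
SAMPLE = [
    "The Health Registration Authority has approved the request with the Correlation ID c-0001 at IP address 192.0.2.10 (Principal: CONTOSO\\pc01$). The Network Policy Server has indicated that the client should be given full access.",
    "The Health Registration Authority was unable to validate the request with the Correlation ID c-0002 at IP address 192.0.2.11 (Principal: CONTOSO\\pc02$). The Network Policy Server\ndenied the request because the request was not authorized (constructed detail). See the Network Policy Server administrator for more information.",
]
```

Calling `failures_by_principal(SAMPLE)` reports one failed validation for the second principal; messages that match none of the listed templates return `None` and are skipped rather than guessed at.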
Microsoft Management Console
You can review settings for important NAP-related services using the following consoles:
NPS console
You can use the NPS console to review RADIUS client settings, NPS policy settings, SHV settings, remediation server group settings, and accounting settings.
Membership in the local Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To troubleshoot NAP using the NPS console
Click Start, click Run, type nps.msc, and then press ENTER.
Open RADIUS Clients and Servers, and review settings for RADIUS Clients and Remote RADIUS Server Groups.
Open Policies, and review settings for Connection Request Policies, Network Policies, and Health Policies.
Open Network Access Protection, and review settings for System Health Validators and Remediation Server Groups.
Open Accounting, and review settings for Local File Logging and SQL Server Logging.
NAP Client Configuration console
You can use the NAP Client Configuration console to review NAP client settings on the local computer. The NAP Client Configuration console is not available on computers running Windows XP.
Important
NAP client settings configured using the NAP Client Configuration console will be ignored if NAP client settings are configured in Group Policy.
## To troubleshoot NAP using the NAP Client Configuration console
1. Click **Start**, click **Run**, type **napclcfg.msc**, and then press ENTER.
2. Open **Enforcement Clients**, and review settings for NAP enforcement clients.
3. Open **User Interface Settings**, and review settings for NAP notifications.
4. Open **Health Registration Settings**, and review cryptographic settings and trusted server group settings.
Certification Authority console
You can use the Certification Authority console to troubleshoot certificate permission and issuing problems.
To troubleshoot NAP using the Certification Authority console
Click Start, click Run, type certsrv.msc, and then press ENTER.
Open the console tree and review certificates in Issued Certificates, Pending Requests, Failed Requests, and Certificate Templates.
Right-click the name of the CA, and then click Properties.
In the CA properties window, review settings on the Policy Module tab and the Security tab.
Certificate Templates console
If you are using an enterprise CA, you can use the Certificate Templates console to review permissions and settings on NAP health certificate templates.
To troubleshoot NAP using the Certificate Templates console
Click Start, click Run, type certtmpl.msc, and then press ENTER.
In the details pane, right-click System Health Authentication, and review settings on the Subject Name tab, the Extensions tab, and the Security tab.
MMC snap-ins
You can use MMC snap-ins to review NAP settings and monitor NAP activity.
HRA snap-in
Use the HRA snap-in to troubleshoot CA settings and cryptographic settings.
Membership in the local Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To troubleshoot NAP using the HRA snap-in
Click Start, click Run, type mmc, and then press ENTER.
Click File, click Add/Remove Snap-in, click Health Registration Authority, click Add, and then click OK twice.
Click Certification Authority, and review the list of CAs.
Right-click Certification Authority, and then click Properties.
In Certification Authorities, review the settings for CA availability, certificate validity period, CA type, and CA templates.
Certificates snap-in
You can use the Certificates snap-in to review certificates that have been issued to the NAP client computer and NAP servers.
To troubleshoot NAP using the Certificates snap-in
Click Start, click Run, type mmc, and then press ENTER.
Click File, click Add/Remove Snap-in, click Certificates, click Add, select Computer account, click Next, click Finish, and then click OK.
Open Personal\Certificates, and review the certificates.
Open Trusted Root Certification Authorities\Certificates, and review the certificates.
IP Security Monitor snap-in
You can use the IP Security Monitor snap-in to review IPsec security associations (SAs) on NAP client computers and server components that are part of a NAP with IPsec enforcement infrastructure.
To troubleshoot NAP using the IP Security Monitor snap-in
Click Start, click Run, type mmc, and then press ENTER.
Click File, click Add/Remove Snap-in, click IP Security Monitor, click Add, and then click OK.
Open Main Mode\Security Associations, and review the associations.
Open Quick Mode\Security Associations, and review the associations.