Use the following procedures on your Network Access Protection (NAP) certification authorities (CAs) to verify that these servers are correctly configured for use with Health Registration Authority (HRA) and the NAP Internet Protocol security (IPsec) enforcement method. NAP CAs are servers that have Active Directory® Certificate Services (AD CS) installed and running and can issue NAP health certificates. For more information about AD CS, see https://go.microsoft.com/fwlink/?LinkId=127816.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

Choosing a NAP CA

HRA must be associated with at least one CA in order to obtain and issue NAP health certificates to compliant NAP client computers. You can select a CA during the installation of HRA by choosing to install the CA locally or by selecting an existing remote CA. You can also add NAP CAs later using the HRA snap-in or a command line. You must use the HRA snap-in or a command line in order to associate more than one CA with HRA. You can configure HRA to use either an enterprise CA or standalone CA. Configuration requirements for a NAP CA differ depending on the type of CA that you choose. You must configure CA security settings and certificate issuance requirements whether you choose a standalone or enterprise CA. In its recommended configuration, HRA is associated with a dedicated standalone subordinate CA. For more information about configuring HRA to use a NAP CA, see Configure NAP Certification Authority.

Choosing a standalone CA

A standalone CA does not use certificate templates. Therefore, you do not need to configure a health certificate template when you use a standalone NAP CA. If you choose a standalone CA, you must still configure CA security settings and certificate issuance requirements so that HRA can request and automatically issue health certificates to compliant client computers.

Choosing an enterprise CA

An enterprise CA issues certificates based on certificate templates. The policy module is used to provide a list of certificate extensions to the issued certificates, such as system health authentication for NAP. If your enterprise CA is running Windows Server® 2008, then the System Health Authentication certificate template is available by default with application policy extensions suitable for domain and health authentication. If your enterprise CA is running Windows Server® 2003, then you must create and publish a template containing these application policy extensions. You can use the following procedures to verify that enterprise CAs are configured to automatically issue health certificates with the correct application policy extensions.

Verify template availability

If your enterprise CA server is running Windows Server 2008, a certificate template for domain-authenticated NAP clients is automatically available with a display name of System Health Authentication. If your enterprise CA is running Windows Server 2003, this template must be created. Use the following procedure to verify that a NAP health certificate template is available with the correct application policy extensions, or create this template if it is not available. This procedure does not apply if you are using a standalone CA.

To verify template availability
  1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

  2. In the details pane, under Template Display Name, review the list of templates. Double-click the name of your NAP health certificate template. If a NAP health certificate template is not listed, perform the following steps:

    1. Right-click Workstation Authentication, and then click Duplicate Template.

    2. Under Template display name, type System Health Authentication, and then click the Extensions tab.

    3. Under Extensions included in this template, click Application Policies, and then click Edit.

    4. Click Add, and then click New.

    5. In New Application Policy, under Name, type System Health Authentication.

    6. Under Object identifier, type 1.3.6.1.4.1.311.47.1.1, and then click OK four times.

    7. Confirm that your new template was created successfully.

    8. To verify your new template, double-click its name and complete the remaining steps in this procedure.

  3. Click the Extensions tab.

  4. Under Extensions included in this template, click Application Policies.

  5. Under Description of Application Policies, verify that System Health Authentication and Client Authentication are listed, and then click Edit.

  6. Click System Health Authentication, and then click Edit.

  7. In Edit Application Policy, under Object identifier, verify the value is 1.3.6.1.4.1.311.47.1.1. If the value of the application policy object identifier is different, then use the previous steps in this procedure to create a new system health authentication template. You should also correct application policy names so that the object identifier associated with System Health Authentication is 1.3.6.1.4.1.311.47.1.1.

  8. Click Cancel three times, and then close the Certificate Templates console.

Note

If this certificate template is used to issue anonymous health certificates, do not include the Client Authentication application policy. Certificates containing the client authentication application policy are issued to clients that authenticate with domain credentials.

Verify certificate availability

On an enterprise CA, certificates must be made available before they can be issued to client computers. Use the following procedure to ensure that your NAP health certificate is available to be issued. This procedure does not apply if you are using a standalone CA.

To verify certificate availability
  1. Click Start, click Run, type certsvr.msc, and then press ENTER.

  2. In the console tree, click Certificate Templates.

  3. In the details pane, under Name, verify that your NAP health certificate is listed. If your enterprise CA server is running Windows Server 2008, the default health certificate template for domain authenticated NAP clients has a display name of System Health Authentication.

  4. If the health certificate template has been created, but is not displayed in the list, use the following steps to issue the template:

    1. Right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

    2. In Enable Certificate Templates, under Name, click the name of your NAP health certificate, and then click OK. If the template is not listed, then it has already been enabled, or you must create it before you perform this procedure.

    3. Verify that your NAP health certificate template is added to the list of templates.

  5. Close the Certification Authority console.

Verify certificate enrollment permissions for HRA

In order for HRA to obtain certificates from an enterprise CA and issue these to clients, it must be granted permission to enroll the health certificate. Enabling autoenroll permission allows HRA to automatically add this certificate to its local certificate store. If only enroll permission are allowed, you must manually provision a health certificate on the HRA server. Use the following procedure to verify that HRA has been granted these permissions. This procedure does not apply if you are using a standalone CA.

To verify certificate enrollment permissions for HRA
  1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

  2. In the details pane, under Template Display Name, double-click the name of your NAP health certificate. If your enterprise CA server is running Windows Server 2008, the default health certificate template for domain-authenticated NAP clients has a display name of System Health Authentication.

  3. Click the Security tab.

  4. Verify that Enroll and Autoenroll permissions have been granted to the DNS name of your HRA server, or to a group of which the HRA server is a member. If these permissions are not allowed, perform the following steps:

    1. Click Add, click Object Types, select the Computers check box, and then click OK.

    2. Under Enter the object names to select, type the DNS name of your HRA server, and then click OK. Alternatively, you can type the name of a group of which the HRA server is a member.

    3. Click the name or group you added, select Allow permissions for Enroll and Autoenroll, and then click OK.

  5. Close the Certificate Templates console.

Verify CA security settings

CA security settings determine whether HRA has permission to issue health certificates. Use the following procedure to verify these permissions on your NAP CAs. This procedure applies to both enterprise and standalone CA servers.

To verify certificate security settings
  1. Click Start, click Run, type certsrv.msc, and then press ENTER.

  2. Right-click the common name for your CA, and then click Properties.

  3. Click the Security tab.

  4. If your HRA and NAP CA are running on the same computer, verify that NETWORK SERVICE is found under Group or user names.

  5. If your HRA and NAP CA are running on different computers, verify that the computer name for your HRA server is found under Group or user names.

  6. Click the name of your HRA server, or click NETWORK SERVICE, and verify that permissions are allowed to Issue and Manage Certificates, Manage CA, and Request Certificates.

  7. Click OK, and then close the Certification Authority console.

Verify certificate issuance requirements

In order for NAP client computers to acquire health certificates immediately when they are determined to be compliant with network health requirements, NAP CAs must be configured to issue health certificates automatically. Use the following procedure to verify that certificates are issued automatically. This procedure applies to both enterprise and standalone CA servers.

To verify certificate issuance requirements
  1. Click Start, click Run, type certsrv.msc, and then press ENTER.

  2. Right-click the common name of your CA, and then click Properties.

  3. Click the Policy Module tab, and then click Properties.

  4. Verify that Follow the settings in the certificate template is selected.

  5. Click OK twice, and then close the Certification Authority console.

Additional references