HRA Was Unable to Remove Expired Records from the NAP CA
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
This error condition indicates that Health Registration Authority (HRA) does not have permission to remove expired records from the certification authority (CA) database, or that the HRA server has lost connectivity to the CA server.
Description of systems behavior
By default, HRA will attempt to manage the CA database by periodically removing expired records. If HRA does not have permission to remove records, the operation will fail. If the CA database then grows until there is no disk capacity left on the NAP CA, the CA will stop working.
Associated operating system events
- HRA event ID 30: The Health Registration Authority was unable to connect to the Certification Authority to remove expired records. The Certification Authority %1 denied the request with the following error: %2. Contact the Certification Authority administrator to check the permissions and for more information. %3.
Root cause diagnosis and resolution
This condition can occur during a network outage or if permission settings are missing. To repair this condition, configure the appropriate permission settings or restore network connectivity.
HRA does not have permission to remove expired records
Due to the short-lived nature of health certificates, the number of expired certificates in the CA database can be excessive. Therefore, it is important to monitor the size of the CA database carefully.
Resolution
To repair this condition, grant HRA permission to manage the CA database. If your HRA and NAP CA are running on the same computer, Network Service must be granted permission to manage the CA. If your HRA and NAP CA are running on different computers, this permission must be granted to the computer name for your HRA server. If you use another method to maintain the CA database, you can disable HRA from performing this function.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To repair this problem
On the computer where Active Directory Certificate Services (AD CS) is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
Right-click the common name for your CA, and then click Properties.
Click the Security tab, and then click Add.
If HRA is running on the CA server, under Enter the object names to select, type Network Service, and then click OK.
If HRA is running on a server other than the CA server, click Object Types, select Computers, and then click OK. Under Enter the object names to select, type the DNS name of your HRA server, and then click OK.
Click the name of your HRA server, or click NETWORK SERVICE, and for Manage CA, select Allow.
Click OK, and then close the Certification Authority console.
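The two root causes named above (lost connectivity versus missing Manage CA permission) produce the same event ID 30, so it helps to pull the CA name and error text out of the logged events and then probe the CA directly. The following PowerShell is an added example, not part of the original article or of the HRA product; it assumes the event log name ($LogName) and the CA configuration string ($CaConfig, in "CAHostName\CACommonName" form) are supplied by the administrator, since the page states neither.

```powershell
# Added example (not from the original article): triage HRA event ID 30.
# Assumptions, labelled: $LogName (where HRA writes on your server) and
# $CaConfig (the CA to probe) are administrator-supplied values.

function Get-HraCleanupDenials {
    param(
        [string]$LogName = 'System',   # assumed log name; adjust for your server
        [int]$MaxEvents = 20
    )
    # Event 30 text: "...The Certification Authority %1 denied the request with
    # the following error: %2. Contact the Certification Authority administrator..."
    # Recover %1 (CA name) and %2 (error) from the rendered message.
    $pattern = 'Certification Authority (?<ca>.+?) denied the request with the following error: (?<err>.+?)\. Contact'
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 30 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Health Registration Authority' } |
        ForEach-Object {
            $m = [regex]::Match($_.Message, $pattern)
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                CA          = if ($m.Success) { $m.Groups['ca'].Value }  else { '(unparsed)' }
                Error       = if ($m.Success) { $m.Groups['err'].Value } else { $_.Message }
            }
        }
}

function Test-NapCaReachable {
    param([Parameter(Mandatory)][string]$CaConfig)   # e.g. 'ca01.contoso.example\Contoso NAP CA' (constructed)
    # certutil -ping contacts the CA's RPC interface. Unreachable: connectivity is
    # the problem. Reachable while event 30 keeps firing: permissions are the problem.
    $out = & certutil.exe -ping -config $CaConfig 2>&1
    [pscustomobject]@{
        CaConfig  = $CaConfig
        Reachable = ($LASTEXITCODE -eq 0)
        Detail    = ($out | Select-Object -Last 1)
    }
}

Get-HraCleanupDenials | Format-Table -AutoSize
Test-NapCaReachable -CaConfig 'CAHOST\CA-NAME'   # placeholder config string, replace with yours
```

Run it in an elevated session on the HRA server. If Test-NapCaReachable reports the CA reachable but Get-HraCleanupDenials keeps returning fresh events, the Manage CA permission for NETWORK SERVICE (same computer) or the HRA computer account (separate computers) is the next thing to verify in the procedure above.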
Disable HRA from removing expired records
If you use another method to maintain the CA database, you can disable HRA from performing this function.
Resolution
To disable HRA from performing this function, set the CertDBCleanupInterval time to 0.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To repair this problem
On the computer where AD CS is installed, click Start, click Run, type regedit, and then press ENTER.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HCS.
In the details pane, double-click CertDBCleanupInterval.
In the Edit DWORD dialog box, under Value data, the default value of 12c is displayed in hexadecimal notation.
Under Base, click Decimal. The value of Value data will change to 300, corresponding to the default CA database cleanup period of 300 seconds.
Under Value data, type 0, and then click OK.
Close the Registry Editor.
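The same registry change can be inspected and made from PowerShell. This is an added example, not part of the original article or of the HRA product; the registry path, value name and default (0x12c = 300 seconds) come from the page, while the function names and the -WhatIf guard are this example's own.

```powershell
# Added example (not from the original article): read and, if wanted, zero the
# CertDBCleanupInterval value that the Registry Editor steps above edit.
# Path, value name and default are from the page; function names are this example's.

$HcsKey = 'HKLM:\SOFTWARE\Microsoft\HCS'

function Get-HraCertDbCleanupInterval {
    # The value already exists on an HRA server (the GUI steps double-click it).
    $value = (Get-ItemProperty -Path $HcsKey -Name CertDBCleanupInterval -ErrorAction Stop).CertDBCleanupInterval
    [pscustomobject]@{
        Hex             = ('0x{0:x}' -f $value)   # what the GUI shows with Base = Hexadecimal (12c by default)
        Seconds         = $value                   # what it shows with Base = Decimal (300 by default)
        CleanupDisabled = ($value -eq 0)           # 0 = HRA no longer removes expired records
    }
}

function Disable-HraCertDbCleanup {
    # Supports -WhatIf / -Confirm so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($HcsKey, 'Set CertDBCleanupInterval to 0')) {
        Set-ItemProperty -Path $HcsKey -Name CertDBCleanupInterval -Value 0 -Type DWord
    }
}

Get-HraCertDbCleanupInterval
# Disable-HraCertDbCleanup -WhatIf   # preview; drop -WhatIf only once another CA database cleanup method is in place
```

Run it in an elevated session (local Administrators, as the procedure requires). Before disabling HRA cleanup, confirm that whatever replaces it actually runs, since an unbounded CA database is the failure mode described at the top of this page.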