Event ID 30 — CA Availability and Configuration
Applies To: Windows Server 2008 R2
Health Registration Authority (HRA) must be associated with one or more certification authority (CA) servers. These CA servers must be configured to provide health certificates when HRA issues a request on behalf of a compliant Network Access Protection (NAP) client computer. CA servers can also be configured to allow HRA to manage the CA database.
If the HRA or CA server configuration is not correct, or if CA servers are not responding, compliant NAP client computers will be unable to acquire health certificates and their network access might be restricted.
Event Details
| Field | Value |
|---|---|
| Product | Windows Operating System |
| ID | 30 |
| Source | HRA |
| Version | 6.1 |
| Symbolic Name | HRA_ERROR_COULD_NOT_PURGE_EXPIRED_RECORDS |
| Message | The Health Registration Authority was unable to connect to the Certification Authority to remove expired records. The Certification Authority %1 denied the request with the following error: %2. Contact the Certification Authority administrator to check the permissions and for more information.%3 |
Resolve
Grant HRA permission to manage the CA server
Due to the short-lived nature of health certificates, the number of expired certificates in the CA database can be excessive. Therefore, it is important to monitor the size of the CA database carefully. By default, HRA will attempt to manage the CA database by periodically removing expired records. If your HRA and NAP CA are running on the same computer, Network Service must be granted permission to manage the CA. If your HRA and NAP CA are running on different computers, this permission must be granted to the computer name for your HRA server. If you use another method to maintain the CA database, you can disable HRA from performing this function.
This error condition indicates that HRA does not have the permission required to remove expired records from the CA database, or that the HRA server has lost connectivity to the CA server.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Grant permission to HRA to remove expired records
To grant permission to HRA to remove expired records from the CA database:
- On the computer where Active Directory Certificate Services (AD CS) is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
- Right-click the common name for your CA, and then click Properties.
- Click the Security tab, and then click Add.
- If HRA is running on the CA server, under Enter the object names to select, type Network Service, and then click OK.
- If HRA is running on a server other than the CA server, click Object Types, select the Computers check box, and then click OK. Under Enter the object names to select, type the DNS name of your HRA server, and then click OK.
- Click the name of your HRA server, or click NETWORK SERVICE, and for Manage CA, select Allow.
- Click OK, and then close the Certification Authority console.
Disable HRA from removing expired records
To disable HRA from removing expired records from the CA database:
- On the computer where AD CS is installed, click Start, click Run, type regedit, and then press ENTER.
- Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HCS registry key.
- In the details pane, double-click CertDBCleanupInterval.
- In the Edit DWORD dialog box, under Value data, the default value of 12c is displayed in hexadecimal notation.
- Under Base, click Decimal. The value of Value data will change to 300, corresponding to the default CA database cleanup period of 300 seconds.
- Under Value data, type the number 0, and then click OK.
- Close the Registry Editor window.
Note: If you disable HRA from removing expired records from the CA database, you must use another method for managing the CA database.
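The registry procedure above, as an added PowerShell example (this is not code from the original article): it reads CertDBCleanupInterval, shows it in both the hexadecimal form that reg query and the Registry Editor display and the decimal form the article explains, and sets it to 0 to disable HRA's own cleanup or back to the article's default of 300 seconds. The key path, value name and the 0x12c/300 default are taken from the article; the function names are this example's own. Run it in an elevated PowerShell session on the HRA server.

```powershell
# Added example, not part of the original article. Key path, value name and the
# default of 0x12c (300 seconds) are those the article gives.
$HcsKey  = 'HKLM:\SOFTWARE\Microsoft\HCS'
$Name    = 'CertDBCleanupInterval'
$Default = 300   # seconds; shown as 12c in the Registry Editor's hexadecimal base

function Get-HraCleanupInterval {
    # Returns $null when the value is absent (HRA then uses its built-in default).
    $item = Get-ItemProperty -Path $HcsKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $seconds = [int]$item.$Name
    [pscustomobject]@{
        Seconds  = $seconds
        Hex      = ('0x{0:x}' -f $seconds)   # same notation reg query prints (0x12c)
        Disabled = ($seconds -eq 0)          # 0 turns off HRA's expired-record cleanup
    }
}

function Set-HraCleanupInterval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$Seconds
    )
    if (-not (Test-Path $HcsKey)) {
        throw "Registry key $HcsKey not found; is HRA installed on this computer?"
    }
    if ($PSCmdlet.ShouldProcess("$HcsKey\$Name", "set to $Seconds seconds")) {
        # DWORD, exactly as the Registry Editor procedure edits it
        Set-ItemProperty -Path $HcsKey -Name $Name -Value $Seconds -Type DWord
    }
    Get-HraCleanupInterval
}

# Usage:
#   Get-HraCleanupInterval                            # current interval, hex and decimal
#   Set-HraCleanupInterval -Seconds 0                 # disable HRA's own cleanup
#   Set-HraCleanupInterval -Seconds $Default -WhatIf  # preview restoring the 300 s default
```

Because Set-HraCleanupInterval supports -WhatIf, the change can be previewed before it is written; remember that a value of 0 hands responsibility for purging expired health certificates to whatever other CA database maintenance you have in place.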
Verify
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To verify that the CA servers are responding, and that AD CS and HRA are configured to issue health certificates:
- On the computer where AD CS is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
- In the console tree, click Issued Certificates.
- In the details pane, under Certificate Effective Date, confirm that health certificates are being issued with a current date.
- In the console tree, click Failed Requests.
- In the details pane, under Request Submission Date, confirm that there are no failed health certificate requests displayed with a current date.
- In the console tree, click Pending Requests.
- In the details pane, under Request Submission Date, confirm that there are no pending health certificate requests displayed with a current date.
To verify that HRA is successfully removing expired records from the CA database:
- On the computer where AD CS is installed, click Start, and then click Command Prompt.
- In the command window, type reg query hklm\software\microsoft\hcs, and then press ENTER.
- In the command output, record the value of CertDBCleanupInterval. This is the time interval, in seconds, used by HRA to remove expired records from the CA database. The value is expressed in hexadecimal notation, and by default is set to 0x12c, which corresponds to 300 seconds.
- Click Start, click Run, type certsrv.msc, and then press ENTER.
- In the Certification Authority console tree, click Issued Certificates.
- In the details pane, under Certificate Expiration Date, verify that no certificates have been expired for longer than the value of CertDBCleanupInterval.
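The two verification procedures above, as an added PowerShell example that is not part of the original article: it reads CertDBCleanupInterval from the registry key the article names, then queries the CA database with certutil -view for issued certificates that expired longer ago than that interval (records HRA should already have purged), and for failed or pending requests submitted today. Everything beyond the article is an assumption of this example: the -config "<server>\<CA common name>" form for a remote CA, the certutil disposition codes (20 issued, 30 failed, 9 pending), the column names NotAfter and Request.SubmittedWhen, and a MM/dd/yyyy HH:mm:ss date string that certutil parses on a US-style locale.

```powershell
# Added example, not part of the original article. Assumed (not from the page):
# certutil -view restriction syntax, disposition codes 20/30/9, column names,
# and the date format below. Run elevated on the CA, or pass -Config for a remote CA.
param([string]$Config)   # placeholder form: 'CA01.example.com\Example-HRA-CA'

$ConfigArgs = if ($Config) { @('-config', $Config) } else { @() }

function Get-CleanupIntervalSeconds {
    $v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\HCS' -Name CertDBCleanupInterval -ErrorAction SilentlyContinue
    if ($v) { [int]$v.CertDBCleanupInterval } else { 300 }   # article's default: 0x12c = 300 s
}

function Invoke-CaView([string]$Restrict, [string]$Columns) {
    # certutil -view prints one "Row N:" block per matching record; return those lines.
    $out = & certutil @ConfigArgs -view -restrict $Restrict -out $Columns 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($out -join "`n")" }
    @($out | Where-Object { "$_" -match '^\s*Row \d+:' })
}

$Fmt   = 'MM/dd/yyyy HH:mm:ss'
$Now   = Get-Date
$Today = $Now.Date.ToString($Fmt)

# 1. Issued certificates that expired more than CertDBCleanupInterval seconds ago.
#    HRA should already have removed these; rows here mean cleanup is not working
#    (or, when the interval is 0, that your other maintenance method has not run).
$interval = Get-CleanupIntervalSeconds
$cutoff   = $Now.AddSeconds(-$interval).ToString($Fmt)
$stale    = Invoke-CaView "Disposition=20,NotAfter<=$cutoff" 'RequestID,NotAfter'

# 2. Failed and pending requests submitted today point to an issuance problem
#    between HRA and the CA (permissions, template, or connectivity).
$failed  = Invoke-CaView "Disposition=30,Request.SubmittedWhen>=$Today" 'RequestID,Request.SubmittedWhen'
$pending = Invoke-CaView "Disposition=9,Request.SubmittedWhen>=$Today"  'RequestID,Request.SubmittedWhen'

[pscustomobject]@{
    CleanupIntervalSeconds = $interval
    CleanupDisabled        = ($interval -eq 0)
    StaleExpiredCerts      = $stale.Count
    FailedRequestsToday    = $failed.Count
    PendingRequestsToday   = $pending.Count
}
```

A healthy HRA/CA pair reports zero for all three counts; a non-zero StaleExpiredCerts with CleanupDisabled false is the condition Event ID 30 describes and is the cue to check the Manage CA permission and connectivity to the CA.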