HRA: The Health Registration Authority (HRA) server should be configured with a validity time for health certificates of at least 20 minutes and no more than 24 hours
Updated: March 29, 2012
Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
This topic addresses a specific issue that is identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System |
Windows Server 2012, Windows Server 2008 R2 |
Product/Feature |
Health Registration Authority (HRA) |
Severity |
Warning |
Category |
Operations |
Issue
The validity time configured for health certificates is less than 20 minutes or more than 24 hours.
Impact
Network Access Protection (NAP) client computers will renew their health certificates too frequently or infrequently, and might be unable to acquire a health certificate.
Resolution
Configure the validity time for health certificates to be greater than 20 minutes, but less than 24 hours.
Health Registration Authority (HRA) is a component of a NAP infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement. HRA obtains health certificates on behalf of NAP clients when they are determined to be compliant with network health requirements.
The default validity period for health certificates is four hours. Clients will try to renew a health certificate 15 minutes before expiration or when a change in client health status occurs. You can use the following procedure to configure a custom validity period for health certificates.
To configure the validity time for health certificates approved by HRA
On the HRA server, click Start, and then click Run. In the Open box, type mmc, and then press ENTER.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, click Health Registration Authority, and then click Add. Select Local computer (the computer on which this console is running), click OK, and then click OK again.
In the console tree, right-click Certification Authority, and then click Properties. The Certification Authorities Properties dialog box opens.
Select the unit of time using the drop-down list. You can select Minutes, Hours, Days, or Weeks.
After you select a unit of time, enter the number of units that you want, and then click OK. Select a value for validity time for health certificates to be more than 20 minutes, but less than 24 hours.
If you are using an enterprise CA, you must follow these steps to override the validity period that is configured in your certificate templates:
Click Start, right-click Command Prompt, and then click Run as administrator.
In the Command Prompt window, type Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.
In the Command Prompt window, type net stop certsvc && net start certsvc, and then press ENTER.
Verify that Active Directory Certificate Services (AD CS) stops and starts successfully.
Additional references
For more information, see Configure NAP Certification Authority (https://go.microsoft.com/fwlink/?LinkID=177788).