Channel: Network Access Protection forum

NAP capable computers are evaluated as Non-NAP capable


Hi,

I am trying to lab test the Microsoft NAP. I have installed an NPS server, a domain controller with DNS server and a client PC with Windows XP SP3. Despite my repeated efforts I don't get any information about the client health. Every time it is evaluated as Non-NAP capable.

A few things:

1. NAP agent is running

2. 802.1x authentication is enabled

3. Service centre is running

4. NAP client is attached with a group policy that enables the quarantine. (netsh nap client show grouppolicy does show the policy)

 

But in any case there is no result about the client health. If I configure the network policies without validating the health (that of course is pretty lame) it does connect with those network policies, but as soon as I go for health validation it skips to the Non-NAP capable policy.

It's been 10 days working on it and I'm sick of installing the servers again and again.


NAP DHCP 30% not updating.


Hi All,

I have configured NAP-DHCP integrated with SCCM. I have a Win XP SP3 machine. Recently a few clients have started getting issues with NAP updating. The Configuration Manager system health validator is stuck at 30% and is not updating at all. I have tried keeping the machine idle for 1-2 hours, but the issue still remains the same. PFB logs for smssha.log:

<![LOG[CORE:NAPAGENT: Received a SoH Response from the Network Policy Server]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:2081">
<![LOG[HandleSystemHealthId(79745)]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:170">
<![LOG[HandleCorrelationV1(21)]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:536">
<![LOG[CORE: HandleSMSSystemHealthStateV1(
PolicyCookie=1776525952.30286463
SiteID={91E7527C-949D-43F0-BF22-41075067DCD1}
SiteCode=ITP
IsCompliant=False)]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:445">
<![LOG[CORE: HandleSMSServerInstructionsV1( (Code=4, Data=))]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:523">
<![LOG[CORE: HandleComplianceResultCodes( 0x8abc0602)]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:253">
<![LOG[CORE: HandleFailureCategory(2) = Client Component(Fragility)]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:423">
<![LOG[CORE: HandleFailureErrorCodes( 0x8abc0403)]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:376">
<![LOG[CORE: HandleIPV4FixupServerList(10.10.10.10)]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:201">
<![LOG[CQABroker::ProcessSoHResponse completed successfully.]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:2135">

Let me know if anything else is required. 


Arnav Sharma | Facebook |Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
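
Added example (not part of the post above, and not Configuration Manager code): a small parser for the smssha.log record format shown in the post, which groups the handler lines of each SoH response and pulls out the compliance fields for triage. The field names in the result are labels chosen here, the sample is the excerpt from the post, and the result and error codes are reported as logged without interpreting them.

```python
import re
from datetime import datetime, timedelta

# One record: <![LOG[message]LOG]!><time=".." date=".." component=".." ... file="..">
# The message part may span several lines, hence re.DOTALL.
RECORD = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)" date="(?P<date>[^"]+)" component="[^"]*"'
    r' context="[^"]*" type="\d+" thread="(?P<thread>\d+)" file="(?P<file>[^"]+)">',
    re.DOTALL,
)

# Result key (label chosen for this example) -> pattern over the record message.
FIELDS = {
    "site_code": r"SiteCode=(\w+)",
    "is_compliant": r"IsCompliant=(\w+)",
    "server_instruction_code": r"HandleSMSServerInstructionsV1\(\s*\(Code=(\d+)",
    "compliance_result_code": r"HandleComplianceResultCodes\(\s*(0x[0-9a-fA-F]+)",
    "failure_category": r"HandleFailureCategory\(\d+\)\s*=\s*(.+)",
    "failure_error_code": r"HandleFailureErrorCodes\(\s*(0x[0-9a-fA-F]+)",
    "fixup_servers": r"HandleIPV4FixupServerList\(([^)]*)\)",
}


def parse_records(text):
    """Yield one dict per log record found in text."""
    for m in RECORD.finditer(text):
        clock = re.match(r"[\d:.]+", m["time"]).group(0)  # drop the "+000" suffix
        yield {
            "when": datetime.strptime(f'{m["date"]} {clock}', "%m-%d-%Y %H:%M:%S.%f"),
            "thread": m["thread"],
            "msg": m["msg"].strip(),
        }


def soh_responses(text):
    """Group records into SoH responses, tracked per handling thread."""
    open_by_thread, results = {}, []
    for rec in parse_records(text):
        if "Received a SoH Response" in rec["msg"]:
            resp = {"received": rec["when"], "complete": False}
            open_by_thread[rec["thread"]] = resp
            results.append(resp)
            continue
        resp = open_by_thread.get(rec["thread"])
        if resp is None:
            continue  # handler line without a preceding "Received" record (cut log)
        for key, pattern in FIELDS.items():
            hit = re.search(pattern, rec["msg"])
            if hit:
                resp[key] = hit.group(1)
        if "ProcessSoHResponse completed" in rec["msg"]:
            resp["complete"] = True
            resp["handled_ms"] = (rec["when"] - resp["received"]) // timedelta(milliseconds=1)
            del open_by_thread[rec["thread"]]
    return results


def noncompliant(responses):
    """Responses in which the server reported IsCompliant=False."""
    return [r for r in responses if r.get("is_compliant") == "False"]


# Sample input: the smssha.log excerpt from the post above.
SAMPLE = r'''<![LOG[CORE:NAPAGENT: Received a SoH Response from the Network Policy Server]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:2081">
<![LOG[HandleSystemHealthId(79745)]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:170">
<![LOG[HandleCorrelationV1(21)]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:536">
<![LOG[CORE: HandleSMSSystemHealthStateV1(
PolicyCookie=1776525952.30286463
SiteID={91E7527C-949D-43F0-BF22-41075067DCD1}
SiteCode=ITP
IsCompliant=False)]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:445">
<![LOG[CORE: HandleSMSServerInstructionsV1( (Code=4, Data=))]LOG]!><time="10:36:19.878+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:523">
<![LOG[CORE: HandleComplianceResultCodes( 0x8abc0602)]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:253">
<![LOG[CORE: HandleFailureCategory(2) = Client Component(Fragility)]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:423">
<![LOG[CORE: HandleFailureErrorCodes( 0x8abc0403)]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:376">
<![LOG[CORE: HandleIPV4FixupServerList(10.10.10.10)]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:201">
<![LOG[CQABroker::ProcessSoHResponse completed successfully.]LOG]!><time="10:36:19.894+000" date="03-25-2013" component="smssha" context="" type="1" thread="532" file="qabroker.cpp:2135">
'''

if __name__ == "__main__":
    for r in noncompliant(soh_responses(SAMPLE)):
        print(r["received"], r["failure_category"], r["compliance_result_code"],
              r["failure_error_code"], "fixup:", r["fixup_servers"])
```

Run over a full smssha.log, the same grouping shows whether every SoH response repeats the same failure category and error code or whether they change between evaluations.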

Radius Server Group Policy Configuration

I have successfully set up my radius server for my wireless.  I am able to log in to my wireless now using my Active Directory credentials, but for some reason the group policy does not appear to be linked to the NPS server.  In other words, I have created a "Wireless Access" group within AD for users that are allowed to have wireless access, but if I remove myself from that group, my devices are still connected to the wireless with my logon credentials.  Why is this and how can I fix it?

NAP - HRA Discovery


I can't get my NAP Clients to search for a _HRA._TCP DNS Record in the Domain. It's just looking for a record in the site and nowhere else.

If I create a SRV Record like _hra._tcp.<sitename>._sites.<domainname> it does work. So the Discovery is enabled and working. All fine.

But if I delete that record and instead create one in _hra._tcp.<domainname> the client never tries to resolve that name.
I've used Network Monitor and can see that the domain joined client (Windows 7) does not even try to do a DNS Lookup for that SRV Record which is odd.

A manual NSLOOKUP for _hra._tcp works and gives the right info, but as mentioned above, the client is not even trying to find that address.

C:\Users\administrator>nslookup
Default Server:  UnKnown
Address:  192.168.0.10

> set type=srv
> _hra._tcp
Server:  UnKnown
Address:  192.168.0.10

_hra._tcp.domain.local   SRV service location:
          priority       = 10
          weight         = 10
          port           = 443
          svr hostname   = lfnap02.domain.local
_hra._tcp.domain.local   SRV service location:
          priority       = 10
          weight         = 10
          port           = 443
          svr hostname   = lfnap01.domain.local
lfnap02.domain.local     internet address = 192.168.0.14
lfnap01.domain.local     internet address = 192.168.0.13
> quit

From my point of view, the Discovery is set up correctly because it can find and resolve the Site SRV Record if it exists.
The clients are using DHCP and have the Primary DNS Suffix set.

C:\Users\administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : LFCLI01
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local
   System Quarantine State . . . . . : Not Restricted


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : domain.local
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D6F-1F-20
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b55d:95d2:c634:711a%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : den 18 mars 2013 13:45:44
   Lease Expires . . . . . . . . . . : den 4 april 2013 10:41:37
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.10
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-CF-44-0F-00-15-5D-6F-1F-20

   DNS Servers . . . . . . . . . . . : 192.168.0.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.domain.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : domain.local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   

Anyone who's run into something similar, or has any advice for a solution?

Thanks all, 
Markus Lassfolk

NAP remediation "freezing" on client PC

Hello,
 
I am running NAP (w/ DHCP enforcement) in a test domain, with one client PC for testing.  I first set up NAP in this domain about a month and a half ago and remediation was working fine, in terms of the Configuration Manager System Health Agent.  I had set up two separate NAP policies in ConfigMgr and when I logged into the client as an end user, it would run the system health check and recognize the updates were missing, so it would say "Updating" and proceed to download the updates and force a PC restart for installation.

In the last 3 weeks however, the auto-remediation appears to be getting stuck or freezing.  I purposely remove one of the two security updates from the client PC so that I can test remediation again.  When I log in now as an end user, it still recognizes that an update is missing so it will say "Updating," but when it gets to 30% downloading, it just stops, it never completes.  I've let the client PC sit for over an hour and it will still say "Downloading updates 30%."  I check the Processes running in Task Manager, and don't notice anything strange.  I have confirmed the auto-remediation settings in the Network Policy Server (NPS) setup and made sure the Remediation server group settings are correct in terms of including the servers on which NPS, DHCP and Configuration Manager are located.

If anyone has had similar experiences with auto-remediation in NAP, I would greatly appreciate any feedback.

Thank you,

Charles Thomas

Server 2008 R2 Radius Server configuration for Checkpoint FW


I have radius working for all the Cisco Gear.

I can not get a checkpoint (splat) working.

I have not been able to find any information on how to set the Microsoft piece up for checkpoint.  Review of the logs indicates that authentication (2) is being logged, however on the Checkpoint GUI authentication fails.

Any help would be appreciated.


Thanks,

 


--------------------------------------------------------------------------------

bc



NPS Windows 7 clients can't connect | iPhone connects!


Server 2008 R2 (RDS, NPS)
Access point: WRT54GL
Using a wildcard certificate

Ironically, my iPhone 4 connects to the wireless network just fine! I logged in w/ my domain credentials and then I had to accept the wildcard certificate we use, and bam, in on the corporate network using domain credentials.

However, I can't get our Windows 7 machines to connect.

With the current settings, the connection request generates 2 error messages in the Event Viewer - 1 for the computer and 1 for the user attempting to authenticate - both of which say: "Network Policy Server denied access to a user... The message received was unexpected or badly formatted."

I've tried creating a wireless profile on the laptop - and not validating certificates = no go.

The EAP service is running on the laptop.

The NAP service was NOT running on the laptop. I started it. Didn't affect anything.

I read that importing certificates on the client might be necessary... That doesn't sound right. I don't want to have to touch each client - or even apply through GPO.. Is this even relevant?

I have received other error messages in the past when I was tinkering with different connection and network policy settings. But this is where I’m at now.

Help!? Thanks!


NAP slow to validate XP Clients


Hi,

NAP is taking 10-20 minutes to grant full access to client Laptops. The clients are running Windows XP (which were sys prepped) and have the latest version of Windows Update, etc. 

On the server with the NAP setup, I see the following message coming up every few minutes:

Network Policy Server quarantined a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			-
	Account Domain:			-
	Fully Qualified Account Name:	-

Client Machine:
	Security ID:			D\L040820$
	Account Name:			L040820.domain.*
	Fully Qualified Account Name:	domain\L040820$
	OS-Version:			5.1.2600 3.0 x86 Workstation
	Called Station Identifier:		10.160.75.0
	Calling Station Identifier:		101F744B0F56

NAS:
	NAS IPv4 Address:		xx.xx.xx.xx
	NAS IPv6 Address:		-
	NAS Identifier:			XXSERVERXX
	NAS Port-Type:			Ethernet
	NAS Port:			-

RADIUS Client:
	Client Friendly Name:		-
	Client IP Address:			-

Authentication Details:
	Connection Request Policy Name:	NAP DHCP
	Network Policy Name:		NAP DHCP Noncompliant
	Authentication Provider:		Windows
	Authentication Server:		Server.domain
	Authentication Type:		Unauthenticated
	EAP Type:			-
	Account Session Identifier:		313239333431393831

Quarantine Information:
	Result:				Quarantined
	Extended-Result:			-
	Session Identifier:			{F637AB42-ABD9-4E8E-8B5F-3C9335C60262} - 2013-03-27 09:03:44.776Z
	Help URL:			-
	System Health Validator Result(s):	
Windows Security Health Validator
	0
	
	NonCompliant
	No Data
	None[]
	(0x0 - )
	(0x0 - )
	(0x0 - )
	(0x0 - )
	(0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed...)
	(0x400 - )

Now to me, that says it is waiting for Windows Update to confirm there are no more updates to install. We only issue updates once a week, but the process is slow EVERY single day. Does the NAP service normally take this long to check clients?

I have checked the WindowsUpdate.log on the clients, and they all seem to have the same sort of errors:

27/03/2013	08:16:23:250	1492	ee8	Misc	===========  Logging initialized (build: 7.6.7600.256, tz: -0000)  ===========											
27/03/2013	08:16:23:703	1492	ee8	Misc	  = Process: C:\WINDOWS\System32\svchost.exe											
27/03/2013	08:16:23:703	1492	ee8	Misc	  = Module: C:\WINDOWS\system32\wuaueng.dll											
27/03/2013	08:16:23:234	1492	ee8	Service	*************											
27/03/2013	08:16:23:703	1492	ee8	Service	** START **  Service: Service startup											
27/03/2013	08:16:23:703	1492	ee8	Service	*********											
27/03/2013	08:16:24:031	1492	ee8	Agent	  * WU client version 7.6.7600.256											
27/03/2013	08:16:24:031	1492	ee8	Agent	  * Base directory: C:\WINDOWS\SoftwareDistribution											
27/03/2013	08:16:24:046	1492	ee8	Agent	  * Access type: No proxy											
27/03/2013	08:16:24:046	1492	ee8	Agent	  * Network state: Connected											
27/03/2013	08:16:26:734	1492	3c8	Agent	***********  Agent: Initializing Windows Update Agent  ***********											
27/03/2013	08:16:26:734	1492	3c8	Agent	***********  Agent: Initializing global settings cache  ***********											
27/03/2013	08:16:26:734	1492	3c8	Agent	  * WSUS server: http://hman46:8530											
27/03/2013	08:16:26:734	1492	3c8	Agent	  * WSUS status server: http://hman46:8530											
27/03/2013	08:16:26:734	1492	3c8	Agent	  * Target group: Workstations											
27/03/2013	08:16:26:734	1492	3c8	Agent	  * Windows Update access disabled: No											
27/03/2013	08:16:26:765	1492	3c8	DnldMgr	Download manager restoring 0 downloads											
27/03/2013	08:16:26:984	1492	3c8	Misc	===========  Logging initialized (build: 7.6.7600.256, tz: -0000)  ===========											
27/03/2013	08:16:26:984	1492	3c8	Misc	  = Process: C:\WINDOWS\System32\svchost.exe											
27/03/2013	08:16:26:984	1492	3c8	Misc	  = Module: C:\WINDOWS\system32\wuapi.dll											
27/03/2013	08:16:26:984	1492	3c8	COMAPI	-------------											
27/03/2013	08:16:26:984	1492	3c8	COMAPI	-- START --  COMAPI: Search [ClientId = Windows System Health Agent Search]											
27/03/2013	08:16:26:984	1492	3c8	COMAPI	---------											
27/03/2013	08:16:27:015	1492	3c8	COMAPI	<<-- SUBMITTED -- COMAPI: Search [ClientId = Windows System Health Agent Search]											
27/03/2013	08:16:33:656	1492	ee8	Report	***********  Report: Initializing static reporting data  ***********											
27/03/2013	08:16:33:656	1492	ee8	Report	  * OS Version = 5.1.2600.3.0.65792											
27/03/2013	08:16:33:968	1492	ee8	Report	  * Computer Brand = Hewlett-Packard											
27/03/2013	08:16:33:968	1492	ee8	Report	  * Computer Model = HP ProBook 6560b											
27/03/2013	08:16:34:078	1492	ee8	Report	  * Bios Revision = 68SCE Ver. F.04											
27/03/2013	08:16:34:078	1492	ee8	Report	  * Bios Name = Default System BIOS											
27/03/2013	08:16:34:078	1492	ee8	Report	  * Bios Release Date = 2011-05-10T00:00:00											
27/03/2013	08:16:34:078	1492	ee8	Report	  * Locale ID = 2057											
27/03/2013	08:16:34:687	1492	e08	Agent	*************											
27/03/2013	08:16:34:687	1492	e08	Agent	** START **  Agent: Finding updates [CallerId = Windows System Health Agent Search]											
27/03/2013	08:16:34:687	1492	e08	Agent	*********											
27/03/2013	08:16:34:687	1492	e08	Agent	  * Include potentially superseded updates											
27/03/2013	08:16:34:687	1492	e08	Agent	  * Online = Yes; Ignore download priority = No											
27/03/2013	08:16:34:687	1492	e08	Agent	  * Criteria = "IsInstalled=0 and CategoryIDs contains '0fa1201d-4330-4fa8-8ae9-b877473b6441'"											
27/03/2013	08:16:34:687	1492	e08	Agent	  * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed											
27/03/2013	08:16:34:687	1492	e08	Agent	  * Search Scope = {Machine}											
27/03/2013	08:16:35:750	1492	e08	PT	WARNING: Cached cookie has expired or new PID is available											
27/03/2013	08:16:35:750	1492	e08	PT	Initializing simple targeting cookie, clientId = 627ee7a0-a58d-4bbe-9b3a-8153117b5c8c, target group = Workstations, DNS name = l040855.business.ukho.gov.uk											
27/03/2013	08:16:35:750	1492	e08	PT	  Server URL = http://hman46:8530/SimpleAuthWebService/SimpleAuth.asmx											
27/03/2013	08:16:35:843	1492	e08	PT	WARNING: GetCookie failure, error = 0x8024400D, soap client error = 7, soap error code = 300, HTTP status code = 200											
27/03/2013	08:16:35:843	1492	e08	PT	WARNING: SOAP Fault: 0x00012c											
27/03/2013	08:16:35:843	1492	e08	PT	WARNING:     faultstring:Fault occurred											
27/03/2013	08:16:35:843	1492	e08	PT	WARNING:     ErrorCode:ConfigChanged(2)											
27/03/2013	08:16:35:843	1492	e08	PT	WARNING:     Message:(null)											
27/03/2013	08:16:35:843	1492	e08	PT	WARNING:     Method:"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"											
27/03/2013	08:16:35:843	1492	e08	PT	WARNING:     ID:cb987c87-e31f-4bf9-9868-632b03b93d32											
27/03/2013	08:16:35:906	1492	e08	PT	WARNING: Cached cookie has expired or new PID is available											
27/03/2013	08:16:35:906	1492	e08	PT	Initializing simple targeting cookie, clientId = 627ee7a0-a58d-4bbe-9b3a-8153117b5c8c, target group = Workstations, DNS name = l040855.business.ukho.gov.uk											
27/03/2013	08:16:35:906	1492	e08	PT	  Server URL = http://hman46:8530/SimpleAuthWebService/SimpleAuth.asmx											
27/03/2013	08:16:35:937	1492	e08	PT	+++++++++++  PT: Starting category scan  +++++++++++											
27/03/2013	08:16:35:937	1492	e08	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx											
27/03/2013	08:16:45:240	1492	e08	PT	+++++++++++  PT: Synchronizing server updates  +++++++++++											
27/03/2013	08:16:45:240	1492	e08	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx											
27/03/2013	08:17:10:314	1492	ee8	AU	###########  AU: Initializing Automatic Updates  ###########											
27/03/2013	08:17:10:314	1492	ee8	AU	AU setting next detection timeout to 2013-03-27 08:17:10											
27/03/2013	08:17:10:314	1492	ee8	AU	AU setting next sqm report timeout to 2013-03-27 08:17:10											
27/03/2013	08:17:10:314	1492	ee8	AU	  # WSUS server: http://hman46:8530											
27/03/2013	08:17:10:314	1492	ee8	AU	  # Detection frequency: 22											
27/03/2013	08:17:10:314	1492	ee8	AU	  # Target group: Workstations											
27/03/2013	08:17:10:314	1492	ee8	AU	  # Approval type: Scheduled (User preference)											
27/03/2013	08:17:10:314	1492	ee8	AU	  # Scheduled install day/time: Every day at 3:00											
27/03/2013	08:17:10:314	1492	ee8	AU	  # Auto-install minor updates: Yes (Policy)											
27/03/2013	08:17:10:314	1492	ee8	AU	Initializing featured updates											
27/03/2013	08:17:10:314	1492	ee8	AU	Found 0 cached featured updates											
27/03/2013	08:17:10:314	1492	ee8	AU	AU finished delayed initialization											
27/03/2013	08:17:10:314	1492	ee8	AU	#############											
27/03/2013	08:17:10:314	1492	ee8	AU	## START ##  AU: Search for updates											
27/03/2013	08:17:10:314	1492	ee8	AU	#########											
27/03/2013	08:17:10:314	1492	ee8	AU	<<## SUBMITTED ## AU: Search for updates [CallId = {B84E4DB3-DFC0-4722-81F7-CA2C0F2F0C7C}]											
27/03/2013	08:17:10:377	1660	988	Misc	===========  Logging initialized (build: 7.6.7600.256, tz: -0000)  ===========											
27/03/2013	08:17:10:377	1660	988	Misc	  = Process: C:\Program Files\LogMeIn\x86\LogMeIn.exe											
27/03/2013	08:17:10:377	1660	988	Misc	  = Module: C:\WINDOWS\system32\wuapi.dll											
27/03/2013	08:17:10:377	1660	988	COMAPI	-------------											
27/03/2013	08:17:10:377	1660	988	COMAPI	-- START --  COMAPI: Search [ClientId = <NULL>]											
27/03/2013	08:17:10:377	1660	988	COMAPI	---------											
27/03/2013	08:17:10:377	1660	988	COMAPI	<<-- SUBMITTED -- COMAPI: Search [ClientId = <NULL>]											
27/03/2013	08:17:34:058	1492	ee8	AU	Forced install timer expired for scheduled install											
27/03/2013	08:17:34:058	1492	ee8	AU	UpdateDownloadProperties: 0 download(s) are still in progress.											
27/03/2013	08:17:34:058	1492	ee8	AU	Setting AU scheduled install time to 2013-03-28 03:00:00											
27/03/2013	08:18:53:347	1492	e08	PT	+++++++++++  PT: Synchronizing extended update info  +++++++++++											
27/03/2013	08:18:53:347	1492	e08	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx											
27/03/2013	08:19:03:154	1492	e08	Agent	  * Found 0 updates and 1 categories in search; evaluated appl. rules of 1070 out of 2319 deployed entities											
27/03/2013	08:19:03:248	1492	e08	Agent	*********											
27/03/2013	08:19:03:248	1492	e08	Agent	**  END  **  Agent: Finding updates [CallerId = Windows System Health Agent Search]											
27/03/2013	08:19:03:248	1492	e08	Agent	*************											
27/03/2013	08:19:03:264	1492	e08	Agent	*************											
27/03/2013	08:19:03:264	1492	e08	Agent	** START **  Agent: Finding updates [CallerId = AutomaticUpdates]											
27/03/2013	08:19:03:264	1492	e08	Agent	*********											
27/03/2013	08:19:03:264	1492	e08	Agent	  * Online = Yes; Ignore download priority = No											
27/03/2013	08:19:03:264	1492	e08	Agent	  * Criteria = "IsHidden=0 and IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"											
27/03/2013	08:19:03:264	1492	e08	Agent	  * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed											
27/03/2013	08:19:03:264	1492	e08	Agent	  * Search Scope = {Machine}											
27/03/2013	08:19:03:279	1492	ec0	COMAPI	>>--  RESUMED  -- COMAPI: Search [ClientId = Windows System Health Agent Search]											
27/03/2013	08:19:03:279	1492	ec0	COMAPI	  - Updates found = 0											
27/03/2013	08:19:03:279	1492	ec0	COMAPI	---------											
27/03/2013	08:19:03:279	1492	ec0	COMAPI	--  END  --  COMAPI: Search [ClientId = Windows System Health Agent Search]											
27/03/2013	08:19:03:279	1492	ec0	COMAPI	-------------											
27/03/2013	08:19:03:310	1492	e08	Misc	Validating signature for C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wuident.cab:											
27/03/2013	08:19:03:436	1492	e08	Misc	 Microsoft signed: Yes											
27/03/2013	08:19:03:436	1492	e08	Misc	Validating signature for C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wuident.cab:											
27/03/2013	08:19:03:451	1492	e08	Misc	 Microsoft signed: Yes											
27/03/2013	08:19:03:467	1492	e08	Misc	Validating signature for C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wsus3setup.cab:											
27/03/2013	08:19:03:482	1492	e08	Misc	 Microsoft signed: Yes											
27/03/2013	08:19:03:482	1492	e08	Setup	***********  Setup: Checking whether self-update is required  ***********											
27/03/2013	08:19:03:482	1492	e08	Setup	  * Inf file: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wsus3setup.inf											
27/03/2013	08:19:03:514	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\cdm.dll: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:514	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wuapi.dll: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:529	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wuapi.dll.mui: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:529	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wuauclt.exe: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:529	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wuaucpl.cpl: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:561	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wuaucpl.cpl.mui: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:561	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wuaueng.dll: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:576	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wuaueng.dll.mui: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:576	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wucltui.dll: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:592	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wucltui.dll.mui: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:592	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wups.dll: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:592	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wups2.dll: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:623	1492	e08	Setup	Update NOT required for C:\WINDOWS\system32\wuweb.dll: target version = 7.6.7600.256, required version = 7.6.7600.256											
27/03/2013	08:19:03:623	1492	e08	Setup	  * IsUpdateRequired = No											
27/03/2013	08:19:04:734	1492	e08	PT	+++++++++++  PT: Synchronizing server updates  +++++++++++											
27/03/2013	08:19:04:734	1492	e08	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx											
27/03/2013	08:19:38:379	1492	3c8	COMAPI	-------------											
27/03/2013	08:19:38:379	1492	3c8	COMAPI	-- START --  COMAPI: Search [ClientId = Windows System Health Agent Search]											
27/03/2013	08:19:38:379	1492	3c8	COMAPI	---------											
27/03/2013	08:19:38:379	1492	3c8	COMAPI	<<-- SUBMITTED -- COMAPI: Search [ClientId = Windows System Health Agent Search]											
27/03/2013	08:20:32:750	1492	e08	PT	+++++++++++  PT: Synchronizing extended update info  +++++++++++											
27/03/2013	08:20:32:750	1492	e08	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx											
27/03/2013	08:20:33:532	1492	e08	Agent	  * Found 0 updates and 67 categories in search; evaluated appl. rules of 1070 out of 2319 deployed entities											
27/03/2013	08:20:33:532	1492	e08	Agent	*********											
27/03/2013	08:20:33:532	1492	e08	Agent	**  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]											
27/03/2013	08:20:33:532	1492	e08	Agent	*************											
27/03/2013	08:20:33:548	1492	e08	Agent	*************											
27/03/2013	08:20:33:548	1492	e7c	AU	>>##  RESUMED  ## AU: Search for updates [CallId = {B84E4DB3-DFC0-4722-81F7-CA2C0F2F0C7C}]											
27/03/2013	08:20:33:548	1492	e08	Agent	** START **  Agent: Finding updates [CallerId = ]											
27/03/2013	08:20:33:548	1492	e7c	AU	  # 0 updates detected											
27/03/2013	08:20:33:548	1492	e08	Agent	*********											
27/03/2013	08:20:33:548	1492	e08	Agent	  * Online = Yes; Ignore download priority = No											
27/03/2013	08:20:33:548	1492	e08	Agent	  * Criteria = "IsInstalled = 0 AND IsHidden = 0"											
27/03/2013	08:20:33:548	1492	e08	Agent	  * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service											
27/03/2013	08:20:33:548	1492	e08	Agent	  * Search Scope = {Machine}											
27/03/2013	08:20:33:548	1492	e7c	AU	#########											
27/03/2013	08:20:33:548	1492	e7c	AU	##  END  ##  AU: Search for updates [CallId = {B84E4DB3-DFC0-4722-81F7-CA2C0F2F0C7C}]											
27/03/2013	08:20:33:548	1492	e7c	AU	#############											
27/03/2013	08:20:33:548	1492	e7c	AU	Featured notifications is disabled.											
27/03/2013	08:20:33:548	1492	e7c	AU	AU setting next detection timeout to 2013-03-28 04:56:37											
27/03/2013	08:20:33:548	1492	e7c	AU	Setting AU scheduled install time to 2013-03-28 03:00:00											
27/03/2013	08:20:33:970	1492	e08	PT	+++++++++++  PT: Synchronizing server updates  +++++++++++											
27/03/2013	08:20:33:970	1492	e08	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx											
27/03/2013	08:22:07:223	1492	e08	PT	+++++++++++  PT: Synchronizing extended update info  +++++++++++											
27/03/2013	08:22:07:223	1492	e08	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx											
27/03/2013	08:22:08:333	1492	e08	Agent	  * Found 0 updates and 67 categories in search; evaluated appl. rules of 1070 out of 2319 deployed entities											
27/03/2013	08:22:08:333	1492	e08	Agent	*********											
27/03/2013	08:22:08:333	1492	e08	Agent	**  END  **  Agent: Finding updates [CallerId = ]											
27/03/2013	08:22:08:333	1492	e08	Agent	*************											
27/03/2013	08:22:08:349	1492	e08	Agent	*************											
27/03/2013	08:22:08:349	1492	e08	Agent	** START **  Agent: Finding updates [CallerId = Windows System Health Agent Search]											
27/03/2013	08:22:08:349	1492	e08	Agent	*********											
27/03/2013	08:22:08:349	1492	e08	Agent	  * Include potentially superseded updates											
27/03/2013	08:22:08:349	1492	e08	Agent	  * Online = No; Ignore download priority = No											
27/03/2013	08:22:08:349	1492	e08	Agent	  * Criteria = "IsInstalled=0 and CategoryIDs contains '0fa1201d-4330-4fa8-8ae9-b877473b6441'"											
27/03/2013	08:22:08:349	1492	e08	Agent	  * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed											
27/03/2013	08:22:08:349	1492	e08	Agent	  * Search Scope = {Machine}											
27/03/2013	08:22:08:365	1660	b6c	COMAPI	>>--  RESUMED  -- COMAPI: Search [ClientId = <NULL>]											
27/03/2013	08:22:08:365	1660	b6c	COMAPI	  - Updates found = 0											
27/03/2013	08:22:08:365	1660	b6c	COMAPI	---------											
27/03/2013	08:22:08:365	1660	b6c	COMAPI	--  END  --  COMAPI: Search [ClientId = <NULL>]											
27/03/2013	08:22:08:365	1660	b6c	COMAPI	-------------											
27/03/2013	08:22:08:380	1660	988	COMAPI	-------------											
27/03/2013	08:22:08:380	1660	988	COMAPI	-- START --  COMAPI: Search [ClientId = <NULL>]											
27/03/2013	08:22:08:380	1660	988	COMAPI	---------											
27/03/2013	08:22:08:380	1660	988	COMAPI	<<-- SUBMITTED -- COMAPI: Search [ClientId = <NULL>]											
27/03/2013	08:23:47:606	1492	e08	Agent	  * Found 0 updates and 1 categories in search; evaluated appl. rules of 480 out of 1357 deployed entities											
27/03/2013	08:23:47:606	1492	e08	Agent	*********											
27/03/2013	08:23:47:606	1492	e08	Agent	**  END  **  Agent: Finding updates [CallerId = Windows System Health Agent Search]											
27/03/2013	08:23:47:606	1492	e08	Agent	*************											
27/03/2013	08:23:47:606	1492	e08	Agent	*************											
27/03/2013	08:23:47:606	1492	e08	Agent	** START **  Agent: Finding updates [CallerId = ]											
27/03/2013	08:23:47:606	1492	e08	Agent	*********											
27/03/2013	08:23:47:606	1492	e08	Agent	  * Online = Yes; Ignore download priority = No											
27/03/2013	08:23:47:606	1492	e08	Agent	  * Criteria = "IsInstalled = 0 AND IsHidden = 0"											
27/03/2013	08:23:47:606	1492	e08	Agent	  * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service											
27/03/2013	08:23:47:606	1492	e08	Agent	  * Search Scope = {Machine}											
27/03/2013	08:23:47:622	1492	ec0	COMAPI	>>--  RESUMED  -- COMAPI: Search [ClientId = Windows System Health Agent Search]											
27/03/2013	08:23:47:622	1492	ec0	COMAPI	  - Updates found = 0											
27/03/2013	08:23:47:622	1492	ec0	COMAPI	---------											
27/03/2013	08:23:47:622	1492	ec0	COMAPI	--  END  --  COMAPI: Search [ClientId = Windows System Health Agent Search]											
27/03/2013	08:23:47:622	1492	ec0	COMAPI	-------------											
27/03/2013	08:23:48:044	1492	e08	PT	+++++++++++  PT: Synchronizing server updates  +++++++++++											
27/03/2013	08:23:48:044	1492	e08	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx											
27/03/2013	08:23:49:028	1492	e08	Misc	WARNING: Send failed with hr = 80072ee7.											
27/03/2013	08:23:49:028	1492	e08	Misc	WARNING: SendRequest failed with hr = 80072ee7. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>											
27/03/2013	08:23:49:028	1492	e08	PT	  + Last proxy send request failed with hr = 0x80072EE7, HTTP status code = 0											
27/03/2013	08:23:49:028	1492	e08	PT	  + Caller provided credentials = No											
27/03/2013	08:23:49:028	1492	e08	PT	  + Impersonate flags = 0											
27/03/2013	08:23:49:028	1492	e08	PT	  + Possible authorization schemes used = 											
27/03/2013	08:23:49:028	1492	e08	PT	WARNING: SyncUpdates failure, error = 0x8024402C, soap client error = 5, soap error code = 0, HTTP status code = 200											
27/03/2013	08:23:49:028	1492	e08	PT	WARNING: PTError: 0x8024402c											
27/03/2013	08:23:49:028	1492	e08	PT	WARNING: SyncUpdates_WithRecovery failed.: 0x8024402c											
27/03/2013	08:23:49:028	1492	e08	PT	WARNING: Sync of Updates: 0x8024402c											
27/03/2013	08:23:49:028	1492	e08	PT	WARNING: SyncServerUpdatesInternal failed: 0x8024402c											
27/03/2013	08:23:49:028	1492	e08	Agent	  * WARNING: Failed to synchronize, error = 0x8024402C											
27/03/2013	08:23:49:028	1492	e08	Agent	x											
27/03/2013	08:23:49:028	1492	e08	Agent	*********											
27/03/2013	08:23:49:028	1492	e08	Agent	**  END  **  Agent: Finding updates [CallerId = ]											
27/03/2013	08:23:49:028	1492	e08	Agent	*************											
27/03/2013	08:23:49:028	1492	e08	Agent	WARNING: WU client failed Searching for update with error 0x8024402c											
27/03/2013	08:23:49:044	1660	9.00E+08	COMAPI	>>--  RESUMED  -- COMAPI: Search [ClientId = <NULL>]											
27/03/2013	08:23:49:044	1660	9.00E+08	COMAPI	  - Updates found = 0											
27/03/2013	08:23:49:044	1660	9.00E+08	COMAPI	  - WARNING: Exit code = 0x00000000, Result code = 0x8024402C											
27/03/2013	08:23:49:044	1660	9.00E+08	COMAPI	---------											
27/03/2013	08:23:49:044	1660	9.00E+08	COMAPI	--  END  --  COMAPI: Search [ClientId = <NULL>]											
27/03/2013	08:23:49:044	1660	9.00E+08	COMAPI	-------------											
27/03/2013	08:23:49:044	1660	988	COMAPI	WARNING: Operation failed due to earlier error, hr=8024402C											
27/03/2013	08:23:49:044	1660	988	COMAPI	FATAL: Unable to complete asynchronous search. (hr=8024402C)											
27/03/2013	08:23:49:200	1492	e08	Report	REPORT EVENT: {F092AE8D-4114-44C2-B593-C5AED23E8B5F}	2013-03-27 08:19:03:248-0000	1	147	101	{00000000-0000-0000-0000-000000000000}	0	0	Windows System Health Agent Sea	Success	Software Synchronization	Windows Update Client successfully detected 0 updates.
27/03/2013	08:23:49:200	1492	e08	Report	REPORT EVENT: {3903F1A9-D5FC-42DA-A76C-EE465170DD2E}	2013-03-27 08:20:33:532-0000	1	147	101	{00000000-0000-0000-0000-000000000000}	0	0	AutomaticUpdates	Success	Software Synchronization	Windows Update Client successfully detected 0 updates.
27/03/2013	08:23:49:200	1492	e08	Report	REPORT EVENT: {C9386E86-99D9-49DC-9C7A-C6B8968AD09A}	2013-03-27 08:20:33:532-0000	1	156	101	{00000000-0000-0000-0000-000000000000}	0	0	AutomaticUpdates	Success	Pre-Deployment Check	Reporting client status.
27/03/2013	08:23:49:200	1492	e08	Report	REPORT EVENT: {12E9E744-836A-40E6-BEC6-C0FB82C21A50}	2013-03-27 08:22:08:333-0000	1	147	101	{00000000-0000-0000-0000-000000000000}	0	0		Success	Software Synchronization	Windows Update Client successfully detected 0 updates.
27/03/2013	08:23:49:200	1492	e08	Report	REPORT EVENT: {74A569CE-1F73-4774-A905-291EAF1440AD}	2013-03-27 08:22:08:333-0000	1	156	101	{00000000-0000-0000-0000-000000000000}	0	0		Success	Pre-Deployment Check	Reporting client status.
27/03/2013	08:34:59:397	1492	e08	Report	Uploading 5 events using cached cookie, reporting URL = http://hman46:8530/ReportingWebService/ReportingWebService.asmx											
27/03/2013	08:34:59:413	1492	e08	Report	Reporter successfully uploaded 5 events.											

In particular, I think this is where the fault could lie...

  Server URL = http://hman46:8530/SimpleAuthWebService/SimpleAuth.asmx
WARNING: GetCookie failure, error = 0x8024400D, soap client error = 7, soap error code = 300, HTTP status code = 200
WARNING: SOAP Fault: 0x00012c
WARNING:     faultstring:Fault occurred
WARNING:     ErrorCode:ConfigChanged(2)
WARNING:     Message:(null)
WARNING:     Method:"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"
WARNING:     ID:cb987c87-e31f-4bf9-9868-632b03b93d32

WARNING: Cached cookie has expired or new PID is available

Do I perhaps need to add the http://hman46...... full address to the allowed services on the NAP policy? The server itself is allowed, but I wonder if the port is affecting it. Or do I need to add the internal proxy address to the allowed NAP services?

Does it need to be an address in the proxy exceptions?
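One way to read a WindowsUpdate.log like the one quoted above is to group the Agent lines into search sessions and list the HRESULTs each session logged. This is an added example, not part of the original post: the function names are hypothetical, the sample lines are abridged from the quoted log, and the symbolic names are the documented ones for those codes.

```python
import re

# Documented symbolic names for the HRESULTs that appear in the quoted log.
KNOWN_HRESULTS = {
    0x80072EE7: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    0x8024402C: "WU_E_PT_WINHTTP_NAME_NOT_RESOLVED",
    0x8024400D: "WU_E_PT_SOAP_CLIENT",
}

START = re.compile(r"\*\* START \*\*\s+Agent: Finding updates \[CallerId = (.*)\]")
END = re.compile(r"\*\*\s+END\s+\*\*\s+Agent: Finding updates")
HRESULT = re.compile(r"\b(?:hr|error|Result code)\s*=\s*(?:0x)?([0-9A-Fa-f]{8})\b")
ONLINE = re.compile(r"Online = (Yes|No)")
SERVER = re.compile(r"Server URL = (\S+)")

# Sample input: lines abridged from the log quoted in the post (tab-separated).
SAMPLE_LOG = """
27/03/2013\t08:22:08:349\t1492\te08\tAgent\t** START **  Agent: Finding updates [CallerId = Windows System Health Agent Search]
27/03/2013\t08:22:08:349\t1492\te08\tAgent\t  * Online = No; Ignore download priority = No
27/03/2013\t08:22:08:380\t1660\t988\tCOMAPI\t<<-- SUBMITTED -- COMAPI: Search [ClientId = <NULL>]
27/03/2013\t08:23:47:606\t1492\te08\tAgent\t**  END  **  Agent: Finding updates [CallerId = Windows System Health Agent Search]
27/03/2013\t08:23:47:606\t1492\te08\tAgent\t** START **  Agent: Finding updates [CallerId = ]
27/03/2013\t08:23:47:606\t1492\te08\tAgent\t  * Online = Yes; Ignore download priority = No
27/03/2013\t08:23:48:044\t1492\te08\tPT\t  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://hman46:8530/ClientWebService/client.asmx
27/03/2013\t08:23:49:028\t1492\te08\tMisc\tWARNING: Send failed with hr = 80072ee7.
27/03/2013\t08:23:49:028\t1492\te08\tPT\tWARNING: SyncUpdates failure, error = 0x8024402C, soap client error = 5, soap error code = 0, HTTP status code = 200
27/03/2013\t08:23:49:028\t1492\te08\tAgent\t**  END  **  Agent: Finding updates [CallerId = ]
"""


def parse_sessions(log_text):
    """Group log lines into Agent search sessions, tracked per (PID, TID)."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        parts = line.split("\t", 5)
        if len(parts) < 6:
            continue  # blank line or wrapped text, not a log record
        date, time, pid, tid, _component, message = parts
        key = (pid, tid)
        started = START.search(message)
        if started:
            open_sessions[key] = {
                "caller": started.group(1).strip(),
                "start": f"{date} {time}",
                "online": None,
                "server_url": None,
                "errors": [],
            }
            continue
        session = open_sessions.get(key)
        if session is None:
            continue  # line from another thread, or outside any search
        if END.search(message):
            finished.append(open_sessions.pop(key))
            continue
        online = ONLINE.search(message)
        if online:
            session["online"] = online.group(1) == "Yes"
        server = SERVER.search(message)
        if server:
            session["server_url"] = server.group(1)
        for code in HRESULT.findall(message):
            value = int(code, 16)
            if value not in session["errors"]:
                session["errors"].append(value)
    return finished


def failed_sessions(log_text):
    """Return only the searches that logged at least one HRESULT."""
    return [s for s in parse_sessions(log_text) if s["errors"]]


def describe(code):
    """Format an HRESULT with its symbolic name when it is a known one."""
    return f"0x{code:08X} {KNOWN_HRESULTS.get(code, 'unknown')}"


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        caller = s["caller"] or "<empty CallerId>"
        codes = ", ".join(describe(c) for c in s["errors"]) or "no errors"
        print(f"{s['start']}  {caller}  online={s['online']}  {codes}")
```

On the sample, the offline search by the Windows System Health Agent finishes without errors, while the online search with the empty CallerId is the one that logs both name-resolution codes.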


Not pinging with DC. But pinging with ADC


Hi,

One of the client machines can't ping the DC, but it can ping the ADC. It only fails to ping the DC.

What might the problem be?

That machine is in AD only

Thanks in advance



Regards, Hari Prasad.D

server 2003 and kerio internet


Hi all,

I have a Server 2003 machine with only one LAN interface, which has a public IP. I installed VMware 9 on the server and I want to run the Kerio firewall virtually.

In the future I want other clients on a private LAN to connect to the internet via Kerio. But for now I want to know: is it possible to make a VPN session for remote clients through Kerio and Server 2003 to access the internet?

tks

NPS certificate issue with Non domain Windows machines


Our environment is:


Active Directory Windows Server 2008 R2
Primary     NPS in Server 2008 R2 Enterprise
Secondary NPS in server 2008 R2 Enterprise
Both NPS servers have the NPS and AD CS roles (RADIUS is using an Enterprise certificate which is subordinate to the DC CA).

NPS is set up to use PEAP-EAP-MSCHAP v2 and the client (Controller MSM765) is set up to use WPA (WPA or WPA2).

All domain machines (PC, laptop, MacBook) work fine with the RADIUS server, but for non-domain machines we have to install the certificate manually to the Trusted Root location, for Windows machines only, to get RADIUS to work, and I was able to make a connection to my RADIUS server using auth method MS-CHAP v2. This is how it works with iPad, iPhone and MacBook: the cert pops up after I enter my credentials, and I just click to continue with the certificate.

Now suddenly all non-domain Windows machines have stopped working with RADIUS and the logs show reason code 265, but I have installed the trusted root certification authority on the client computer as usual, and I have checked using mmc whether the RADIUS cert exists in the trusted root, and I found it there.


These are the logs for a Windows user for whom I have installed the cert in the trusted root folder:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   domain\Tim
 Account Name:   tim
 Account Domain:   domain
 Fully Qualified Account Name: domain1\tim

Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  00-24-A8-9B-1C-81
 Calling Station Identifier:  24-77-03-6C-6B-28

NAS:
 NAS IPv4 Address:  172.26.4.38
 NAS IPv6 Address:  -
 NAS Identifier:   SG0299L160
 NAS Port-Type:   Wireless - IEEE 802.11
 NAS Port:   153

RADIUS Client:
 Client Friendly Name:  Controller1
 Client IP Address:   172.26.4.38

Authentication Details:
 Connection Request Policy Name: Secure Wireless Connections
 Network Policy Name:  Trusted Machine and Users
 Authentication Provider:  Windows
 Authentication Server:  domain
 Authentication Type:  PEAP
 EAP Type:   -
 Account Session Identifier:  39613065373830302D3030303030306136
 Logging Results:   Accounting information was written to the local log file.
 Reason Code:   265
 Reason:    The certificate chain was issued by an authority that is not trusted.

 

2nd log:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   NULL SID
 Account Name:   PC
 Account Domain:   Domain
 Fully Qualified Account Name: Domain\pc
Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  00-24-A8-9B-1C-81
 Calling Station Identifier:  24-77-03-6C-6B-28

NAS:
 NAS IPv4 Address:  172.26.4.38
 NAS IPv6 Address:  -
 NAS Identifier:   SG0299L160
 NAS Port-Type:   Wireless - IEEE 802.11
 NAS Port:   154

RADIUS Client:
 Client Friendly Name:  Controller1
 Client IP Address:   172.26.4.38

Authentication Details:
 Connection Request Policy Name: Secure Wireless Connections
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  Domain
 Authentication Type:  EAP
 EAP Type:   -
 Account Session Identifier:  39613065373830302D3030303030306137
 Logging Results:   Accounting information was written to the local log file.
 Reason Code:   8
 Reason:    The specified user account does not exist.

But I have found this temporary solution: creating a wireless profile on the user's PC, removing "validate server certificate" from the security tab and enabling the 802.1x setting to use user or computer authentication in advanced security. Then anyone who has an AD account and is a member of the wireless group can authenticate without needing to install the RADIUS cert manually, and that is very bad, as I need students to validate the cert. So after one year this cert will expire, and then the students need to come over again next year to get a new cert from IT, and this is the log for the user (without needing any cert):

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
 Security ID:   domain\tim
 Account Name:   1337
 Account Domain:   domain
 Fully Qualified Account Name: domain\tim

Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  00-24-A8-9B-1C-81
 Calling Station Identifier:  24-77-03-6C-6B-28

NAS:
 NAS IPv4 Address:  172.26.4.38
 NAS IPv6 Address:  -
 NAS Identifier:   SG0299L160
 NAS Port-Type:   Wireless - IEEE 802.11
 NAS Port:   124

RADIUS Client:
 Client Friendly Name:  Controller1
 Client IP Address:   172.26.4.38

Authentication Details:
 Connection Request Policy Name: Secure Wireless Connections
 Network Policy Name:  Trusted Machine and Users
 Authentication Provider:  Windows
 Authentication Server:  domain
 Authentication Type:  PEAP
 EAP Type:   Microsoft: Secured password (EAP-MSCHAP v2)
 Account Session Identifier:  37656134383634372D3030303030303839

Quarantine Information:
 Result:    Full Access
 Extended-Result:   -
 Session Identifier:   -
 Help URL:   -
 System Health Validator Result(s): -


2011IT

NAP+IPSec - IPSec Rules


Good afternoon everyone
I need some help, I am implementing NAP + IPSec, this is my scenario

1 DC
1 Server for NAP
1 Windows XP computer
1 Windows 7 Computer

I used the Step by Step Guide to NAP + IPSec. After correcting some details that came up along the way, I made my implementation work, but not 100%.

I configured the two PCs to be compliant. I checked that they have health certificates and everything works fine: I have PING, RDP and File Sharing.

But when I make my Windows 7 computer noncompliant and it ceases to have the health certificate, I cannot get the XP computer to stop responding to PING, RDP and File Sharing. I checked the configuration of the IPSec rules again and again, but still no success.

I would appreciate your help.

Regards,

Carlos Landaverry
Guatemala

DHCP client enforcement not working


Hi,

I have been struggling with this for a few days and need your help. I configured DHCP enforcement according to the step-by-step guide available from Microsoft. I am doing everything exactly as it says in the tutorial, but whenever I apply NAP to the scope or on the server, the client loses connection and is not able to obtain an IP address, neither restricted nor full.

Going through all the troubleshooting steps this is what I got:

Netsh nap client show state - enabled (Group policy -configured, Initialized - yes  )

netsh nap client show group - it shows as applied. (enforcement client enabled)

Netsh nap client show configuration -(enforcement client is Disabled!!!!) 

Also I noticed the DHCP quarantine client enforcement feature on the client (NAPCLCFG.MSC) would control the configuration state. As far as I understand, this feature is supposed to be managed by Group Policy, but it's not.

Nothing was working unless I enabled the enforcement client via the "Netsh nap client set enforcement ID = 79617 ADMIN = "ENABLED" " command. After that the client started doing everything the way it was supposed to: if I disabled the firewall, it was placed in the restricted network, remediation would enable the firewall automatically, and after that ipconfig/renew would obtain an IP address with full access.

I would really appreciate someone pointing out what I did wrong.

thanks

 

CMAK 64 bit client works but 32 bit client does not


Hi Everyone,

I've banged my head on the table on this problem long enough. I've swallowed my pride and come to you all looking for assistance. 

First, I'm embarrassed to say yes we use Microsoft RAS and have a ton of users still on XP.

To the problem... I've used CMAK to build two clients (64bit and 32bit). The client configurations for the most part are pretty straightforward. The issue is with our custom route file. I have a single route hosted on a remote computer that the clients are configured to grab upon connecting. This whole process works perfectly on the 64 bit clients. On the 32 bit I come up with the error that everyone else seems to come up with as well: "routing table failed (800700e8)."

The client was built on a Windows 7 32bit install. 

I know this is old material. I'm hoping someone will browse by, take pity on me and my bruised head, and offer up some fresh ideas.

Thanks,

J

Basic VPN question


Greetings All,

I am new to setting up a VPN and one of the tasks I've been assigned is to configure a certain set of users permission to VPN to the domain.  They're on Win 2008 R2 and the VPN appliance is external to Windows (still waiting to hear from the network team on what they are using).  Also, there is no server in AD that has the Network Policy and Access Services role installed.  My question is whether or not this is even necessary if VPN access is being handled by an appliance.  Is setting the option on the Dial-In tab to allow for the set of users that need VPN access sufficient or will it not work without NPAS?

Thanks in advance.

JC


DHCP NAP Windows 7 Client SCCM 2012 SP1 Windows 2012


We have the following config:

  • Windows 2012 DHCP with NPS and HRA services installed (192.168.5.11)
  • Windows 2008 R2 with SCCM 2012 SP1 - no NAP settings (192.168.5.125)
  • Windows 7 Clients obtaining IP from DHCP and client to SCCM install (192.168.8.0/24)

We have configured the following policies on the NPS Server:

  • Connection Request: DHCP: Called Station ID: 192.168.8.0
  • Network Policies with appropriate MS-Service Class for DHCP scope, with compliant and non-compliant Health Policies (very simple, the only thing that isn't being checked is Win Updates)

The DHCP is happy to dish out IP addresses to compliant machines no problem at all. When a machine goes non-compliant it registers the non-compliant machine with event ID 6276 - Network Policy Server quarantined a user.

It then proceeds to send the limited access DHCP options which the client then happily ignores.

I've run WireShark on the clients to capture the DHCP response and I can see the different options being returned to the client, specifically option 121 with the classless static routes.

When I run napstat it says full network access - no issues raised.

Output from netsh nap client show config


NAP client configuration: 
---------------------------------------------------- 

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

Hash algorithm = sha1RSA (1.3.14.3.2.29) 

Enforcement clients: 
---------------------------------------------------- 
Name            = DHCP Quarantine Enforcement Client 
ID              = 79617 
Admin           = Disabled 

Name            = IPsec Relying Party 
ID              = 79619 
Admin           = Disabled 

Name            = RD Gateway Quarantine Enforcement Client 
ID              = 79621 
Admin           = Disabled 

Name            = Microsoft Forefront UAG Quarantine Enforcement Client 
ID              = 79622 
Admin           = Enabled 

Name            = EAP Quarantine Enforcement Client 
ID              = 79623 
Admin           = Disabled 

Client tracing: 
---------------------------------------------------- 
State = Disabled 
Level = Disabled 

Ok.

Output from netsh nap client show state:

Client state: 
---------------------------------------------------- 
Name                   = Network Access Protection Client 
Description            = Microsoft Network Access Protection Client 
Protocol version       = 1.0 
Status                 = Enabled 
Restriction state      = Not restricted 
Troubleshooting URL    =  
Restriction start time =  
Extended state         =  
GroupPolicy            = Configured 

Enforcement client state: 
---------------------------------------------------- 
Id                     = 79617 
Name                   = DHCP Quarantine Enforcement Client 
Description            = Provides DHCP based enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = Yes 

Id                     = 79619 
Name                   = IPsec Relying Party 
Description            = Provides IPsec based enforcement for Network Access Protection 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79621 
Name                   = RD Gateway Quarantine Enforcement Client 
Description            = Provides RD Gateway enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79622 
Name                   = Microsoft Forefront UAG Quarantine Enforcement Client 
Description            = Reports client health status. 
Version                = 4.0.2095.10000 
Vendor name            = Microsoft Corporation 
Registration date      = 11/01/2013 09:04:05 
Initialized            = No 

Id                     = 79623 
Name                   = EAP Quarantine Enforcement Client 
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies. 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

System health agent (SHA) state: 
---------------------------------------------------- 
Id                     = 7467776 
Name                   = ESET SHA 
Description            = ESET System Health Agent (SHA) checks compliance of ESET products policy defined by system administrator. 
Version                = 5.0.2126.0  
Vendor name            = ESET 
Registration date      = 23/08/2012 16:12:42 
Initialized            = No 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (0) -  

Id                     = 79744 
Name                   = Windows Security Health Agent
Description            = The Windows Security Health Agent monitors security settings on your computer.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =  
Initialized            = Yes 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating the security state of this computer.
Compliance results     = 
Remediation results    = 

Id                     = 79745 
Name                   = Configuration Manager 2012 System Health Agent 
Description            = Configuration Manager 2012 System Health Agent facilitates enforcement of software update compliance using Network Access Protection. 
Version                = 2012 
Vendor name            = Microsoft Corporation 
Registration date      = 23/01/2013 17:54:04 
Initialized            = No 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (0) -  

Ok.

Output from netsh nap client show grouppolicy:


NAP client configuration (group policy): 
---------------------------------------------------- 

NAP client configuration: 
---------------------------------------------------- 

Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048 

Hash algorithm = sha1RSA (1.3.14.3.2.29) 

Enforcement clients: 
---------------------------------------------------- 
Name            = DHCP Quarantine Enforcement Client 
ID              = 79617 
Admin           = Enabled 

Name            = IPsec Relying Party 
ID              = 79619 
Admin           = Disabled 

Name            = RD Gateway Quarantine Enforcement Client 
ID              = 79621 
Admin           = Disabled 

Name            = Microsoft Forefront UAG Quarantine Enforcement Client 
ID              = 79622 
Admin           = Disabled 

Name            = EAP Quarantine Enforcement Client 
ID              = 79623 
Admin           = Disabled 

Client tracing: 
---------------------------------------------------- 
State = Enabled 
Level = Advanced 

Trusted server group configuration: 
---------------------------------------------------- 
Group            = HRA Servers 
Require Https    = Enabled 
URL              = https://<FQDN>/domainhra/hcsrvext.dll 
Processing order = 1 
Group            = HRA Servers 
Require Https    = Enabled 
URL              = https://<FQDN>/nondomainhra/hcsrvext.dll 
Processing order = 2 

User interface settings: 
---------------------------------------------------- 
Title       = Network Access Protection 
Description = Your machine does not meet the security requirements defined by the company. If your machine does remediate automatically please contact IT 
Image       =  

Ok.

I've tried running: netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" and restarting the NAP agent on client machines - same thing.

Any ideas what is going wrong?
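Both this post and the earlier "DHCP client enforcement not working" post turn on the three netsh views (show config, show grouppolicy, show state) disagreeing about enforcement client 79617. The following Python sketch is an added example, not part of either post and not Microsoft tooling: it lines the three outputs up per enforcement client ID so the disagreement is visible at a glance. The function names are hypothetical and the sample text is abridged from the output pasted above.

```python
import re

KV = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?)\s*=\s*(.*?)\s*$")

# Sample input, abridged from the three netsh outputs in the post above.
LOCAL_CONFIG = """
Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = Microsoft Forefront UAG Quarantine Enforcement Client
ID              = 79622
Admin           = Enabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Disabled
"""
GROUP_POLICY = (LOCAL_CONFIG
                .replace("79617\nAdmin           = Disabled", "79617\nAdmin           = Enabled")
                .replace("79622\nAdmin           = Enabled", "79622\nAdmin           = Disabled"))
STATE = """
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Status                 = Enabled
Restriction state      = Not restricted
GroupPolicy            = Configured

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = Yes

Id                     = 79622
Name                   = Microsoft Forefront UAG Quarantine Enforcement Client
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Initialized            = No
"""


def records(text):
    """Split netsh output into blank-line-separated dicts of 'Key = value' pairs."""
    out, cur = [], {}
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            cur[m.group(1).lower()] = m.group(2)
        elif not line.strip() and cur:
            out.append(cur)
            cur = {}
    if cur:
        out.append(cur)
    return out


def enforcement_admin(text):
    """Map enforcement client ID -> (name, admin_enabled) from show config/grouppolicy."""
    return {int(r["id"]): (r["name"], r["admin"] == "Enabled")
            for r in records(text)
            if {"name", "id", "admin"} <= r.keys() and r["id"].isdigit()}


def initialized(text):
    """Map component ID -> Initialized flag from show state."""
    return {int(r["id"]): r["initialized"] == "Yes"
            for r in records(text)
            if {"id", "initialized"} <= r.keys() and r["id"].isdigit()}


def group_policy_configured(state_text):
    """True when show state reports 'GroupPolicy = Configured'."""
    return any(r.get("grouppolicy") == "Configured" for r in records(state_text))


def compare(local_cfg, gpo_cfg, state):
    """One row per enforcement client: GPO admin, local admin, Initialized, mismatch."""
    local, gpo, init = enforcement_admin(local_cfg), enforcement_admin(gpo_cfg), initialized(state)
    rows = []
    for ec_id in sorted(local.keys() | gpo.keys()):
        g, l = gpo.get(ec_id), local.get(ec_id)
        g_on, l_on = (g[1] if g else None), (l[1] if l else None)
        rows.append({"id": ec_id, "name": (g or l)[0], "gpo": g_on, "local": l_on,
                     "initialized": init.get(ec_id), "mismatch": g_on != l_on})
    return rows


if __name__ == "__main__":
    print("GroupPolicy configured:", group_policy_configured(STATE))
    for row in compare(LOCAL_CONFIG, GROUP_POLICY, STATE):
        print(row)
```

On the sample, client 79617 is reported as enabled by group policy, disabled in the local configuration and initialized, which is the combination both posts describe.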

The Network Policy Server service terminated with the following error: %%-2147014883


Hello,

NPS Server does not start.


In the System logs of Event Viewer we have entry:

The Network Policy Server service terminated with the following error: 
%%-2147014883

Operating system:

Windows Server 2008 R2 Enterprise

Please advise on steps how to troubleshoot it.

Thanks,


Andrei Moraru Endava

error 691 vpn connection, are there any mistakes?


Dear All,

As you can see in the link, I think my Windows Server 2008 R2 and Windows 7 settings are correct, but the error code insists on 691. Client and server firewalls are off.

Any suggestion to solve my problem please?

Regards,

M.

the link: http://sdrv.ms/Ys74ms


mAJID pAMADOR

Single sign on to integrate Windows AD, Google mail and LOB (SAP) on Linux

Is there a Single sign on solution to integrate Windows AD, Google mail and LOB (SAP) on Linux?

Domain Controller GPO causes Event ID 6273, Reason Code 16, Credential mismatch in NPS


I am running NPS as a RADIUS server on a domain controller for a Cisco VPN gateway on Windows 2008 R2 for the domain in our subsidiary in the U.S. We have it configured using MS-CHAP-v2 and authenticating against AD (authenticate on local machine) and all is good. However, when I applied a GPO that we developed and deployed in our head office using the CIS CAT tools to increase security on the domain controllers, the NPS server begins rejecting everyone who connects with Event ID 6273, Reason Code 16, "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.".

If I remove the GPO, all is well again. I have gone through the GPO and made sure there were no references to accounts (groups or otherwise) or network paths that were not available in the aforementioned domain. I am wondering if NPS requires unauthenticated access to the directory in order to perform the account lookups. The reason I ask is that after the GPO is active, I never see the event indicating a connection to the directory (Event ID 4400). We have disabled all unauthenticated access to AD as well as anonymous account enumeration in the GPO. Should we be running NPS with a user account in this case?
