Debugging NAP Errors (part 1)
I’ve heard from a lot of folks who set up NAP in a lab who would love to have more information on all the great data that Network Policy Server (NPS) writes into the audit log. If you haven’t checked out our auditing, go to Server Manager and click on the main node for our role (Network Policy and Access Services). You will see all related NAP server events at the top of the right hand pane.
This will be part 1 in a series of “Debugging NAP” posts. I decided to kick it off by examining the messages and errors which come from our Windows Security Center NAP integration piece (included in XP SP3, Vista and Server 2008). It is called the Windows System Health Agent on the client (or WSHA) and the Windows System Health Validator on the server (or WSHV).
Let’s start with XP.
Here is a Windows XP SP3 client in my office hitting the “compliant” policy for 802.1X-based NAP.
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: JEFFSI-WS08\Jeff
Account Name: JEFFSI-WS08\Jeff
Account Domain: JEFFSI-WS08
Fully Qualified Account Name: JEFFSI-WS08\Jeff
Client Machine:
Security ID: NULL SID
Account Name: jeffsi-xpsp3
Fully Qualified Account Name: -
OS-Version: 5.1.2600 3.0 x86 Domain Controller
Called Station Identifier: 00-16-b9-a5-ca-00
Calling Station Identifier: 00-c0-9f-ed-36-fe
NAS:
NAS IPv4 Address: 30.0.0.1
NAS IPv6 Address: -
NAS Identifier: ProCurve Switch 2626
NAS Port-Type: Ethernet
NAS Port: 5
RADIUS Client:
Client Friendly Name: HP ProCurve 2626
Client IP Address: 10.0.0.1
Authentication Details:
Proxy Policy Name: NAP 802.1X (Wired)
Network Policy Name: NAP 802.1X (Wired) Compliant
Authentication Provider: Windows
Authentication Server: JEFFSI-WS08
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: {546059F2-1B15-416B-88BC-F1DC391E6491} - 2008-02-09 17:37:04.781Z
Help URL: -
System Health Validator Result(s):
Windows Security Health Validator
Compliant
No Data
None

| Position | Value | Meaning |
| --- | --- | --- |
| 1 | (0x0 - ) | Firewall Status |
| 2 | (0x0 - ) | Anti-Virus Status |
| 3 | (0x0 - ) | **Not used on XP** |
| 4 | (0x0 - ) | Automatic Update Status |
| 5 | (0x0 - ) | Update (Patch) Status |
| 6 | (0x0 - ) | Update Severity Rating |
At the very end of this audit event is the interesting data for NAP compliance. Each position, denoted by “0x0”, has significance in the Windows Security Center; I have labelled each position in the table above. In the case above, the client is fully compliant, and 0x0 means “no errors – looking good”.
Let’s do some error examples:
Firewall turned OFF on the client:
Windows Security Health Validator
NonCompliant
No Data
None
(0xc0ff0001 - A system health component is not enabled.)
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
Anti-Virus real-time protection DISABLED on the client:
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0xc0ff0047 - A third-party system health component is not enabled.)
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
Automatic Updates turned OFF on the client:
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0x0 - )
(0x0 - )
(0xc0ff0001 - A system health component is not enabled.)
(0x0 - )
(0x0 - )
Update MISSING on the client -or- the client hasn’t successfully contacted the patch server recently:
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed.)
(0x40 - **See Severity Codes table at the end of the post**)
Now on to Vista.
Here is a Windows Vista SP1 client in my office hitting the “compliant” policy for 802.1X-based NAP. Notice the slight difference in the codes below: Vista reports eight positions rather than six.
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: JEFFSI-WS08\Jeff
Account Name: JEFFSI-WS08\jeff
Account Domain: JEFFSI-WS08
Fully Qualified Account Name: JEFFSI-WS08\jeff
Client Machine:
Security ID: NULL SID
Account Name: Jeffsi-VistaSP1.redmond.corp.microsoft.com
Fully Qualified Account Name: -
OS-Version: 6.0.6001 1.0 x86 Domain Controller
Called Station Identifier: 00-16-b9-a5-ca-00
Calling Station Identifier: 00-07-e9-12-2b-d0
NAS:
NAS IPv4 Address: 30.0.0.1
NAS IPv6 Address: -
NAS Identifier: ProCurve Switch 2626
NAS Port-Type: Ethernet
NAS Port: 7
RADIUS Client:
Client Friendly Name: HP ProCurve 2626
Client IP Address: 10.0.0.1
Authentication Details:
Proxy Policy Name: NAP 802.1X (Wired)
Network Policy Name: NAP 802.1X (Wired) Compliant
Authentication Provider: Windows
Authentication Server: JEFFSI-WS08
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: {E043E3C1-8B1C-4DF6-AF1B-67C035120F42} - 2008-02-20 05:38:57.863Z
Help URL: -
System Health Validator Result(s):
Windows Security Health Validator
Compliant
No Data
None

| Position | Value | Meaning |
| --- | --- | --- |
| 1 | (0x0 - ) | Firewall Status |
| 2 | (0x0 - ) | Anti-Virus Status |
| 3 | (0x0 - ) | Anti-Virus Up-to-date |
| 4 | (0x0 - ) | Anti-Malware Status |
| 5 | (0x0 - ) | Anti-Malware Up-to-date |
| 6 | (0x0 - ) | Automatic Update Status |
| 7 | (0x0 - ) | Update (Patch) Status |
| 8 | (0x0 - ) | Update Severity Rating |
Firewall turned OFF on the client:
Windows Security Health Validator
NonCompliant
No Data
None
(0xc0ff0001 - A system health component is not enabled.)
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
Anti-Virus real-time protection DISABLED on the client:
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0xc0ff0047 - A third-party system health component is not enabled.)
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
Anti-Malware real-time protection DISABLED on the client:
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0x0 - )
(0x0 - )
(0xc0ff0001 - A system health component is not enabled.)
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
Automatic Updates turned OFF on the client:
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0xc0ff0001 - A system health component is not enabled.)
(0x0 - )
(0x0 - )
Update MISSING on the client -or- the client hasn’t successfully contacted the patch server recently:
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed.)
(0x400 - **See Severity Codes table at the end of the post**)
I also thought it would be cool to give you some of the internal codes. Check them out.
Update Severity Rating Codes
| Code | Severity |
| --- | --- |
| 0x00000040 | Unspecified (All) |
| 0x00000080 | Low |
| 0x00000100 | Moderate |
| 0x00000200 | Important |
| 0x00000400 | Critical |
Windows System Health Agent / Validator Error Codes
| Code | Meaning |
| --- | --- |
| 0xC0FF0001 | A system health component is not enabled. |
| 0xC0FF0002 | A system health component is not installed. |
| 0xC0FF0003 | The Windows Security Center service is not running. |
| 0xC0FF0004 | The signatures for a particular system health component are not up to date. |
| 0xC0FF0007 | This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed. |
| 0xC0FF0017 | The Windows Security Health Validator could not process the latest Statement of Health (SoH) because the SoH is invalid. |
| 0xC0FF0018 | The Windows Security Center service has not started. An administrator may try to start the service manually. |
| 0xC0FF0047 | A third-party system health component is not enabled. |
| 0xC0FF0048 | The signatures for a particular third-party system health component are not up to date. |
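As an added example (my own code, not from this post or from the NAP team), here is a small Python parser that takes the “System Health Validator Result(s)” lines of an NPS audit event, works out whether it is looking at the XP (six-position) or Vista/Server 2008 (eight-position) layout by counting the positional lines, and translates every non-zero position using the two tables above. The sample blocks are constructed from the ones shown earlier in this post; the regular expression, the function names and the treatment of the Update Severity Rating value as a bitmask are my assumptions, not documented NPS behaviour.

```python
import re

# Windows System Health Agent / Validator error codes, transcribed from the post's table.
WSHA_ERROR_CODES = {
    0xC0FF0001: "A system health component is not enabled.",
    0xC0FF0002: "A system health component is not installed.",
    0xC0FF0003: "The Windows Security Center service is not running.",
    0xC0FF0004: "The signatures for a particular system health component are not up to date.",
    0xC0FF0007: "This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed.",
    0xC0FF0017: "The Windows Security Health Validator could not process the latest Statement of Health (SoH) because the SoH is invalid.",
    0xC0FF0018: "The Windows Security Center service has not started. An administrator may try to start the service manually.",
    0xC0FF0047: "A third-party system health component is not enabled.",
    0xC0FF0048: "The signatures for a particular third-party system health component are not up to date.",
}

# Update Severity Rating codes from the post. Treating the value as a bitmask is an assumption.
SEVERITY_CODES = {0x40: "Unspecified (All)", 0x80: "Low", 0x100: "Moderate",
                  0x200: "Important", 0x400: "Critical"}

# Meaning of each positional "(0x... - ...)" line, as the post maps them:
# XP SP3 emits six positions, Vista SP1 / Server 2008 emit eight.
POSITION_MAPS = {
    6: ["Firewall Status", "Anti-Virus Status", "Not used on XP",
        "Automatic Update Status", "Update (Patch) Status", "Update Severity Rating"],
    8: ["Firewall Status", "Anti-Virus Status", "Anti-Virus Up-to-date",
        "Anti-Malware Status", "Anti-Malware Up-to-date",
        "Automatic Update Status", "Update (Patch) Status", "Update Severity Rating"],
}

# One positional line: "(0xc0ff0001 - A system health component is not enabled.)" or "(0x0 - )".
CODE_LINE = re.compile(r"^\((0x[0-9A-Fa-f]+)\s*-\s*(.*)\)\s*$")


def decode_severity(value):
    """Expand an Update Severity Rating value into the names from the post's table."""
    names = [name for bit, name in SEVERITY_CODES.items() if value & bit]
    leftover = value & ~sum(SEVERITY_CODES)   # bits the table does not document
    if leftover:
        names.append("unknown bits 0x%x" % leftover)
    return names


def parse_shv_result(block):
    """Parse the SHV result lines of an NPS audit event into a compliance summary."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("SHV result block is too short")
    validator, state = lines[0], lines[1]       # e.g. "Windows Security Health Validator", "NonCompliant"
    codes = []
    for ln in lines[2:]:                        # "No Data" / "None" lines do not match and are skipped
        match = CODE_LINE.match(ln)
        if match:
            codes.append((int(match.group(1), 16), match.group(2).strip()))
    fields = POSITION_MAPS.get(len(codes))
    if fields is None:
        raise ValueError("unexpected number of positional codes: %d" % len(codes))
    findings = []
    for field, (code, text) in zip(fields, codes):
        if code == 0:                           # 0x0 means "no errors" in that position
            continue
        if field == "Update Severity Rating":
            detail = ", ".join(decode_severity(code))
        else:
            detail = WSHA_ERROR_CODES.get(code, text or "undocumented code")
        findings.append({"field": field, "code": code, "detail": detail})
    return {
        "validator": validator,
        "compliant": state.lower() == "compliant",
        "platform": "XP" if len(codes) == 6 else "Vista/Server 2008",
        "findings": findings,
    }


# Constructed samples, modelled on the result blocks shown in the post.
XP_PATCH_MISSING = """
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed.)
(0x40 - )
"""

VISTA_AV_OFF = """
Windows Security Health Validator
NonCompliant
No Data
None
(0x0 - )
(0xc0ff0047 - A third-party system health component is not enabled.)
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
(0x0 - )
"""
```

Calling `parse_shv_result(XP_PATCH_MISSING)` reports the XP layout with two findings, “Update (Patch) Status” carrying 0xC0FF0007 and “Update Severity Rating” decoding to “Unspecified (All)”; the same call on `VISTA_AV_OFF` reports the eight-position layout with a single “Anti-Virus Status” finding of 0xC0FF0047. Because the positional meaning is chosen by line count, the parser fails loudly rather than mislabelling a block whose layout it does not recognise.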
I hope this helps when you are troubleshooting between a NAP client/server. Please let me know what you think about this post and feel free to add comments with any questions you might have!
Jeff Sigman
Senior Program Manager
Network Access Protection (NAP)
Please check out the NAP Blog, FAQ, Forum, MSDN and Site.