Applying Network Access Protection configuration failed

When you try to activate the configuration on a UAG server, the activation might fail with the following messages in the status window:

Error: Applying Network Access Protection configuration failed.

Error: The UAG DirectAccess configuration cannot be activated

Error: DirectAccess could not be activated.

This, ironically, happens even when Network Access Protection (NAP) is not in use at all, and even when DirectAccess is disabled. It often happens because the Health Registration Authority (HRA) sub-role does not exist on your server. Under the hood, UAG routinely runs the following command as part of the activation process:

netsh nap hra reset caserver

This command resets the HRA settings, but since the HRA sub-role does not exist, NETSH returns an error and UAG fails. If you look at the UAG Server trace during such an activation, you will see the following line:

[2]0B88.0BE8::03/11/2011-18:59:06.579 [DA.ConfigAgent]Command [nap hra reset caserver] failed to execute.

The root cause can easily be seen by opening the Server Manager console on the UAG Server and checking the role services listed under the NAP role.

Fixing this is rather easy – click on the top-level NAP role, and scroll down to role services. Click on ‘Add Role Services’ and add the HRA role back. After that, activation should complete successfully!
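
To confirm this cause before changing any roles, the check can be scripted. The following is an added example, not part of the original post: it assumes an elevated PowerShell session on the UAG server with the ServerManager module, a UAG trace already formatted to text (the `$TracePath` parameter is hypothetical), and that the role service's display name is "Health Registration Authority".

```powershell
# Added example. Scans a formatted UAG trace for ConfigAgent commands that
# failed, then checks whether the HRA role service is installed.
param([string]$TracePath)   # hypothetical: path to a text-formatted UAG trace

Import-Module ServerManager

# Pattern built from the trace line quoted in the post:
#   [DA.ConfigAgent]Command [<netsh arguments>] failed to execute.
$failedCmdPattern = '\[DA\.ConfigAgent\]Command \[(?<cmd>[^\]]+)\] failed to execute'

function Get-FailedConfigAgentCommand {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $failedCmdPattern) { $Matches['cmd'] }
    }
}

# Constructed sample (the line quoted in the post), used when no file is given.
$sample = '[2]0B88.0BE8::03/11/2011-18:59:06.579 [DA.ConfigAgent]Command [nap hra reset caserver] failed to execute.'
$lines = if ($TracePath) { Get-Content -Path $TracePath } else { @($sample) }

$failed = @(Get-FailedConfigAgentCommand -Lines $lines | Sort-Object -Unique)
if ($failed.Count -eq 0) {
    Write-Output 'No failed ConfigAgent commands found in the trace.'
    return
}
Write-Output "Failed ConfigAgent commands: $($failed -join '; ')"

# Look the role service up by display name (an assumption, see above).
$hra = Get-WindowsFeature |
    Where-Object { $_.DisplayName -eq 'Health Registration Authority' }

if ($failed -contains 'nap hra reset caserver') {
    if (-not $hra) {
        Write-Warning 'HRA role service not found by display name; check Server Manager manually.'
    } elseif (-not $hra.Installed) {
        Write-Warning 'HRA role service is not installed. Add it back under the NAP role, then activate again.'
    } else {
        Write-Output 'HRA is installed; the reset failed for another reason. Run the netsh command by hand to see its error.'
    }
}
```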

In some cases, you may need to completely remove the NAP role and re-add it. This is lengthier and tougher, because it also removes the RDG role, which takes some configuration when you re-add it later, but your intuition should allow you to configure it properly.

Cheers to Ashu and Ashish for their help with writing this!