Debugging NAP Errors (part 1)

I’ve heard from a lot of folks who set up NAP in a lab who would love to have more information on all the great data that Network Policy Server (NPS) writes into the audit log. If you haven’t checked out our auditing, go to Server Manager and click on the main node for our role (Network Policy and Access Services). You will see all related NAP server events at the top of the right hand pane. The same events are written to the Security event log (source Microsoft-Windows-Security-Auditing, task category Network Policy Server), so you can also pull them from Event Viewer or with Get-WinEvent: a client that passed its health check is event 6278 (“granted full access to a user because the host met the defined health policy”), a client that failed and was restricted is 6276 (“quarantined a user”), and a client that failed but was let on under deferred enforcement is 6277 (“granted access to a user but put it on probation”).

This will be part 1 in a series of “Debugging NAP” posts. I decided to kick it off by examining the messages / errors which come from our Windows Security Center NAP integration piece (included in XP SP3, Vista and Server 2008). It is called the Windows Security Health Agent (WSHA) on the client and the Windows Security Health Validator (WSHV) on the server, which is the name you will see in the audit log excerpts below.

Let’s start with XP.

Here is a Windows XP SP3 client in my office hitting the “compliant” policy for 802.1x based NAP.

Network Policy Server granted full access to a user because the host met the defined health policy.

User:

                Security ID: JEFFSI-WS08\Jeff

                Account Name: JEFFSI-WS08\Jeff

                Account Domain: JEFFSI-WS08

                Fully Qualified Account Name: JEFFSI-WS08\Jeff

Client Machine:

                Security ID: NULL SID

                Account Name: jeffsi-xpsp3

                Fully Qualified Account Name: -

                OS-Version: 5.1.2600 3.0 x86 Domain Controller

                Called Station Identifier: 00-16-b9-a5-ca-00

                Calling Station Identifier: 00-c0-9f-ed-36-fe

NAS:

                NAS IPv4 Address: 30.0.0.1

                NAS IPv6 Address: -

                NAS Identifier: ProCurve Switch 2626

                NAS Port-Type: Ethernet

                NAS Port: 5

RADIUS Client:

                Client Friendly Name: HP ProCurve 2626

                Client IP Address: 10.0.0.1

Authentication Details:

                Proxy Policy Name: NAP 802.1X (Wired)

                Network Policy Name: NAP 802.1X (Wired) Compliant

                Authentication Provider: Windows

                Authentication Server: JEFFSI-WS08

                Authentication Type: PEAP

                EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

                Account Session Identifier: -

Quarantine Information:

                Result: Full Access

                Extended-Result: -

                Session Identifier: {546059F2-1B15-416B-88BC-F1DC391E6491} - 2008-02-09 17:37:04.781Z

                Help URL: -

                System Health Validator Result(s):

Windows Security Health Validator

                Compliant

                No Data

                None

(0x0 - ) Firewall Status

(0x0 - ) Anti-Virus Status

(0x0 - ) **Not used on XP**

(0x0 - ) Automatic Update Status

(0x0 - ) Update (Patch) Status

(0x0 - ) Update Severity Rating

At the very end of this audit is the interesting data for NAP compliance. Each parenthesized position is one Windows Security Center component, reported in a fixed order; I have labeled each position next to its code above (XP reports six positions, and the third one is not used on XP). In the case above the client is fully compliant and every position is 0x0, which means “no error – looking good”. When a component fails you will instead see a 0xC0FF… code (the high bit set is the Windows convention for a failure code) whose meaning is in the error code table at the end of the post. The last position is different: it is not an error code but the Update Severity Rating bit, decoded in the severity table at the end of the post.

Let’s do some error examples:

Firewall turned OFF on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0xc0ff0001 - A system health component is not enabled. )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Anti-Virus real-time protection DISABLED on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0xc0ff0047 - A third-party system health component is not enabled. )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Automatic Updates turned OFF on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0001 - A system health component is not enabled. )

                (0x0 - )

                (0x0 - )

Update MISSING on the client -or- the client hasn’t successfully contacted the patch server (WSUS) recently:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed. )

                (0x40 - **See Severity Codes table at the end of the post** )

Now on to Vista.

Here is a Windows Vista SP1 client in my office hitting the “compliant” policy for 802.1x based NAP. Notice the slight difference in the codes below.

Network Policy Server granted full access to a user because the host met the defined health policy.

User:

                Security ID: JEFFSI-WS08\Jeff

                Account Name: JEFFSI-WS08\jeff

                Account Domain: JEFFSI-WS08

                Fully Qualified Account Name: JEFFSI-WS08\jeff

Client Machine:

                Security ID: NULL SID

                Account Name: Jeffsi-VistaSP1.redmond.corp.microsoft.com

                Fully Qualified Account Name: -

                OS-Version: 6.0.6001 1.0 x86 Domain Controller

                Called Station Identifier: 00-16-b9-a5-ca-00

                Calling Station Identifier: 00-07-e9-12-2b-d0

NAS:

                NAS IPv4 Address: 30.0.0.1

                NAS IPv6 Address: -

                NAS Identifier: ProCurve Switch 2626

                NAS Port-Type: Ethernet

                NAS Port: 7

RADIUS Client:

                Client Friendly Name: HP ProCurve 2626

                Client IP Address: 10.0.0.1

Authentication Details:

                Proxy Policy Name: NAP 802.1X (Wired)

                Network Policy Name: NAP 802.1X (Wired) Compliant

                Authentication Provider: Windows

                Authentication Server: JEFFSI-WS08

                Authentication Type: PEAP

                EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

                Account Session Identifier: -

Quarantine Information:

                Result: Full Access

                Extended-Result: -

                Session Identifier: {E043E3C1-8B1C-4DF6-AF1B-67C035120F42} - 2008-02-20 05:38:57.863Z

                Help URL: -

                System Health Validator Result(s):

Windows Security Health Validator

                Compliant

                No Data

                None

(0x0 - ) Firewall Status

(0x0 - ) Anti-Virus Status

(0x0 - ) Anti-Virus Up-to-date

(0x0 - ) Anti-Malware Status

(0x0 - ) Anti-Malware Up-to-date

(0x0 - ) Automatic Update Status

(0x0 - ) Update (Patch) Status

(0x0 - ) Update Severity Rating

Firewall turned OFF on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0xc0ff0001 - A system health component is not enabled)

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Anti-Virus real-time protection DISABLED on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0xc0ff0047 - A third-party system health component is not enabled. )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Anti-Malware real-time protection DISABLED on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0001 - A system health component is not enabled. )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Automatic Updates turned OFF on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0001 - A system health component is not enabled. )

                (0x0 - )

                (0x0 - )

Update MISSING on the client -or- the client hasn’t successfully contacted the patch server (WSUS) recently:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed. )

                (0x400 - **See Severity Codes table at the end of the post** )

I also thought it would be cool to give you some of the internal codes. Check ’em out.

Update Severity Rating Codes (the last position of the WSHV result; each rating is its own bit)

                0x00000040      Unspecified (All)

                0x00000080      Low

                0x00000100      Moderate

                0x00000200      Important

                0x00000400      Critical

So the XP “Update MISSING” example above reported 0x40 (Unspecified / All) and the Vista one reported 0x400 (Critical).

Windows Security Health Agent / Validator Error Codes (0x0 in a position means that component passed)

                0xC0FF0001      A system health component is not enabled.

                0xC0FF0002      A system health component is not installed.

                0xC0FF0003      The Windows Security Center service is not running.

                0xC0FF0004      The signatures for a particular system health component are not up to date.

                0xC0FF0007      This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed.

                0xC0FF0017      The Windows Security Health Validator could not process the latest Statement of Health (SoH) because the SoH is invalid.

                0xC0FF0018      The Windows Security Center service has not started. An administrator may try to start the service manually.

                0xC0FF0047      A third-party system health component is not enabled.

                0xC0FF0048      The signatures for a particular third-party system health component are not up to date.
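To put the two position maps (six positions on XP, eight on Vista) and the two code tables above to work, here is an added example of a decoder for the WSHV result block. It is not code from this post or from the NAP product. It assumes only that you have the audit event’s message text (for instance the Message property of a 6276 or 6278 Security-log event retrieved with Get-WinEvent), and it tells the two layouts apart by the major version in the OS-Version line (5.x is treated as the XP layout, 6.x and later as the Vista layout; that rule is an assumption of the example). The two sample messages are constructed, condensed from the Vista “Update MISSING” and XP “Firewall turned OFF” excerpts above, and a couple of the error texts are abbreviated from the table.

```python
import re
# Positional layout of the WSHV result block per client OS family (from the post above):
# Windows XP SP3 reports six positions (the third is unused); Vista reports eight.
XP_POSITIONS = ("Firewall Status", "Anti-Virus Status", "(not used on XP)",
                "Automatic Update Status", "Update (Patch) Status", "Update Severity Rating")
VISTA_POSITIONS = ("Firewall Status", "Anti-Virus Status", "Anti-Virus Up-to-date",
                   "Anti-Malware Status", "Anti-Malware Up-to-date",
                   "Automatic Update Status", "Update (Patch) Status", "Update Severity Rating")
SEVERITY_SLOT = "Update Severity Rating"

# WSHA/WSHV codes from the table in the post (0x0 in a position means that component passed).
WSHV_CODES = {
    0xC0FF0001: "A system health component is not enabled.",
    0xC0FF0002: "A system health component is not installed.",
    0xC0FF0003: "The Windows Security Center service is not running.",
    0xC0FF0004: "The signatures for a particular system health component are not up to date.",
    0xC0FF0007: "This computer will be automatically synchronized with the Windows Server "
                "Update Services server and new security updates must be installed.",
    0xC0FF0017: "The WSHV could not process the latest Statement of Health (SoH) because the SoH is invalid.",
    0xC0FF0018: "The Windows Security Center service has not started.",
    0xC0FF0047: "A third-party system health component is not enabled.",
    0xC0FF0048: "The signatures for a particular third-party system health component are not up to date.",
}

# Update Severity Rating values (last position); each rating is a distinct bit.
SEVERITY_BITS = {0x40: "Unspecified (All)", 0x80: "Low", 0x100: "Moderate",
                 0x200: "Important", 0x400: "Critical"}


def client_os_major(message):  # major version from the "OS-Version: 5.1.2600 ..." line
    m = re.search(r"OS-Version:\s*(\d+)\.\d+", message)
    return int(m.group(1)) if m else None


def positions_for(major):  # assumption: 6.x and later use the Vista layout, anything else XP's
    return VISTA_POSITIONS if major is not None and major >= 6 else XP_POSITIONS


def decode_code(slot, code):
    """Human-readable meaning of one positional code."""
    if slot == SEVERITY_SLOT:
        if code == 0:
            return "no severity reported"
        names = [name for bit, name in SEVERITY_BITS.items() if code & bit]
        return "severity " + "/".join(names) if names else "unknown severity bits 0x%x" % code
    if code == 0:
        return "OK"
    if code in WSHV_CODES:
        return WSHV_CODES[code]
    # A set high bit is the Windows convention for a failure code; flag unknown ones either way.
    return "unlisted %s code 0x%08x" % ("failure" if code & 0x80000000 else "status", code)


def parse_wshv(message):
    """Compliance flag, layout used and per-position findings for one audit event message."""
    head, marker, block = message.partition("Windows Security Health Validator")
    if not marker:
        raise ValueError("message has no Windows Security Health Validator block")
    status = re.search(r"\b(NonCompliant|Compliant)\b", block)
    codes = [int(c, 16) for c in re.findall(r"\(\s*(0x[0-9A-Fa-f]+)\s*-", block)]
    layout = positions_for(client_os_major(head))
    if len(codes) != len(layout):  # wrong OS guess or truncated message: refuse to mislabel slots
        raise ValueError("expected %d result positions, found %d" % (len(layout), len(codes)))
    findings = [(slot, code, decode_code(slot, code)) for slot, code in zip(layout, codes)]
    return {
        "compliant": status.group(1) == "Compliant" if status else None,
        "layout": "vista" if layout is VISTA_POSITIONS else "xp",
        "findings": findings,
        "failures": [f for f in findings if f[1] != 0 and f[0] != SEVERITY_SLOT],
    }


# Constructed samples, condensed from two of the audit excerpts in the post.
SAMPLE_VISTA_PATCH_MISSING = """OS-Version: 6.0.6001 1.0 x86 Domain Controller
Windows Security Health Validator
\tNonCompliant
\t(0x0 - )
\t(0x0 - )
\t(0x0 - )
\t(0x0 - )
\t(0x0 - )
\t(0x0 - )
\t(0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed. )
\t(0x400 - )
"""

SAMPLE_XP_FIREWALL_OFF = """OS-Version: 5.1.2600 3.0 x86 Domain Controller
Windows Security Health Validator
\tNonCompliant
\t(0xc0ff0001 - A system health component is not enabled. )
\t(0x0 - )
\t(0x0 - )
\t(0x0 - )
\t(0x0 - )
\t(0x0 - )
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VISTA_PATCH_MISSING, SAMPLE_XP_FIREWALL_OFF):
        result = parse_wshv(sample)
        print(result["layout"], "Compliant" if result["compliant"] else "NonCompliant")
        for slot, code, meaning in result["findings"]:
            print("  %-24s 0x%08x  %s" % (slot, code, meaning))
```

Run as a script it prints one labeled line per position for each sample; the Vista one comes out with “Update (Patch) Status” carrying 0xC0FF0007 and the severity slot decoded as Critical, the XP one with “Firewall Status” carrying 0xC0FF0001. parse_wshv deliberately raises rather than guessing when the number of positions does not match the layout it picked from the OS-Version line, which is the case to look at first if a client is sending an SoH you do not expect.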

I hope this helps when you are troubleshooting between a NAP client/server. Please let me know what you think about this post and feel free to add comments with any questions you might have!

Jeff Sigman
Senior Program Manager
Network Access Protection (NAP)

Please check out the NAP Blog, FAQ, Forum, MSDN and Site.