RGB42

asked on

Troubleshooting NAP: Non NAP Capable client

I'm attempting to configure Network Access Protection via Remote Desktop Gateway, but when I attempt to connect to a network resource via the RDGateway the connection fails with the error "...your computer or device did not pass the Network Access Protection requirements...".
The Windows Security Logs on the RDGateway server show event IDs 6272 and 6276, basically stating that the client is Non NAP Capable.  However, I have gone through all the troubleshooting steps I can find online for the client as well as the server, but nothing has worked so far.

The steps I used for my set-up can be found here:
http://technet.microsoft.com/en-us/library/gg618548(v=ws.10).aspx

I am working in a production domain with a brand new server acting as the RDGateway and NAP server.  Also, in my environment, I did not configure a Remote Desktop Session Host, but instead am attempting to connect to another available server.

On the server side, I temporarily altered the NPS Network "NAP RD Gateway Non NAP-Capable" policy to allow full network access just to verify that the policies are being processed and was able to connect just fine.

On the client, I downloaded and executed the tsgqecclientconfig.cmd as noted in the instructions, rebooted, and verified that the registry settings were correct.  
The command "netsh nap client show state" returns the following:

C:\>netsh nap client show state

Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =
GroupPolicy            = Not Configured

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79619
Name                   = IPsec Relying Party
Description            = Provides IPsec based enforcement for Network Access Pr
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79621
Name                   = RD Gateway Quarantine Enforcement Client
Description            = Provides RD Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides Network Access Protection enforcement for EAP
as those used with 802.1X and VPN technologies.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent
Description            = The Windows Security Health Agent monitors security se
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes
Failure category       = None
Remediation state      = Success
Remediation percentage = 0
Fixup Message          = (3237937214) - The Windows Security Health Agent has f
is computer.

Compliance results     =
Remediation results    =

Id                     = 88048
Name                   = Intel(R) AMT SHA
Description            = Intel(R) AMT SHA Application
Version                = VER_PRODUCTVERSION_STR
Vendor name            = Intel(R)
Registration date      = 5/7/2010 11:50:27 AM
Initialized            = No
Failure category       = None
Remediation state      = Success
Remediation percentage = 0
Fixup Message          = (0) -

Ok.
------------------------------------------------------------------------------------------------------------------------------

These settings appear to be correct based on what I've found online so far.

I've allowed full access through all firewalls between the client and the server and tested access, so that doesn't appear to be the issue either.

From what I can gather, either the client is not sending a SoH, or the server is not receiving it.

If anyone has seen this issue before or thinks they might have a solution, I'd certainly appreciate your assistance.

Thanks,

RGB
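
Added example (not part of the original post and not Microsoft tooling): a small Python parser for the `netsh nap client show state` layout shown above, which reports whether the three client-side values the post inspects hold: NAP agent enabled, RD Gateway QEC 79621 initialized, and at least one SHA initialized. The sample text is constructed and abbreviated, and `parse_nap_state` and `rdg_nap_findings` are hypothetical names.

```python
import re
# Constructed sample, abbreviated from the layout of the output in the post.
SAMPLE = """\
Client state:
----------------------------------------------------
Status                 = Enabled

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Initialized            = No

Id                     = 79621
Initialized            = Yes

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Description            = The Windows Security Health Agent monitors security
settings on this computer.
Initialized            = Yes
"""

def parse_nap_state(text):
    """Map each section title to its list of records (field -> value dicts)."""
    sections, records, key = {}, None, None
    for line in (l.rstrip() for l in text.splitlines()):
        kv = re.match(r"(.+?)\s*=\s?(.*)$", line)
        if not line or re.fullmatch(r"-{5,}", line):
            key = None                        # blank/separator ends a wrapped value
        elif kv and records is not None:
            key = kv.group(1)
            if not records or key == "Id":    # "Id" opens a new record
                records.append({})
            records[-1][key] = kv.group(2)
        elif line.endswith(":") and not kv:   # section header
            records, key = sections.setdefault(line[:-1], []), None
        elif key:                             # console-wrapped continuation line
            records[-1][key] += " " + line
    return sections

def rdg_nap_findings(s):
    """Hypothetical triage helper: list the client-side prerequisites that fail."""
    ok = lambda sec, **want: any(want.items() <= r.items() for r in s.get(sec, []))
    checks = [
        ("NAP agent not enabled", ok("Client state", Status="Enabled")),
        ("RD Gateway QEC (79621) not initialized",
         ok("Enforcement client state", Id="79621", Initialized="Yes")),
        ("no SHA initialized", ok("System health agent (SHA) state", Initialized="Yes")),
    ]
    return [msg for msg, passed in checks if not passed]
```

An empty result only means the client-side state matches what the post shows; it says nothing about whether the server received the SoH.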
ritsee

My issue was similar, same error. I had installed a new certificate using the certificates snap-in, tested RDWeb and it was coming up with the new cert, so I thought cool, job done, but no.

I had to go into the RD Gateway Manager, and from there I could see there was an error about the certificate. I then had to import the certificate and apply it, and then this error went away.
Seth Simmons
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.