Jaa


Debugging NAP Errors (part 1)

I’ve heard from a lot of folks who set up NAP in a lab who would love to have more information on all the great data that Network Policy Server (NPS) writes into the audit log. If you haven’t checked out our auditing, go to Server Manager and click on the main node for our role (Network Policy and Access Services). You will see all related NAP server events at the top of the right hand pane.

This will be part 1 in a series of “Debugging NAP” posts. I decided to kick it off by examining the messages / errors which come from our Windows Security Center NAP integration piece (included in XP SP3, Vista and Server 2008). It is called the Windows System Health Agent on the client (or WSHA) and the Windows System Health Validator on the server (or WSHV).

Let’s start with XP.

Here is a Windows XP SP3 client in my office hitting the “compliant” policy for 802.1x based NAP.

Network Policy Server granted full access to a user because the host met the defined health policy.

User:

                Security ID: JEFFSI-WS08\Jeff

                Account Name: JEFFSI-WS08\Jeff

                Account Domain: JEFFSI-WS08

                Fully Qualified Account Name: JEFFSI-WS08\Jeff

Client Machine:

                Security ID: NULL SID

                Account Name: jeffsi-xpsp3

                Fully Qualified Account Name: -

                OS-Version: 5.1.2600 3.0 x86 Domain Controller

                Called Station Identifier: 00-16-b9-a5-ca-00

                Calling Station Identifier: 00-c0-9f-ed-36-fe

NAS:

                NAS IPv4 Address: 30.0.0.1

                NAS IPv6 Address: -

                NAS Identifier: ProCurve Switch 2626

                NAS Port-Type: Ethernet

                NAS Port: 5

RADIUS Client:

                Client Friendly Name: HP ProCurve 2626

                Client IP Address: 10.0.0.1

Authentication Details:

                Proxy Policy Name: NAP 802.1X (Wired)

                Network Policy Name: NAP 802.1X (Wired) Compliant

                Authentication Provider: Windows

                Authentication Server: JEFFSI-WS08

                Authentication Type: PEAP

                EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

                Account Session Identifier: -

Quarantine Information:

                Result: Full Access

                Extended-Result: -

                Session Identifier: {546059F2-1B15-416B-88BC-F1DC391E6491} - 2008-02-09 17:37:04.781Z

                Help URL: -

                System Health Validator Result(s):

Windows Security Health Validator

                Compliant

                No Data

                None

(0x0 - ) Firewall Status

(0x0 - ) Anti-Virus Status

(0x0 - ) **Not used on XP**

(0x0 - ) Automatic Update Status

(0x0 - ) Update (Patch) Status

(0x0 - ) Update Severity Rating

At the very end of this audit is the interesting data for NAP compliance. Each position, denoted by “0x0” has significance in the Windows Security Center. I have mapped them out in yellow above. In the case above, the client is fully compliant and 0x0 means “no errors – looking good”.

Let’s do some error examples:

Firewall turned OFF on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0xc0ff0001 - A system health component is not enabled. )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Anti-Virus real-time protection DISABLED on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0xc0ff0047 - A third-party system health component is not enabled. )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Automatic Updates turned OFF on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0001 - A system health component is not enabled. )

                (0x0 - )

                (0x0 - )

Update MISSING on the client -or- the client hasn’t successfully contacted patch server recently:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed. )

                (0x40 - **See Severity Codes table at the end of the post** )

Now on to Vista.

Here is a Windows Vista SP1 client in my office hitting the “compliant” policy for 802.1x based NAP. Notice the slight difference in the codes below.

Network Policy Server granted full access to a user because the host met the defined health policy.

User:

                Security ID: JEFFSI-WS08\Jeff

                Account Name: JEFFSI-WS08\jeff

                Account Domain: JEFFSI-WS08

                Fully Qualified Account Name: JEFFSI-WS08\jeff

Client Machine:

                Security ID: NULL SID

                Account Name: Jeffsi-VistaSP1.redmond.corp.microsoft.com

                Fully Qualified Account Name: -

                OS-Version: 6.0.6001 1.0 x86 Domain Controller

                Called Station Identifier: 00-16-b9-a5-ca-00

                Calling Station Identifier: 00-07-e9-12-2b-d0

NAS:

                NAS IPv4 Address: 30.0.0.1

                NAS IPv6 Address: -

                NAS Identifier: ProCurve Switch 2626

                NAS Port-Type: Ethernet

                NAS Port: 7

RADIUS Client:

                Client Friendly Name: HP ProCurve 2626

                Client IP Address: 10.0.0.1

Authentication Details:

                Proxy Policy Name: NAP 802.1X (Wired)

                Network Policy Name: NAP 802.1X (Wired) Compliant

                Authentication Provider: Windows

                Authentication Server: JEFFSI-WS08

                Authentication Type: PEAP

                EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

                Account Session Identifier: -

Quarantine Information:

                Result: Full Access

                Extended-Result: -

                Session Identifier: {E043E3C1-8B1C-4DF6-AF1B-67C035120F42} - 2008-02-20 05:38:57.863Z

                Help URL: -

                System Health Validator Result(s):

Windows Security Health Validator

                Compliant

                No Data

                None

(0x0 - ) Firewall Status

(0x0 - ) Anti-Virus Status

(0x0 - ) Anti-Virus Up-to-date

(0x0 - ) Anti-Malware Status

(0x0 - ) Anti-Malware Up-to-date

(0x0 - ) Automatic Update Status

(0x0 - ) Update (Patch) Status

(0x0 - ) Update Severity Rating

Firewall turned OFF on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0xc0ff0001 - A system health component is not enabled)

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Anti-Virus real-time protection DISABLED on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0xc0ff0047 - A third-party system health component is not enabled. )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Anti-Malware real-time protection DISABLED on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0001 - A system health component is not enabled. )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

Automatic Updates turned OFF on the client:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0001 - A system health component is not enabled. )

                (0x0 - )

                (0x0 - )

Update MISSING on the client -or- the client hasn’t successfully contacted patch server recently:

Windows Security Health Validator

                NonCompliant

                No Data

                None

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0x0 - )

                (0xc0ff0007 - This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed. )

                (0x400 - **See Severity Codes table at the end of the post** )

I also thought it would be cool to give you some of the internal codes. Check ‘um out.

Update Severity Rating Codes

0x00000040

Unspecified (All)

0x00000080

Low

0x00000100

Moderate

0x00000200

Important

0x00000400

Critical

Windows System Health Agent / Validator Error Codes

0xC0FF0001

A system health component is not enabled.

0xC0FF0002

A system health component is not installed.

0xC0FF0003

The Windows Security Center service is not running.

0xC0FF0004

The signatures for a particular system health component are not up to date.

0xC0FF0007

This computer will be automatically synchronized with the Windows Server Update Services server and new security updates must be installed.

0xC0FF0017

The Windows Security Health Validator could not process the latest Statement of Health (SoH) because the SoH is invalid.

0xC0FF0018

The Windows Security Center service has not started. An administrator may try to start the service manually.

0xC0FF0047

A third-party system health component is not enabled.

0xC0FF0048

The signatures for a particular third-party system health component are not up to date.

I hope this helps when you are troubleshooting between a NAP client/server. Please let me know what you think about this post and feel free to add comments with any questions you might have!

Jeff Sigman
Senior Program Manager
Network Access Protection (NAP)

Please check out the NAP Blog, FAQ, Forum, MSDN and Site.

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed
  • Anonymous
    February 22, 2008
    Hey NAP team, I want to ask 2 more FAQs.
  1. What editions of XP is the NAP client supported on? XP Pro, Tablet, MCE, Home?
  2. Since MMC 3.0 is also available in XPSP3, does MS plan in the future to develop a graphical MMC snap-in for XP?