These days, I spend most of my work time (nights included!) with DirectAccess and Network Access Protection. During a PoC, I was surprised to see a NAP client that was considered compliant but was still unable to access the internal network. The problem: by default, the NAP client is not configured to trace the relevant events, and the Group Policy generated by Forefront UAG does not include this option. A little NETSH.EXE magic can solve this:
Once tracing was enabled, I was able to find the following event: the NAP client is considered compliant, but it cannot obtain a certificate from the Health Registration Authority (HRA).
Let's keep that Correlation ID in mind and look for a corresponding event in the System log of my UAG box, which is also my HRA. There it is: an event with the same Correlation ID. And now the problem appears: 0x80070005, which is the nickname for Access Denied (the HRESULT wrapping Win32 error 5).
My Health Registration Authority does not have the required permissions on the CA to request the System Health Authentication certificate on the client's behalf. Here are the correct permissions:
Don't forget to restart the Certificate Services service (CertSvc) for the new permissions to take effect. Keep this URL in the bookmarks of your favorite browser: Network Access Protection Troubleshooting Guide.
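The whole troubleshooting procedure above (enable NAP client tracing, correlate the client event with the HRA's System log event through the Correlation ID, decode the HRESULT, then restart Certificate Services once the CA permissions are fixed) as a PowerShell script. This is an added example and not code from the original post: the server name UAG01 and the Correlation ID are placeholders, the script assumes administrative rights on the NAP client plus remote event log access to the HRA, and the CA permissions themselves must still be granted by hand in the CA console before the final restart step.

```powershell
# Added example, not part of the original post.
# Placeholders (assumptions): the HRA/UAG server name and the Correlation ID.
param(
    [string]$HraServer     = 'UAG01',                                  # assumed name of the UAG box that is also the HRA
    [string]$CorrelationId = '{00000000-0000-0000-0000-000000000000}'  # placeholder; paste the one from the client event
)

# Step 1 (on the NAP client): enable verbose NAP client tracing.
# The UAG-generated GPO does not turn this on, so it has to be done by hand.
netsh nap client set tracing state=enable level=verbose
netsh nap client show tracing

# Step 2 (on the NAP client): find the NAP client events carrying the Correlation ID.
# The NAP client logs to the Microsoft-Windows-NetworkAccessProtection/Operational channel.
$clientEvents = Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($CorrelationId) }
$clientEvents | Format-List TimeCreated, Id, Message

# Step 3 (on the HRA): look for a System log event with the same Correlation ID.
$hraEvents = Get-WinEvent -ComputerName $HraServer -LogName 'System' |
    Where-Object { $_.Message -match [regex]::Escape($CorrelationId) }
$hraEvents | Format-List TimeCreated, Id, ProviderName, Message

# Step 4: decode any HRESULT found in those messages. A 0x8007xxxx HRESULT (FACILITY_WIN32)
# wraps a Win32 error code in its low 16 bits: 0x80070005 -> Win32 error 5 -> "Access is denied".
function Convert-HResultToMessage {
    param([Parameter(Mandatory)][string]$Hex)
    $hr = [Convert]::ToInt64($Hex, 16)
    if (($hr -band 0xFFFF0000) -eq 0x80070000) {
        $win32 = [int]($hr -band 0xFFFF)
        return "$Hex = Win32 error $win32 : " + (New-Object System.ComponentModel.Win32Exception($win32)).Message
    }
    return "$Hex is not a FACILITY_WIN32 HRESULT"
}

$hraEvents | ForEach-Object {
    [regex]::Matches($_.Message, '0x[0-9A-Fa-f]{8}') | ForEach-Object { Convert-HResultToMessage $_.Value }
} | Sort-Object -Unique

# Step 5 (on the CA, only after the HRA's permissions have been fixed in the CA console):
# restart Certificate Services so the new permissions are picked up.
Restart-Service -Name CertSvc
```

Run steps 1 and 2 on the NAP client and step 3 from a box that can read the HRA's System log remotely; if the HRA side returns nothing for the Correlation ID, the request never reached the HRA and the problem is in front of it (IPsec, DNS, or the HRA URL in the client policy) rather than on the CA.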
DirectAccess project rule no. 1: always check the prerequisites twice; it's never enough!
BenoitS – Simple and Secure by Design but Business compliant