The Network Access Protection Agent service may not start after you restart a Windows Vista Service Pack 1-based computer

Article ID: 954373

SYMPTOMS

After you restart a Windows Vista Service Pack 1-based computer, the Network Access Protection Agent service may not start. Also, the Network Access Protection Agent service may not start if you try to manually restart the Network Access Protection Agent service.

Note: Additionally, the following services may not start:
  • KtmRm for Distributed Transaction Coordinator
  • Terminal Services
  • DNS Client

CAUSE

This issue occurs when the trusted server group is configured incorrectly.

RESOLUTION

To resolve this issue, configure the trusted server group. To do this, follow these steps:
  1. Click Start, click Run, type gpmc.msc, and then press ENTER.
  2. Locate and right-click Group Policy Object, and then click New.
  3. Type NAP client settings in the Name box, and then click OK.
  4. Right-click NAP client settings in the details pane, and then click Edit.
  5. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then locate System Services.
  6. Click System Services, and then double-click Network Access Protection Agent in the details pane.
  7. Click to select Define this policy setting, click Automatic, and then click OK.
  8. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Network Access Protection, expand NAP Client Configuration, and then locate Enforcement Clients.
  9. Click Enforcement Clients, right-click IPsec Relying Party in the details pane, and then click Enable.
  10. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Network Access Protection, expand Health Registration Settings, and then locate Trusted Server Groups.
  11. Right-click Trusted Server Groups, and then click New.
  12. In the New Trusted Server Group dialog box, type Trusted HRA Servers, and then click Next.
  13. In the Add URLs of the health registration authority that you want the client to trust text box, type https://servername.domainname/domainhra/hcsrvext.dll, click Add, and then click Finish.
  14. Close Group Policy Management Editor.
  15. Right-click NAP client settings, and then click Enable.
  16. Restart your computer.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

Health Registration Authority (HRA) discovery by Network Access Protection (NAP) clients

NAP clients must be able to discover the location of HRAs on the intranet before they start the health evaluation process of an IPsec NAP enforcement. This automated discovery process can occur by one of the following methods:
  • Trusted server groups configuration in Group Policy

    You can configure trusted server groups from the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\Health Registration Settings\Trusted Server Groups node in a local or Active Directory-based Group Policy setting.
    To configure trusted server groups, you can also use one of the following methods:
    • The NAP Client Configuration snap-in
    • The netsh nap client add|set|delete trustedservergroup command
    • The netsh nap client add|set|delete server command
    The trusted server group is an ordered list of URLs that corresponds to the locations of the HRAs.
  • The DNS SRV record for HRAs

    A NAP client that uses the IPsec Relying Party enforcement client can perform a DNS query for SRV records for the FQDN _hra._tcp.site_name._sites.domain_name record to discover the location of HRAs on the intranet.
    A NAP client that runs Windows Server 2008, Windows Vista SP1, or Windows XP SP3 and uses the IPsec Relying Party enforcement client queries for the HRA SRV records if the following conditions are true:
    • No trusted server group is configured.
    • The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups\EnableDiscovery registry value (DWORD type) is set to 1.
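
The discovery rules above, as an added PowerShell example that is not part of the original article: it flags malformed HRA URLs in a trusted server group and reports whether the client would use the group or the DNS SRV lookup. The function name, its parameters, the host names, and the site and domain names are assumptions made for illustration.

```powershell
# Added example. Get-NapHraDiscoveryPlan and its parameters are hypothetical names.
function Get-NapHraDiscoveryPlan {
    param(
        [string[]]$TrustedServerUrls = @(),  # ordered HRA URLs of the trusted server group
        [int]$EnableDiscovery = 0,           # EnableDiscovery DWORD; 0 when the value is absent
        [string]$SiteName,
        [string]$DomainName
    )
    # Entries that are not well-formed absolute http(s) URLs, for example a URL
    # that contains a stray space, are reported as invalid.
    $invalid = @($TrustedServerUrls | Where-Object {
        -not [System.Uri]::IsWellFormedUriString($_, [System.UriKind]::Absolute) -or
        @('http', 'https') -notcontains ([System.Uri]$_).Scheme
    })
    $method = 'None'
    $srvName = $null
    if ($TrustedServerUrls.Count -gt 0) {
        # Per the article, the SRV lookup happens only when no group is configured.
        $method = 'TrustedServerGroup'
    } elseif ($EnableDiscovery -eq 1) {
        $method = 'DnsSrv'
        $srvName = '_hra._tcp.{0}._sites.{1}' -f $SiteName, $DomainName
    }
    New-Object PSObject -Property @{
        Method = $method; SrvRecord = $srvName; InvalidUrls = $invalid
    }
}

# Read the discovery flag from the registry value named in the article.
$key = 'HKLM:\System\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups'
$reg = Get-ItemProperty -Path $key -Name EnableDiscovery -ErrorAction SilentlyContinue
$flag = 0
if ($reg) { $flag = [int]$reg.EnableDiscovery }

# Constructed sample input: the first URL contains a space, the second is clean.
$urls = @('https://hra1.corp.example /domainhra/hcsrvext.dll',
          'https://hra2.corp.example/domainhra/hcsrvext.dll')

# Case 1: a group is configured, so its entries are checked and SRV is not used.
Get-NapHraDiscoveryPlan -TrustedServerUrls $urls -EnableDiscovery $flag
# Case 2: no group is configured, so the registry flag decides whether SRV is queried.
Get-NapHraDiscoveryPlan -EnableDiscovery $flag -SiteName 'Default-First-Site-Name' -DomainName 'corp.example'
# Current state of the Network Access Protection Agent service.
Get-Service -Name napagent -ErrorAction SilentlyContinue | Select-Object Name, Status
```

In the first call the URL with the embedded space appears under InvalidUrls while Method stays TrustedServerGroup, which shows that a malformed entry is not covered by the DNS SRV lookup.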

Properties

Article ID: 954373 - Last Review: October 20, 2009 - Revision: 1.0
APPLIES TO
  • Windows Vista Service Pack 1, when used with:
    • Windows Vista Business 64-bit Edition
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Ultimate