Verify IIS Configuration
Applies To: Windows Server 2008, Windows Server 2012
Use this procedure to verify that Internet Information Services (IIS) is running and configured correctly on your Health Registration Authority (HRA) server. IIS Web sites are used by HRA to process client health certificate requests.
For more information about IIS, see http://go.microsoft.com/fwlink/?LinkId=94386.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Verify availability of DomainHRA and NonDomainHRA Web sites
Two Web sites can be created on your HRA server, depending on the choices you make during the installation of HRA. These sites are used by HRA to process domain-authenticated or anonymous health certificate requests. After installation, no additional configuration of these Web sites is required. However, if IIS is not running or is not correctly configured, HRA might not be able to issue health certificates.
To verify availability of DomainHRA and NonDomainHRA Web sites
Click Start, click Administrative Tools, and then click Services.
In the Services window, verify that the World Wide Web Publishing Service is Started and that its Startup Type is set to Automatic.
Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the Internet Information Services (IIS) Manager window, double-click the computer name of your HRA server.
Double-click Web Sites, and then double-click Default Web Site.
Verify that both the DomainHRA and NonDomainHRA Web sites are displayed if you chose to allow anonymous requests for health certificates during the installation of HRA.
Verify that only the DomainHRA Web site is displayed if you chose to require requestors to be authenticated as members of a domain during the installation of HRA.
Click DomainHRA, and then double-click Authentication. Verify that only Windows Authentication is enabled.
If the NonDomainHRA Web site is installed, click NonDomainHRA, and then double-click Authentication. Verify that only Anonymous Authentication is enabled.
Click the computer name of your HRA server, and then double-click ISAPI and CGI Restrictions. Verify that the hcsrvext.dll extension is set to Allowed.
If anonymous health certificate requests are enabled, you must not configure the NonDomainHRA Web site URL with a higher processing order than the DomainHRA Web site in trusted server group settings on NAP client computers. This can result in domain-joined NAP clients obtaining health certificates that are incompatible with domain authentication requirements used in IPsec-protected communications.