HRA Server Role

Applies To: Windows Server 2008

Health Registration Authority (HRA) is responsible for validating client credentials and then forwarding a certificate request to a certification authority (CA) on behalf of Network Access Protection (NAP) clients. HRA validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. NAP clients use health certificates to communicate on an IPsec-protected network.


The following is a list of all aspects that are part of this managed entity:

Name Description

HRA Status

HRA uses an Internet Information Services (IIS) worker process, w3wp.exe, to issue health certificates when a NAP client initiates a connection. If the process is idle for several minutes, it is terminated and remains stopped until it is called again.

The w3wp.exe process cannot start if HRA does not have a valid configuration or adequate physical resources.

Local Request Processing

Health Registration Authority (HRA) uses an HTTP/HTTPS interface to read and process Network Access Protection (NAP) client health certificate requests. This interface can be configured with custom settings, called request policy, that require NAP client computers to use specified security methods when communicating with HRA.

By default, HRA is configured to allow client computers to use any of the available request policy methods. You can also specify custom settings. If you configure a custom request policy on HRA, you must ensure that NAP clients use these security methods to request health certificates.

Remote Request Processing

Health Registration Authority (HRA) requires a connection to Network Policy Server (NPS) for validation of Network Access Protection (NAP) client health status. In a domain environment, HRA also requires a connection to the Active Directory global catalog for authentication of client credentials.
