HRA Discovery

Applies To: Windows Server 2008

To use NAP with the IPsec enforcement method, client computers must be configured with trusted server group settings. Trusted server groups provide a list of Health Registration Authority (HRA) servers that NAP clients use when they request a health certificate. There are three methods available to configure trusted sever groups on the NAP client:

  1. Local computer settings. You can use the NAP client configuration console or command line to configure NAP settings on the local computer. If NAP client settings are configured in Group Policy, the local computer NAP client settings will be ignored.
  2. Group Policy settings. You can use the Group Policy Management Console (GPMC) on a computer with the Group Policy Management feature installed to configure NAP client settings in Group Policy.
  3. HRA autodiscovery. You can configure NAP clients to automatically discover HRA servers. To enable HRA autodiscovery, you must configure NAP client registry settings and DNS services (SRV) records. In addition, you must clear the local computer or Group Policy trusted server group settings.

Note: If the client computer is not using the NAP IPsec enforcement method, you can disable HRA autodiscovery.


Event ID Source Message



The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from.
A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made.
Contact the HRA administrator for more information.



The Network Access Protection Agent has dynamically discovered the following HRAs for this network (using the query %1):
The DNS servers in your configuration at the time this discovery took place included:

IPsec Enforcement Client

NAP Infrastructure