Understanding HRA Request Policy
Updated: March 29, 2012
Applies To: Windows Server 2008, Windows Server 2012
You can use the Health Registration Authority (HRA) snap-in to specify the security mechanisms that the HRA server uses to communicate with client computers. These settings, known as request policy settings, determine which asymmetric key algorithm, hash algorithm, and cryptographic service provider (CSP) the HRA server uses to encrypt communication with client computers. If you specify request policy settings using the HRA snap-in, the HRA server will use only these security mechanisms to communicate with client computers.
You do not need to configure request policy settings on your HRA server. By default, a NAP-capable client computer initiates a negotiation process with a HRA server using a mutually acceptable default security mechanism for encrypting communication. You should not modify request policy settings unless you have thoroughly tested your request policy settings in a secure test environment.
If you configure request policy settings on your HRA server, you must configure identical request policy settings on your client computers. If your HRA servers are not configured to use exactly the same asymmetric key algorithm, hash algorithm, and CSP as your client computers, then your HRA servers will not be able to communicate with client computers. The client computers might be determined to be noncompliant, which will result in limited network connectivity.
You can configure HRA server request policy settings by specifying custom cryptographic policy. Cryptographic policy settings specify asymmetric key algorithms, hash key algorithms, and cryptographic service providers. For more information, see Configure HRA Cryptographic Policy.
Asymmetric key algorithms
Asymmetric key algorithms are also known as public key algorithms. Asymmetric algorithms are used to generate the asymmetric keys that are associated with client health certificate requests. Default settings allow any available algorithm to be accepted in communication between the HRA server and client computers. You can use the HRA snap-in to specify which algorithms in the list are allowed, and you can modify the minimum and maximum key lengths for these algorithms.
Hash key algorithms
Hash algorithms are also known as secure hash algorithms or hash functions. Hash algorithms are designed to perform a one-way operation on data, providing a unique output value that can be used for verification, but cannot be used to re-create the original data. Default settings support the use of any hash algorithm. You can use the HRA snap-in to specify which algorithms in the list are allowed.
Cryptographic service providers
Cryptographic service providers are hardware and software components of Windows operating systems that provide generic cryptographic functions. Each of the CSPs configured for use by HRA can support different algorithms, formats, and keys used for encryption and decryption. Default settings support the use of any CSP. You can use the HRA snap-in to specify which CSPs in the list are used.
You can configure HRA server request policy settings by specifying custom transport policy. Transport policy settings specify HTTP client user agents. For more information, see Configure HRA Transport Policy.
HTTP client user agents
HTTP client user agents are strings that specify the identity of HTTP/HTTPS client applications used to request health certificates from HRA. Any agent is allowed by default. You can use the HRA snap-in to specify the allowed user agents.