Understanding HRA Authentication Requirements

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

During the installation of Health Registration Authority (HRA), you are given the option to configure HRA to issue health certificates only to clients that are authenticated to the domain, or additionally to anonymous clients. If you choose to allow anonymous requests for health certificates, two IIS Web sites are created:

  • DomainHRA

    Internet Information Services (IIS) authentication settings on this site have Windows authentication enabled. All other authentication methods are disabled.

  • NonDomainHRA

    IIS authentication settings on this site have Anonymous authentication enabled. All other authentication methods are disabled.

If you choose to require that only authenticated members of the domain are granted the ability to receive health certificates, then only the DomainHRA Web site is created.

These Web sites host an IIS Internet Server Application Programming Interface (ISAPI) extension that processes HTTP/HTTPS requests, evaluates health using Network Policy Server (NPS), and issues health certificates using a certification authority (CA).
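The following PowerShell script is an added example, not part of the original article, that audits the IIS authentication settings of the two HRA sites against the configuration described above: exactly one method enabled per site, all others disabled. It assumes the default site names DomainHRA and NonDomainHRA and that the WebAdministration module is installed on the HRA server.

```powershell
# Added example (not part of the original article): audit the IIS authentication
# settings of the two HRA sites. Assumes the default site names DomainHRA and
# NonDomainHRA and that the WebAdministration module is installed.
Import-Module WebAdministration

$authPath = 'system.webServer/security/authentication'
$methods  = @(
    'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication',
    'windowsAuthentication', 'clientCertificateMappingAuthentication',
    'iisClientCertificateMappingAuthentication'
)

# Documented state: exactly one method enabled per site, all others disabled.
$expected = @{
    DomainHRA    = 'windowsAuthentication'
    NonDomainHRA = 'anonymousAuthentication'
}

function Get-AuthEnabled {
    param([string]$Site, [string]$Method)
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
               -Filter "$authPath/$Method" -Name enabled -ErrorAction Stop
    # Depending on the IIS version the cmdlet returns a bare [bool] or a
    # ConfigurationAttribute whose .Value holds the bool; accept both.
    if ($raw -is [bool]) { return $raw }
    return [bool]$raw.Value
}

foreach ($site in $expected.Keys) {
    if (-not (Test-Path "IIS:\Sites\$site")) {
        # NonDomainHRA only exists if anonymous requests were allowed at install time.
        Write-Warning "Site '$site' not found."
        continue
    }
    foreach ($m in $methods) {
        try   { $enabled = Get-AuthEnabled -Site $site -Method $m }
        catch { Write-Warning "$site/$m : cannot read ($($_.Exception.Message))"; continue }
        $want = ($m -eq $expected[$site])
        if ($enabled -eq $want) {
            Write-Output ("{0,-13} {1,-42} enabled={2} (OK)" -f $site, $m, $enabled)
        } else {
            Write-Warning ("{0} {1} enabled={2}, expected {3}" -f $site, $m, $enabled, $want)
            # To enforce the documented state, remove the comment below.
            # Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter "$authPath/$m" -Name enabled -Value $want
        }
    }
}
```

Run it in an elevated PowerShell session on the HRA server. A warning for the NonDomainHRA site simply means anonymous requests were not enabled at install time; a warning for anonymousAuthentication being enabled on DomainHRA is the finding that matters, because it would let unauthenticated clients obtain health certificates through the site that is supposed to require domain credentials.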

Important

If anonymous certificate requests are allowed, you should configure trusted server groups on NAP clients so that the URL for authenticated certificate requests (the DomainHRA site) appears earlier in the ordered list of URLs than the URL for anonymous requests (the NonDomainHRA site). The client tries the URLs in that order, so this helps to ensure that domain members that pass health checks obtain their certificate from the authenticated site rather than being issued an anonymous health certificate.
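As an added example, not part of the original article, the following commands configure a NAP client's trusted server group locally with netsh so that the authenticated URL is tried before the anonymous URL. The host name hra.corp.contoso.com, the group name HRAServers, and the hcsrvext.dll path of the HRA ISAPI extension are assumptions; adjust them to your deployment.

```powershell
# Added example (not part of the original article): build a NAP client trusted
# server group that prefers the authenticated HRA URL. Host name, group name and
# the hcsrvext.dll path are assumptions about the deployment.
$hraHost   = 'hra.corp.contoso.com'
$groupName = 'HRAServers'

# requirehttps=enable rejects any URL in the group that does not start with https://,
# so a downgraded http:// URL cannot be slipped into the list later.
netsh nap client add trustedservergroup name=$groupName requirehttps=enable

# A lower processingorder is tried first: the DomainHRA (Windows authentication)
# URL gets order 1, the NonDomainHRA (anonymous) URL gets order 2.
netsh nap client add server group=$groupName url="https://$hraHost/DomainHRA/hcsrvext.dll" processingorder=1
netsh nap client add server group=$groupName url="https://$hraHost/NonDomainHRA/hcsrvext.dll" processingorder=2

# Display the resulting group so the order can be verified.
netsh nap client show trustedservergroup
```

Note that local netsh settings are ignored on a client that receives NAP client configuration through Group Policy; in that case the same ordered list has to be defined in the policy's Health Registration Settings, and `netsh nap client show grouppolicy` shows what the client actually applies.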

Certificates for SSL encryption

IIS can use Secure Sockets Layer (SSL) to encrypt communications with NAP client computers. If you enable SSL, remote clients must access your site by using URLs that start with https://, and your IIS server must be provisioned with an SSL certificate. Requirements for this SSL certificate are:

  • The certificate must be in either the local computer certificate store or the current user certificate store.

  • The current system time must fall within the certificate's validity period: after the Valid from property and before the Valid to property of the certificate.

  • The certificate must be meant for server authentication. This requires the Enhanced Key Usage property of the certificate to specify Server Authentication (1.3.6.1.5.5.7.3.1).

If you import an existing certificate for use with SSL encryption during installation of the HRA role service, it is automatically added to the local computer certificate store. You can also create a self-signed certificate or install a certificate for SSL encryption later.
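The following script is an added example, not part of the original article, that checks every certificate in the local computer's personal store against the requirements listed above (validity period and the Server Authentication EKU). It examines only the local computer store because that is the store from which an IIS HTTPS binding reads its certificate, and it additionally reports certificates without a private key, which cannot be used for an SSL binding even though the list above does not mention it. The commented binding commands at the end and the thumbprint placeholder are assumptions for illustration.

```powershell
# Added example (not part of the original article): test certificates in the
# local computer store against the HRA SSL certificate requirements.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as stated above

function Test-HraSslCertificate {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now      = Get-Date
    $problems = @()

    # Requirement: current time after Valid from (NotBefore) and before Valid to (NotAfter).
    if ($now -lt $Cert.NotBefore) { $problems += "not yet valid (NotBefore $($Cert.NotBefore))" }
    if ($now -gt $Cert.NotAfter)  { $problems += "expired (NotAfter $($Cert.NotAfter))" }

    # Requirement: Enhanced Key Usage must list Server Authentication.
    $eku = $Cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
           Select-Object -First 1
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $serverAuthOid) { $problems += "EKU lacks Server Authentication ($serverAuthOid)" }

    # Additional practical check (beyond the article's list): IIS needs the private key.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (cannot serve SSL)' }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# IIS HTTPS bindings use the local computer personal store, so only that store is scanned.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-HraSslCertificate -Cert $_ } |
    Format-Table -AutoSize

# Once a usable certificate is identified, it can be bound to the HRA site with
# the WebAdministration module (thumbprint placeholder is an assumption):
# Import-Module WebAdministration
# $thumb = '<thumbprint of a certificate reported as Usable=True>'
# New-WebBinding -Name 'DomainHRA' -Protocol https -Port 443
# Get-Item "Cert:\LocalMachine\My\$thumb" | New-Item 'IIS:\SslBindings\0.0.0.0!443'
```

A self-signed certificate created on the server will pass these checks but is trusted only by clients that have its public certificate installed, so for production HRA deployments a certificate issued by a CA that NAP clients already trust is the practical choice.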

Additional references