Configure Health Registration Settings

Applies To: Windows Server 2008, Windows Server 2012

You can use the NAP Client Configuration snap-in to specify the security mechanisms that a client computer uses to communicate with health registration authority (HRA) servers. In addition, you can use the NAP Client Configuration snap-in to specify the HRA servers with which a client computer can communicate. A client computer must communicate with an HRA server to obtain a health certificate. A health certificate is required for NAP with IPsec-based enforcement.

To specify which security mechanism a client uses to communicate with an HRA server, you must configure the request policy. The request policy specifies the asymmetric key algorithm, hash algorithm, and cryptographic service provider a client computer uses when it initiates communication with an HRA server. You can specify only one asymmetric key algorithm, hash algorithm, and cryptographic service provider on a client computer.

When you configure an asymmetric key algorithm, hash algorithm, or cryptographic service provider on the client, you must configure exactly the same request policy on the HRA server. For example, if you configure your clients to encrypt communication using only the Rivest-Shamir-Adelman (RSA) asymmetric key algorithm with a minimum key length of 128, then you must configure your HRA servers to accept communication that is encrypted with exactly the same asymmetric key algorithm and exactly the same minimum key length. If your HRA servers and client computers are not configured to use the same request policy, then your HRA servers will not be able to communicate with your client computers and your client computers could be deemed unhealthy and could have limited network connectivity. If you do not configure request policy settings on a client computer, the client computer initiates a negotiation process with the HRA using the default security mechanism for encrypting communication.


You should not modify request policy settings unless you have thoroughly tested your request policy settings in a secure test environment. Altering request policy settings can cause your client computers to lose network connectivity.

To specify which HRA servers you want a client computer to communicate with, you must configure a trusted server group. A trusted server group consists of one or more HRA servers. If you have more than one HRA server in a trusted server group, you can specify the order in which client computers attempt to contact the servers. This is useful if you have several HRA servers in different network segments or domains and you want to prioritize which servers a client attempts to access first. You must configure at least one trusted server group; otherwise, a client computer will not know how to contact an HRA server to obtain a certificate of health.

Configure NAP Client Request Policy

Configure Trusted Server Groups for NAP Clients

Additional references

NAP Client Configuration Overview

NAP Client Configuration Checklist