When you set the CertDBCleanupInterval registry value to 0 on a Windows Server 2008-based computer, the functionality for cleaning up expired certificates is not disabled as expected

Article ID : 949473
Last Review : March 6, 2008
Revision : 1.0

SYMPTOMS

By default, the Network Access Protection Health Registration Authority (NAP HRA) tries to clean up expired certificates every five minutes on a Windows Server 2008-based computer. If the HRA does not have the required permissions to manage corporate certification authorities, a failure is logged in the System log after every cleanup attempt. The interval between these cleanup attempts is controlled by the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HCS\CertDBCleanupInterval

If you set the CertDBCleanupInterval value to 0, you expect the cleanup functionality to be disabled. Instead, several cleanup attempts per second are unexpectedly performed. This behavior generates several failure events per second in the System log. These failure events resemble the following:

Log Name: System
Source: HRA
Date: <date_time>
Event ID: 30
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <fqdn_of_server>
Description:
The Health Registration Authority was unable to connect to the Certification Authority to remove expired records. The Certification Authority <fqdn_of_certification_authority> denied the request with the following error: 0x80070005. Contact the Certification Authority administrator to check the permissions and for more information.
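The following PowerShell script is an added example and is not part of the Knowledge Base article. It checks, on the HRA server, whether CertDBCleanupInterval has been set to 0 and then counts HRA Event ID 30 errors in the System log per minute, so an administrator can tell the expected one-attempt-per-five-minutes pattern apart from the several-per-second burst described above. It assumes PowerShell 2.0 or later (for Get-WinEvent), that the script runs on the HRA computer itself, and that the event provider name matches the "HRA" source shown in the sample event; the 12-per-minute threshold is a chosen value, not one from the article.

```powershell
# Added example (not from the KB article). Assumes PowerShell 2.0+ and local execution on the HRA server.

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\HCS'
$valueName = 'CertDBCleanupInterval'

# Read the registry value; a missing value means the default (five-minute) interval applies.
$key = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($key -eq $null) {
    Write-Host "$valueName is not set; HRA uses the default five-minute cleanup interval."
} elseif ($key.$valueName -eq 0) {
    Write-Warning "$valueName is 0. On Windows Server 2008 this does not disable cleanup; HRA retries several times per second."
} else {
    Write-Host "$valueName = $($key.$valueName)"
}

# Count HRA Event ID 30 errors in the System log over the last 10 minutes, grouped per minute.
# ProviderName 'HRA' is assumed to match the 'Source: HRA' field of the sample event.
$since  = (Get-Date).AddMinutes(-10)
$filter = @{ LogName = 'System'; ProviderName = 'HRA'; Id = 30; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No HRA Event ID 30 entries since $since."
} else {
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
        Sort-Object Name |
        ForEach-Object {
            # With the default interval there is at most one failure per five minutes;
            # more than 12 in a single minute (a chosen threshold) indicates the burst behavior.
            $flag = if ($_.Count -gt 12) { '  <-- burst: check CertDBCleanupInterval' } else { '' }
            '{0}  {1,5} failure(s){2}' -f $_.Name, $_.Count, $flag
        }
}
```

Running this before and after changing the registry value shows whether the per-minute failure count drops back to the default rate; a value of 0 should be replaced with a non-zero interval rather than relied on to disable cleanup.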

MORE INFORMATION

Health Registration Authority (HRA) is a component of an NAP infrastructure that plays a central role in NAP IPsec enforcement. HRA obtains health certificates on behalf of NAP clients when they are verified as compliant with network health requirements. These health certificates authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet. If an NAP client does not have a health certificate, IPsec peer authentication fails. Therefore, the NAP client cannot communicate with other IPsec-protected computers on the network.

HRA is installed on a computer that is also running Network Policy Server (NPS) and Internet Information Services (IIS). If these services are not already installed, they will be added when you install HRA.


APPLIES TO
• Windows Server 2008 Datacenter without Hyper-V
• Windows Server 2008 Enterprise without Hyper-V
• Windows Server 2008 for Itanium-Based Systems
• Windows Server 2008 Standard without Hyper-V
• Windows Server 2008 Datacenter
• Windows Server 2008 Enterprise
• Windows Server 2008 Standard

Keywords: 
kbhowto kbinfo KB949473

 

Microsoft Knowledge Base Article

This article's contents are Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.

