Use this procedure to verify that Internet Information Services (IIS) is running and configured correctly on your Health Registration Authority (HRA) server. IIS Web sites are used by HRA to process client health certificate requests.

For more information about IIS, see https://go.microsoft.com/fwlink/?LinkId=94386.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

Verify availability of DomainHRA and NonDomainHRA Web sites

Two Web sites can be created on your HRA server, depending on the choices you make during the installation of HRA. These sites are used by HRA to process domain-authenticated or anonymous health certificate requests. After installation, no additional configuration of these Web sites is required. However, if IIS is not running or is not correctly configured, HRA might not be able to issue health certificates.

To verify availability of DomainHRA and NonDomainHRA Web sites
  1. Click Start, click Administrative Tools, and then click Services.

  2. In Services, verify that Started is displayed for World Wide Web Publishing Service and that its Startup Type is set to Automatic.

  3. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  4. In Internet Information Services (IIS) Manager, double-click the computer name of your HRA server.

  5. Double-click Web Sites, and then double-click Default Web Site.

    • Verify that both the DomainHRA and NonDomainHRA Web sites are displayed if you chose to allow anonymous requests for health certificates during the installation of HRA.

    • Verify that only the DomainHRA Web site is displayed if you chose to require requestors to be authenticated as members of a domain during the installation of HRA.

  6. Click DomainHRA, and then double-click Authentication. Verify that only Windows Authentication is enabled.

    If the NonDomainHRA Web site is installed, click NonDomainHRA, and then double-click Authentication. Verify that only Anonymous Authentication is enabled.

  7. Click the computer name of your HRA server, and then double-click ISAPI and CGI Restrictions. Verify that the hcsrvext.dll extension is set to Allowed.

Important

If anonymous health certificate requests are enabled, do not configure the NonDomainHRA Web site URL with a higher processing order than the DomainHRA Web site in trusted server group settings on NAP client computers. This can result in NAP clients that are domain members obtaining health certificates that are incompatible with domain authentication requirements used in IPsec-protected communications.
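The checks in steps 2, 5, 6, and 7 can also be read from Windows PowerShell. The following script is an added example, not part of the original procedure or of HRA itself. It assumes the WebAdministration module is available on the HRA server and that DomainHRA and NonDomainHRA are applications under Default Web Site, as shown in IIS Manager; the helper names New-Check and Get-EnabledAuth are hypothetical. The script only reads configuration and changes nothing.

```powershell
# Added example: read-only checks mirroring steps 2, 5, 6 and 7 of the procedure.
# Assumption: DomainHRA / NonDomainHRA are applications under "Default Web Site".
Import-Module WebAdministration

$site         = 'Default Web Site'
$expected     = @{ DomainHRA = 'windowsAuthentication'; NonDomainHRA = 'anonymousAuthentication' }
$authSections = 'anonymousAuthentication', 'basicAuthentication',
                'digestAuthentication', 'windowsAuthentication'

function New-Check($Name, $Pass, $Detail) {   # hypothetical helper: one result row
    New-Object psobject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

function Get-EnabledAuth([string]$App) {      # hypothetical helper
    # Emit the name of every IIS authentication section enabled for this application.
    foreach ($section in $authSections) {
        $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$App" `
            -Filter "system.webServer/security/authentication/$section" `
            -Name enabled -ErrorAction SilentlyContinue
        $on = if ($attr -is [bool]) { $attr } else { $attr.Value }
        if ($on) { $section }
    }
}

# Step 2: World Wide Web Publishing Service is started and set to Automatic.
$svc      = Get-WmiObject Win32_Service -Filter "Name='W3SVC'"
$svcCheck = New-Check 'W3SVC started, Automatic' `
    ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto') "$($svc.State)/$($svc.StartMode)"

# Steps 5 and 6: each installed site has exactly one authentication method enabled.
$appChecks = foreach ($app in 'DomainHRA', 'NonDomainHRA') {
    if (-not (Get-WebApplication -Site $site -Name $app)) {
        # NonDomainHRA is absent by design when anonymous requests were not allowed.
        New-Check "$app present" ($app -ne 'DomainHRA') 'not installed'
        continue
    }
    $enabled = @(Get-EnabledAuth $app)
    $ok = ($enabled.Count -eq 1 -and $enabled[0] -eq $expected[$app])
    New-Check "$app allows only $($expected[$app])" $ok ($enabled -join ',')
}

# Step 7: every hcsrvext.dll entry in ISAPI and CGI Restrictions is Allowed.
$isapi = @(Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/isapiCgiRestriction/add' |
    Where-Object { $_.path -like '*hcsrvext.dll*' })
$denied     = @($isapi | Where-Object { -not $_.allowed })
$isapiCheck = New-Check 'hcsrvext.dll Allowed' `
    ($isapi.Count -gt 0 -and $denied.Count -eq 0) "$($isapi.Count) entries, $($denied.Count) not allowed"

@($svcCheck) + @($appChecks) + @($isapiCheck) | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```

The script reads only the four IIS authentication sections listed in `$authSections`; any other method shown in the Authentication pane of IIS Manager still needs to be checked there.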
