The function of the System Health Validator point in Configuration Manager 2007 is to pass to the Network Policy Server a statement of health for a Configuration Manager client that it has validated as either compliant or non-compliant. If it is unable to do this because of an error condition, the System Health Validator point instead passes to the Network Policy Server a statement of health with a blank health status and one of four failure categories with an error code.

By default, all failure categories on the Network Policy Server equate to a health state of non-compliant. However, each failure category can be configured on the Configuration Manager System Health Validator on the Network Policy Server so that, for example, a failure on the System Health Validator point does not result in all clients having restricted network access.

If the failure is on the client side so that the Configuration Manager Network Access Protection (NAP)-capable client is unable to evaluate its compliance status, the client sends either a Client Component Failure Category or a Client Communication Failure Category in its statement of health to the System Health Validator point, with a failure error code. The System Health Validator point verifies that the failure error code matches one of its known client failure error codes, and then passes the statement of health unchanged to the Network Policy Server. If there is no match on the System Health Validator point for the particular failure error code, the System Health Validator point sets the compliance state as "Invalid" and passes this to the Network Policy Server. Again, by default, this is mapped to a health state of non-compliant on the Network Policy Server.

If the failure is on the server side so that the System Health Validator point is unable to validate a client statement of health that has a known compliance status, the compliance status is removed from the client statement of health and instead a Server Component Failure Category or a Server Communication Failure Category is added before the statement of health is passed to the Network Policy Server. The server failure is also sent to the client, which logs the error (but otherwise takes no action).

As well as being passed to the Network Policy Server, these failures are logged on both the client (in the file SMSSha.log) and the System Health Validator point (SmsSHVQuarValidator.log). The failures are also logged in the Application event log on the Network Policy Server and raised as Configuration Manager status messages.

Client Failure Categories and Errors

The following table lists the possible client failure error codes (with descriptions) that will be validated and passed to the Network Policy Server if the Configuration Manager NAP-capable client is unable to evaluate its compliance status. These error codes reside in the registry on the System Health Validator point under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMSSHV\Settings\ClientFragility. You can manually add your own error codes into the registry with your choice of description. You do not need to restart the service SMS_SYSTEM_HEALTH_VALIDATOR for these new error codes to be used by the System Health Validator point.

Failure Description                        Failure Error Code (hexadecimal)
AD Not Accessible                          80040301
Assigned MP Refresh Failed                 80040300
Bad Client Certificate                     80040305
Bad Server Certificate                     80040304
Client Health Evaluation Internal Error    80040246
Client Not Assigned                        80040302
Internal Location Error                    80040303
Message Verification Failed                80040309
Proxy MP Refresh Failed                    80040307
Resident MP Refresh Failed                 80040308
Server Unreachable                         80040306
SHA not yet initialized                    80270007
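Because the ClientFragility key is what decides whether a client-reported failure code is passed through as a known failure or downgraded to "Invalid", an administrator auditing a System Health Validator point will want to know which entries are the documented defaults and which were added locally. The following PowerShell script is an added example, not part of the original documentation or of Configuration Manager; it assumes the key path named above and, since the page does not state the exact value layout, checks both the value name and the value data for the hexadecimal code.

```powershell
# Added example (not from the original documentation): inventory the client failure
# error codes registered on a System Health Validator point and flag any entry that is
# not in the documented default table. ASSUMPTIONS: the key path is the one named in the
# text; each registry value carries the hexadecimal code either as its name or as its
# data (string or DWORD), so both are normalised and checked.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SMSSHV\Settings\ClientFragility'

# Default client failure codes taken from the documentation table above (hexadecimal).
$DocumentedCodes = @{
    '80040301' = 'AD Not Accessible'
    '80040300' = 'Assigned MP Refresh Failed'
    '80040305' = 'Bad Client Certificate'
    '80040304' = 'Bad Server Certificate'
    '80040246' = 'Client Health Evaluation Internal Error'
    '80040302' = 'Client Not Assigned'
    '80040303' = 'Internal Location Error'
    '80040309' = 'Message Verification Failed'
    '80040307' = 'Proxy MP Refresh Failed'
    '80040308' = 'Resident MP Refresh Failed'
    '80040306' = 'Server Unreachable'
    '80270007' = 'SHA not yet initialized'
}

function Get-ClientFragilityAudit {
    param([string]$Path = $KeyPath)

    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name)
        # A DWORD such as 0x80040301 comes back as a negative Int32; X8 prints its 32-bit hex form.
        $data = if ($raw -is [int]) { '{0:X8}' -f $raw } else { [string]$raw }
        # Normalise both fields: drop an optional 0x prefix and upper-case the digits.
        $candidates = @($name, $data) | ForEach-Object { ($_ -replace '^0x', '').ToUpperInvariant() }
        $code = $candidates | Where-Object { $DocumentedCodes.ContainsKey($_) } | Select-Object -First 1
        [pscustomobject]@{
            ValueName  = $name
            ValueData  = $data
            Documented = [bool]$code
            KnownAs    = if ($code) { $DocumentedCodes[$code] } else { '<not in default table - review>' }
        }
    }
}

# Run on the System Health Validator point; undocumented (locally added) entries sort first.
Get-ClientFragilityAudit | Sort-Object Documented | Format-Table -AutoSize
```

Entries reported as not documented are the ones added by hand as the text permits; confirm each against change records, since any code listed here is passed to the Network Policy Server as a known client failure rather than as "Invalid".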

Server Failure Categories and Codes

If the System Health Validator point is unable to retrieve the Configuration Manager health state reference from Active Directory Domain Services (for example, because the schema is not extended or the information has not yet replicated), the compliance status in the statement of health is changed to "unknown" rather than setting it to a blank value with a server category failure. This scenario falls under the category of SHA vendor specific error code received on the Network Policy Server, and it is also, by default, configured as non-compliant.

However, once the health state reference is successfully retrieved, the System Health Validator point can encounter a number of different errors that prevent validation from succeeding. Many are standard Microsoft Windows errors and independent from Configuration Manager, with examples being out of memory, name resolution failure, and network path not found. The System Health Validator point generates just one failure error when it is unable to validate the statement of health. The Application event log on the Network Policy Server computer should be used to determine the cause of this failure.

Failure Description                        Failure Error Code (hexadecimal)
System Health Validation point failure     8ABC0404
