Re: SSL Publishing issue (error 500 Target principal name is incorrect - 2146893022)



After much banging head against walls, and getting so confused my brain
needed a heatsink, I seem to have solved it!

I am still using the wildcard cert externally, but on the internal web
servers I have assigned a cert with their internal FQDN and changed the ISA
rule to fwd to the internal FQDN (and enabled fwd'ing of original host
header)...

Now it works perfectly...
I would say that this config is wrong, but it can't be - it works, it would
make more sense for the DNS to be consistent through the entire process and
the same cert to be used. Now I have more complicated config, and more certs
to renew.... But, at least only one public cert is required, which will keep
the costs down when we are ready to move into production...

Now to add OWA and 2 SPS Portals into the SSL mix... I suspect a bumper pack
of aspirin may be required!!


"MattG" <email@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OfVbMyB2FHA.268@xxxxxxxxxxxxxxxxxxxxxxx
> I am having some issues publishing my SSL sites via ISA 2004.
>
> My aim is to have 2 SSL sites published through ISA. I intend to use basic
> auth and will make a choice over having a pop-up authentication box (auth
> at ISA or IIS) or customise the UI of the ISA OWA forms auth at a later
> stage (after I've got it working!)...
>
>
> Test environment info:
>
> ISA01 - ISA2004 (std) SP1 on dual homed server (win2k3 std SP1), server is
> a domain member. NIC1 is internal network (10.10.10.0/24), NIC2 is
> perimeter network (192.168.123.0/24).
>
> Web01 - IIS on win2k3 server (std sp1). Single NIC on internal LAN. Site
> is currently only hosting a html page saying "hello1".
>
> Web02 - IIS on separate win2k3 (std sp1). Single NIC on internal LAN. Site
> is currently only hosting a html page saying "hello2".
>
> Steps taken thus far:
>
> Thinking I had better start by taking little steps, I created http
> publishing rules to publish site1.domain.com to
> web01.internaldomain.local, and the same for site2.domain.com to
> web02.internaldomain.local.
> My internal DNS servers host the domain.com zone for the internal network
> (as well as the AD zone internaldomain.local), externally the zone is
> hosted by the ISP, externally 'site1' and 'site2' are CNAMES pointing to
> host01.domain.com which resolves to the public IP. Internally they are A
> records pointing to the internal IPs.
> The ISA server uses internal DNS servers for name resolution. It has static
> IPs on both interfaces and no gateway on the internal network, and no DNS
> on the perimeter.
> All web servers are physically on the internal network, the perimeter
> network consists only of the second interface to the ISA server and the
> second interface on the router. It only exists as my initial reading up on
> ISA showed me to give it 2 interfaces, and it does make sense for it to
> have 2...
> The router is configured to NAT all incoming http and https requests onto
> the perimeter interface of the ISA server.
>
> I created host file entries on the test machine (my home machine actually,
> to test the ISA from outside) and all is working as expected thus far.
> http://site1.domain.com shows "hello1" and http://site2.domain.com shows
> "hello2".
>
> I then enabled basic auth on both sites and retested (no ISA changes), and
> everything still worked (internally and externally).
>
> I created a web server certificate on my internal CA with the common name
> "*.domain.com" (I only have one public IP and therefore need to use a
> wildcard cert in ISA in order to publish 2 SSL sites off the one IP),
> exported as PFX and imported onto both web servers and the ISA server.
> I assigned the cert to the sites on the web servers and used the default
> port (443) on each.
> Internally accessing the sites using https://site1.domain.com (and site2)
> works fine.
> I also imported my root cert onto my test machine (home PC) so all certs
> issued by this CA are trusted, to avoid cert warnings about them not being
> verifiable up to a trusted publisher.
>
> I then created secure web server publishing rules and a web listener for
> HTTPS, I assigned the web listener the cert used before, and with the
> following exceptions the rules for SSL and HTTP are identical:
>
>          HTTP    SSL
> Port     80      443
> Cert     N/A     *.domain.com
>
> I selected the following during the secure web server wizard:
>
> SSL Bridging, Allow, Secure connection to clients and web server, fwd host
> header.
>
> The external FQDNs are now resolved in the hosts file on the ISA server
> to the internal IPs to rule out a DNS issue.
>
>
> Neither secure site works externally, and I am not prompted for
> credentials.
> Error: 500 Internal server error. Target principal name is incorrect
> (-2146893022)
>
> The error is the same for both sites.
>
> If I "IISRESET /STOP" the web servers I get a different error: 10061
> connection refused. So it looks like the traffic is reaching IIS and
> ISA/IIS can't agree/negotiate, but there is nothing in the IIS logs for a
> connection coming from either the ISA server or the outside world on 443.
> I then tested the sites from the ISA server and found that unless I added
> a rule to allow http and https it didn't work, having added a rule to
> allow from "local host" to "all networks" the sites work both on 80 and
> 443. I then changed the rule to allow http/https from "all" to "all" but
> it made no difference...
> Thinking it may be a routing issue (the web servers would normally route
> out via the internal network) I set the gateways to be the internal
> interface on the ISA server, and then no gateway at all as neither setting
> made any difference. And nor should it as the HTTP publishing works...
>
> I have seen quite a few posts regarding the error after upgrading SBS, or
> changing certs, and have followed the steps that seemed relevant to my
> scenario and am no further forward.
>
>
> I would really appreciate any help any of you can offer as I am at a
> complete loss as to why this doesn't work...
> I hope my ramblings above give you enough info, but if I haven't given
> enough please ask!
>
>
> --
>
>
> MattG
> MCP (Windows XP)
> MCP (Windows Server 2003)
>
>
>
>
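The name mismatch behind the error, as an added example that is not part of the thread: with SSL bridging, ISA opens its own TLS session to the web server and validates the server certificate against the host name the publishing rule forwards to, so a "*.domain.com" certificate on IIS cannot satisfy a rule that forwards to web01.internaldomain.local, while a certificate issued to the internal FQDN (Matt's fix) or a rule that forwards to the public name can. The rule dictionaries and function names are constructed for illustration, and the matching logic is the standard TLS client wildcard rule, not ISA's own code.

```python
# Error code the thread reports: SChannel's SEC_E_WRONG_PRINCIPAL (0x80090322).
WRONG_PRINCIPAL = -2146893022


def _label_matches(pattern_label, host_label):
    """Match one DNS label; '*' must stand alone (no 'web*' forms)."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def hostname_matches_cert(forward_to, cert_names):
    """True if the name the proxy forwards to is covered by one of the
    certificate's names (CN or SAN DNS entries). Standard client rules:
    case-insensitive, wildcard only in the left-most label, never spanning
    a dot, so '*.domain.com' covers 'site1.domain.com' but neither
    'web01.internaldomain.local' nor 'a.b.domain.com'."""
    host = forward_to.rstrip(".").lower().split(".")
    for name in cert_names:
        pat = name.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue
        if "*" in pat[1:] or (pat[0] == "*" and len(pat) < 3):
            continue  # reject '*.com' and wildcards in non-leading labels
        if all(_label_matches(p, h) for p, h in zip(pat, host)):
            return True
    return False


def bridging_check(rule):
    """Simulate the name check a bridging proxy performs on the back-end
    certificate. Returns (ok, detail); detail mirrors the thread's error."""
    if hostname_matches_cert(rule["forward_to"], rule["backend_cert_names"]):
        return True, "OK"
    return False, ("500 Internal server error. Target principal name is "
                   f"incorrect ({WRONG_PRINCIPAL})")


# Constructed publishing rules using the thread's host names (hypothetical).
BROKEN = {"forward_to": "web01.internaldomain.local",  # internal name
          "backend_cert_names": ["*.domain.com"]}       # wildcard on IIS
FIXED = {"forward_to": "web01.internaldomain.local",
         "backend_cert_names": ["web01.internaldomain.local"]}  # Matt's fix
ALT = {"forward_to": "site1.domain.com",   # public name resolved internally
       "backend_cert_names": ["*.domain.com"]}

if __name__ == "__main__":
    for label, rule in (("broken", BROKEN), ("fixed", FIXED), ("alt", ALT)):
        print(label, bridging_check(rule))
```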




