500 target principal name Error w/ FBA and wildcard cert
500 target principal name Error w/ FBA and wildcard cert - 9.Mar.2006 1:31:06 AM
kenisswell
Posts: 29
Joined: 31.Dec.2005
Status: offline
OK, I am getting the "500 Internal Server Error – The target principal name is incorrect" error. I think this is related to the use of the same wildcard certificate on my ISA and my Exchange FE but I am not sure. I thought that issue was resolved. *If this is because I use the same certificate on my ISA and my Exchange FE, could someone explain if I can use my (expensive) wildcard cert on the ISA but then use a (free) self signed cert on the Exchange FE?

Here is my set up:
- ISA 2004 with SP1.
- Back-end Exchange 2003 SP2, on W2k3 SP1
- Front-end Exchange 2003 SP2 on W2k3. (HTTP is set to use FBA with high compression)
- Currently my OWA (using FBA, SSL w/ my wildcard certificate) is working directly through another firewall, not yet going through my ISA firewall. This resolves with mail.mydomain.com (notice it is not mail2). Works fine.
- I have a wildcard certificate issued from a trusted public CA (*.mydomain.net)
- I have an external DNS record with mail.mydomain.net pointing to the working OWA (using old firewall)
- I have a second external DNS record with mail2.mydomain.net pointing to the new ISA server
- I have an internal DNS record with mail.mydomain.net pointing to the working OWA FE server internal IP
- I have a second internal DNS record with mail2.mydomain.net pointing to the same working OWA FE server (same IP as above)
- My ISA server resolves mail2.mydomain.net to the correct internal IP of my OWA FE server.

I have published my OWA site on my ISA 2004.
Public Name - websites - mail2.mydomain.net
Bridging - Web server checked
- Redirect request to SSL - 443
- Unchecked - Use a certificate to authenticate to the SSL web server
Users Traffic TO - points to mail2.mydomain.net;
- checked "Forward the original host header..."
- Request comes from ISA server
Listener - Networks External
- Enable SSL 443
- Certificate = *.mydomain.net
- Authentication

When connecting to https://mail2.mydomain.net (from external), clients get this error: "500 Internal Server Error – The target principal name is incorrect". If I change my ISA server to use 'requests appear to come from client' on the TO tab then it seems to time out and clients get Error Code: 404 Not Found.
< Message edited by kenisswell -- 9.Mar.2006 2:03:38 AM >
RE: 500 target principal name Error w/ FBA and wildcard... - 9.Mar.2006 9:00:08 AM
kenisswell
Posts: 29
Joined: 31.Dec.2005
Status: offline
OK, I believe I have resolved my own dilemma. My issue was finally resolved with two main steps.
1) Use a "self signed" certificate on my ISA-to-OWA FE server connection. (I am still using my wildcard cert on my external-to-ISA side.)
2) Turn off Forms based authentication on my OWA FE server. (along with some IIS restarts)

My ISA server's OWA web publishing rule is now operational. It appears that I still cannot use the same wildcard certificate on both sides of the ISA server (i.e. Client <> ISA and ISA <> OWA server). I thought someone said it was resolved. While it is true that Tom does mention that he uses separate certificates in one of his articles on Publishing Multiple Web Sites using a Wildcard Certificate in ISA Server 2004 (http://www.isaserver.org/tutorials/2004wildcardcert.html), it was tough to find info on this subject. The specifics of this whole subject were hard to find and also it seems like that is a bad design.

*Note. Unfortunately I was hoping to have it working side by side with my old OWA configuration for a while, while I tested it. Now since I had to turn off FBA on my OWA FE I don't really have that option. I would like to test this side by side so I suppose I could set up an entirely new Exchange OWA FE server for testing with the ISA server but that's a lot of work. Maybe I could create a second Exchange Virtual Server on my OWA server but I am not sure if that would work or how exactly to do that. ???
< Message edited by kenisswell -- 9.Mar.2006 9:01:58 AM >
RE: 500 target principal name Error w/ FBA and wildcard... - 12.Mar.2006 6:05:02 AM
jydavis226@yahoo.com
Posts: 3
Joined: 8.Feb.2006
Status: offline
Hi, I just posted a message where I am also getting the message "Error Code: 500 Internal Server Error. The target principal name is incorrect." Now this happened after I moved my SBS server from one location to another location where we rec'd new static IP addresses for the DSL line. So I changed all of that for the firewall (which is a Sonicwall) as it was set up before. Now we can get onto the server from w/in the network and also go out to the internet. But when the users try from home to get into https://xx.xxxxxxxx.com/exchange, that's when the message comes up. Now I know this has something to do with the actual certificate that was originally created (because it used to work). So do I have to re-create the certificate again? Now I did not create it before and I have no idea how to do that. Is there a way to modify that certificate? Is the certificate pointing to the old static IP address? Can you tell me what I am doing wrong or need to change? Thx. Jackie
RE: 500 target principal name Error w/ FBA and wildcard... - 24.Mar.2006 5:43:41 PM
adenhaan
Posts: 35
Joined: 15.Jul.2005
Status: offline
quote:
ORIGINAL: kenisswell
It appears that I still can not use the same wildcard certificate on both sides of the ISA server (i.e. Client <> ISA and ISA <> OWA server).

From http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx :

I am using wildcard certificates and getting the error: 500 Internet Server Error – The target principal name is incorrect.

ISA Server only supports wildcard certificates on the ISA Server computer. When using HTTPS to HTTPS bridging, you cannot use wildcard certificates to authenticate the back-end Web server. Instead, on the internal Web server, create a new certificate that matches the name of the internal Web server, as specified on the To tab in the Web publishing rule.
< Message edited by adenhaan -- 24.Mar.2006 5:46:31 PM >
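The rule quoted above (a wildcard certificate is fine on the ISA listener, but the back-end certificate must name the host on the rule's To tab exactly) can be turned into a pre-flight check before a bridged rule is published. The following Python script is an added example and is not code from this thread, from ISAserver.org or from Microsoft. The certificate names and host names in it are constructed to mirror kenisswell's setup, and the matching rule it applies (a `*` may stand only for one complete leftmost label) is the general X.509 wildcard convention, not something the thread spells out.

```python
"""Pre-flight check for an ISA Server 2004 HTTPS-to-HTTPS bridged publishing rule.

Added example, not from the thread. Given the DNS names a certificate carries
(CN plus any subjectAltName DNS entries), it answers two questions:
  * does the listener certificate cover the public name? (wildcard allowed)
  * does the back-end certificate cover the name on the rule's To tab with an
    exact, non-wildcard match? (what the quoted Microsoft note requires)
A failing second check is the configuration that produced the thread's
"target principal name is incorrect" error.
"""


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host name.

    Comparison is case-insensitive. A '*' is honoured only when it is the
    entire leftmost label and at least two labels follow it, so
    '*.mydomain.net' covers 'mail2.mydomain.net' but neither 'mydomain.net'
    nor 'a.b.mydomain.net'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def classify_coverage(cert_names, target_name) -> str:
    """Return 'exact', 'wildcard' or 'none' for how cert_names covers target_name."""
    if any(name_matches(n, target_name) for n in cert_names if "*" not in n):
        return "exact"
    if any(name_matches(n, target_name) for n in cert_names if "*" in n):
        return "wildcard"
    return "none"


def check_bridging_rule(listener_cert_names, public_name,
                        backend_cert_names, to_tab_name) -> dict:
    """Evaluate both hops of a bridged rule against ISA's certificate rules."""
    external = classify_coverage(listener_cert_names, public_name)
    internal = classify_coverage(backend_cert_names, to_tab_name)
    result = {
        "external_listener": external,
        "internal_bridge": internal,
        # Wildcard certificates are supported on the ISA listener itself.
        "external_ok": external in ("exact", "wildcard"),
        # Back-end authentication needs a certificate naming the To-tab host exactly.
        "internal_ok": internal == "exact",
    }
    if not result["internal_ok"]:
        result["advice"] = (
            f"issue the back-end web server a certificate whose subject is "
            f"'{to_tab_name}' instead of reusing the wildcard certificate there"
        )
    return result


if __name__ == "__main__":
    # Constructed names mirroring the thread: the same wildcard cert on both hops.
    broken = check_bridging_rule(["*.mydomain.net"], "mail2.mydomain.net",
                                 ["*.mydomain.net"], "mail2.mydomain.net")
    # Constructed names mirroring the fix: a per-host cert on the back-end hop.
    fixed = check_bridging_rule(["*.mydomain.net"], "mail2.mydomain.net",
                                ["mail2.mydomain.net"], "mail2.mydomain.net")
    for label, r in (("wildcard on both hops", broken), ("exact back-end cert", fixed)):
        print(f"{label}: external={r['external_listener']} "
              f"internal={r['internal_bridge']} "
              f"ok={r['external_ok'] and r['internal_ok']}")
        if "advice" in r:
            print("  ->", r["advice"])
```

The name to feed in as `to_tab_name` is whatever the rule's To tab says ISA should connect to, since that is the name ISA compares against the back-end certificate; the public name on the listener can still ride on the wildcard certificate, which is exactly the split kenisswell ended up with.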