Welcome to ISAserver.org
SSL - 12.Feb.2002 6:48:00 PM
lcarson
Posts: 12
Joined: 12.Feb.2002
From: Brunswick, GA USA
Status: offline
We have an IIS server running behind ISA and are trying to implement SSL on a specific directory, but get the following error.
500 Internal Server Error - The certificate chain was issued by an untrusted authority. (-2146893019) Internet Security and Acceleration Server
The certificate is from our own MS standalone CA.
Help!

RE: SSL - 13.Feb.2002 4:32:00 PM
lcarson
Posts: 12
Joined: 12.Feb.2002
From: Brunswick, GA USA
Status: offline
Okay, the problem has changed. Hopefully this means I am making progress!
500 Internal Server Error - The target principal name is incorrect. (-2146893022) Internet Security and Acceleration Server
Your help is appreciated!

RE: SSL - 15.Feb.2002 5:04:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Larry,
Restart the servers and see if that helps. Also, make sure you are testing from an external network client.
HTH, Tom

RE: SSL - 15.Feb.2002 9:20:00 PM
lcarson
Posts: 12
Joined: 12.Feb.2002
From: Brunswick, GA USA
Status: offline
Here is what worked, so far, but we're not there yet!
Reissued the certificate with the NetBIOS name instead of FQDN. Now we get an error on the cert but can access the SSL site.
Now the goal is to get it to work with the FQDN so we can do the same with public site and our VeriSign cert.
Is some sort of internal DNS necessary or something?
[ February 15, 2002, 09:21 PM: Message edited by: Larry ]

RE: SSL - 16.Feb.2002 4:29:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Larry,
OK, it sounds like it's a problem with the name on the certificate itself. It has to be exactly the same as the name included in the host header.
HTH, Tom

RE: SSL - 19.Feb.2002 8:45:00 PM
lcarson
Posts: 12
Joined: 12.Feb.2002
From: Brunswick, GA USA
Status: offline
Okay, I'm ready to make this work on our public site using our VeriSign cert.
The error I get is "target principal name is incorrect."
As mentioned previously, I fixed this on our other webserver by issuing a cert using the NetBIOS name instead of FQDN. www.mydomain.com was on the cert and in DNS, but with ISA in the middle it didn't work. So, I changed the cert to reflect the machine name and it works. I can't do that with the VeriSign cert that has worked until the firewall.
What can I do?
Larry

RE: SSL - 27.Feb.2002 4:36:00 PM
lcarson
Posts: 12
Joined: 12.Feb.2002
From: Brunswick, GA USA
Status: offline
Solution:
Publish using two web publishing rules: (1) for http, (2) for https. Two destination sets: (1) for http, (2) for https to specific dir. Create one listener, enable SSL, import cert from web server.
Key to solution: use the FQDN in every instance (as it should match the cert name) and not the IP. This requires internal DNS to resolve the FQDN to the private IP of the web server or alternatively a HOSTS file on ISA (as mentioned in Sharma's excellent how-to in the learning zone).
This is what worked for us!
Larry
[ February 27, 2002, 04:37 PM: Message edited by: Larry ]
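
The name requirement behind the "target principal name is incorrect" error in this thread, as an added example that is not part of the original posts and is not ISA Server's own code: a simplified Python model that checks the name a publishing rule redirects to against the web server certificate's names and the hosts file on the ISA machine. The function names are hypothetical, and `www.example.com`, `WEB` and `10.0.0.5` are constructed sample values.

```python
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(cert_name, target):
    """Case-insensitive, label-by-label match; '*' only as the whole leftmost label."""
    cert = cert_name.lower().rstrip(".").split(".")
    want = target.lower().rstrip(".").split(".")
    if len(cert) != len(want):
        return False
    if cert[0] == "*":
        return len(cert) > 2 and cert[1:] == want[1:]
    return cert == want

def parse_hosts(text):
    """Map each name in hosts-file text to its address, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def check_redirect(target, cert_names, hosts, internal_ip):
    """Return problem codes for the name a publishing rule redirects to."""
    if is_ip(target):
        return ["ip-target"]  # an IP can never equal a DNS name on the cert
    problems = []
    if not any(name_matches(n, target) for n in cert_names):
        problems.append("name-mismatch")
    if hosts.get(target.lower()) != internal_ip:
        problems.append("not-resolved-internally")
    return problems

# Constructed sample values (assumptions, not taken from the thread).
CERT_NAMES = ["www.example.com"]
HOSTS = parse_hosts("10.0.0.5  www.example.com   # private IP of the web server\n")

if __name__ == "__main__":
    for target in ("10.0.0.5", "WEB", "www.example.com"):
        print(target, check_redirect(target, CERT_NAMES, HOSTS, "10.0.0.5") or "ok")
```

Only the FQDN target comes back clean: the IP and the NetBIOS name both fail the certificate name comparison, and the NetBIOS name also has no internal resolution entry.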

RE: SSL - 27.Feb.2002 7:18:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Larry,
Good one!
Thanks for the follow up on this and for the solution!
Thanks!
Tom

RE: SSL - 27.Mar.2002 2:34:00 PM
spyros
Posts: 19
Joined: 26.Mar.2002
Status: offline
I'm getting the "target principal name incorrect" error too, but seem to have followed prescriptions above. IIS behind ISA. Local CA. Issued cert for IIS web site using FQDN of public address. Host header of IIS web site has FQDN of public web site. Destination set has FQDN of public web site. Web publishing rule redirects to FQDN of internal address for IIS server. Internal DNS resolves ok, external resolves ok.
When I get the "target principal name" error from an external site, I have already established an HTTPS connection, and I can display the File|Properties in IE and see that the certificate is indeed the one I issued for the internal web server. However, no display of the page, only the error message.
Also - Publishing rule works for port 80 - gets data fine. Just fails when I add that little "s" to the URL!
Any thoughts?
[ March 27, 2002, 10:36 PM: Message edited by: Spyros Sakellariadis ]

RE: SSL - 23.Apr.2002 5:28:00 AM
SanMan
Posts: 50
Joined: 23.Feb.2001
From: ZA
Status: offline
Hi Spyros,
Check your OWA web publishing rule to ensure that it redirects to an FQDN which is on your internal network. I added an entry to the hosts file on the ISA Server. Worked for me.
HTH, let me know how it goes.
SanMan

RE: SSL - 18.Jul.2002 6:38:00 PM
Darik
Posts: 87
Joined: 28.May.2002
Status: offline
Larry:
I got the same error. I am using a VeriSign trial cert.
500 Internal Server Error - The certificate chain was issued by an untrusted authority. (-2146893019) Internet Security and Acceleration Server
- I have the cert installed on the Web Srv
- I have the cert installed on ISA
External users are authenticated using ISA. Internal users work fine using https,
but when I redirected SSL new session using ISA it gave the above error.
1- DNS name: abc.com is on DNS; external users ping and get the response from abc.com external IP
2- Destination set defines abc.com and ISA has hosts file configured using abc.com with internal address config; internal users ping abc.com and get the response from internal site
3- Machine name xyz.com and NetBIOS name is WEB
4- Certificate name, external DNS and internal hosts file name is abc.com without https
If my external users type abc.com they work fine using http and abc.com but not SSL new session they work fine with https through ISA and then forward as http
Where is the main problem?
Note:
a- Web Srv does not require client cert
b- CA root is installed under WebProxy Services
Pls help to find the solution
Thanks
D

RE: SSL - 19.Jul.2002 2:12:00 AM
Darik
Posts: 87
Joined: 28.May.2002
Status: offline
Interesting:
First I was getting "target principal name is incorrect."
I defined directory under destination set and now I am getting
403 Forbidden - The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) Internet Security and Acceleration Server
Any solution pls?
As I am sure all names are correct because I am able to go using http from outside and inside
Thanks
D