SSL Bridging
SSL Bridging - 17.May2001 6:28:00 PM   
cpriester | Posts: 4 | Joined: 17.May2001 | From: Alexandria, VA
I have several Web Publishing rules set up on my ISA Server which point to several IIS web servers.

When I set the ISA server to Redirect requests as HTTP, it works just fine. The client successfully negotiates the transaction with the ISA server and the pages serve.

But when I set the Redirect requests to SSL (to establish an SSL channel from the ISA Server to the IIS Server), I get "500 Internal Server Error - The target principal name is incorrect (-2146893022)". The problem seems to lie with the creation of an SSL channel between the ISA Server and the IIS server.

The default IIS server security settings are currently applied, but this error seems to generate regardless of what I set on the Web server. No authentication mechanisms are in place on the listeners or the Website.

Please help!

Post #: 1
RE: SSL Bridging - 18.May2001 4:47:00 PM   
rg | Posts: 3 | Joined: 18.May2001 | From: hb,ca,usa
Not that this is much help, but I receive the same error. What certificate do you use at the proxy for Incoming Requests? I have tried both an ISA server cert that I created and installed and the web server's, which I exported (like I see everyone recommending), but this doesn't make a difference. Same error.

rg


(in reply to cpriester)
Post #: 2
RE: SSL Bridging - 18.May2001 8:25:00 PM   
cpriester | Posts: 4 | Joined: 17.May2001 | From: Alexandria, VA
I have found a solution!

Here is how it all works:

1. On your web server, request a certificate from your CA.

2. Export the certificate to a file, which you then transfer to your ISA box.

3. In the MMC, import the certificate from the website to the Personal certificate store on the LOCAL COMPUTER.

4. If your CA is NOT a trusted CA (if you are running your own CA and don't have a 'certificate authority certificate' installed from Verisign, et al.), then you ALSO need to import the CA certificate into the Trusted Root certificate store on the LOCAL COMPUTER.

5. On your listener, enable "Use a server certificate to authenticate to web clients" and enter the EXACT NAME OF THE CERTIFICATE ISSUED TO THE WEB SERVER. If the names don't match, you will get the "target principal name does not match" error.

To find out the exact name of the certificate, 'Open' the certificate, go to the Details tab, and click on Subject. You should see a list of attributes of the certificate. The CN field will show you the exact name of the certificate.

6. Additionally, go to the Web Publishing Rule, on the Action tab, in the box marked "Redirect the request to this internal Web server". This box must ALSO match the EXACT NAME on the certificate, or you will get the "target principal name" error.

I have been playing with this thing for the last week, and I have finally gotten it to work!

I hope this helps everyone out there with their ISA/IIS/SSL problems....

Casey Priester


(in reply to cpriester)
Post #: 3
RE: SSL Bridging - 24.May2001 7:26:00 AM   
tshinder | Posts: 47659 | Joined: 10.Jan.2001 | From: Texas
Hi Casey,

Excellent work! Those steps nicely describe how to get a trusted root certificate on the ISA Server and how to get a server certificate on the ISA Server too!

However, I've done the same things on several servers and get the same dreaded error periodically. However, if it's working for you, don't change anything!

Good job!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to cpriester)
Post #: 4
RE: SSL Bridging - 27.May2001 6:24:00 PM   
cpriester | Posts: 4 | Joined: 17.May2001 | From: Alexandria, VA
Tom,

In the above situation, the cert I requested for my website matched the FQDN of the box on which the site was hosted (i.e., machine.domain.com).

Unfortunately, this also lets clients know the name of your box (it's in the certificate). I haven't tried this yet, but I believe the solution to that is to create a CNAME in your internal DNS table for that box, assign it an alias, then issue the cert to that alias to 'masquerade' the true name of that box.

Hope this helps,
Casey Priester


(in reply to cpriester)
Post #: 5
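The following is an added example, not code from this thread or from ISA Server. It carries out Casey's steps 2 to 6 from post #3 and the alias idea from post #5 with the PowerShell PKI cmdlets (Import-PfxCertificate, Import-Certificate, Test-Certificate) that ship with current Windows, rather than the Windows 2000 MMC snap-in the posts use; the host names, file paths and the PFX password prompt are assumptions for illustration. It ends by running the same server-name check SChannel applies when ISA opens the bridged connection, once for the alias the certificate was issued to and once for the box's real FQDN, so the mismatch behind -2146893022 (which is 0x80090322, SEC_E_WRONG_PRINCIPAL, "The target principal name is incorrect") is visible before the listener is touched.

```powershell
# Added example, not from the original thread. Assumed names, paths and
# stores: adjust to your environment. Run in an elevated prompt on the
# ISA (proxy) box, because the LocalMachine stores need admin rights.

$ErrorActionPreference = 'Stop'

# The certificate was issued to a DNS alias (CNAME) rather than to the
# IIS box's real name, as post #5 suggests, so clients never see the box.
$PublishedName = 'www.domain.com'      # assumed: CN on the cert, CNAME in DNS
$RealHostName  = 'machine.domain.com'  # assumed: what the IIS box is really called
$PfxPath       = 'C:\certs\www.domain.com.pfx'   # assumed: step 2 export, WITH private key
$CaCertPath    = 'C:\certs\internal-ca.cer'      # assumed: the issuing CA's own cert
$PfxPassword   = Read-Host -AsSecureString -Prompt 'PFX export password'

# Step 3: the web server's certificate (and its private key) goes into the
# LOCAL COMPUTER Personal store. A cert that only sits in the current user's
# store is invisible to the ISA service, which runs as a machine account.
$serverCert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# Step 4: a private CA has to be trusted by the machine, so its certificate
# goes into the LOCAL COMPUTER Trusted Root store.
Import-Certificate -FilePath $CaCertPath `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Steps 5 and 6: the name typed into the listener and into "Redirect the
# request to this internal Web server" must be the certificate's Subject CN.
# SimpleName returns that CN; modern certificates also carry the name in a
# Subject Alternative Name, which SChannel checks first.
$subjectCN = $serverCert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
"Use this exact name in the listener and the publishing rule: $subjectCN"

# Reproduce the check SChannel makes on the bridged connection: a chain to a
# trusted root (so step 4 matters here too) plus the SSL server-name policy
# for the host name ISA will redirect to.
foreach ($target in @($PublishedName, $RealHostName)) {
    $ok = Test-Certificate -Cert $serverCert -Policy SSL -DNSName $target `
        -ErrorAction SilentlyContinue
    if ($ok) {
        "OK    redirect to $target matches certificate CN '$subjectCN'"
    } else {
        "FAIL  redirect to $target does not match CN '$subjectCN' " +
        "(expect -2146893022 / 0x80090322 from the listener)"
    }
}
```

With the assumed names, the first iteration passes and the second fails: redirecting to machine.domain.com while the certificate says www.domain.com is exactly the mismatch Casey describes in step 6, and the CNAME approach from post #5 works only if the publishing rule redirects to the alias as well.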