I keep getting the following error trying to publish my OWA 2003 via SSL: Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022) when trying to access https://mail.company.eu/exchange from an external client. I do receive the HTML sign in page but after signing in with: domain\user I receive the error. On the ISA monitoring I see a failed connection attempt from the external client to the Exchange server.
I know this has something to do with the certificate I am using, but can't find out what.
I have an Exchange 2003 domain member server in the internal domain company.local. The name of the Exchange server is SRV_EX01, with a DNS alias mail.company.local. Externally the mail server is known as mail.company.eu.
I have an ISA 2006 domain member server, SRV_ISA01. This server has 2 network cards; one is defined as Internal and the other as External.
I set up a CA on SRV_EX01 and created a certificate with CN=SRV_EX01. I imported the certificate on the ISA server and I can access the OWA client from the ISA server via: https://srv_ex01/exchange
After that I set up a publishing rule for publishing the OWA website externally with a listener. I keep getting the error 500 mentioned above.
After that I created a certificate for CN=mail.company.eu and installed it on the ISA server and changed the listener to use the new certificate, but still the same error. I even tried the same action with CN=mail.company.local.
I also had some IP resolving errors but changed some DNS settings to solve these, as mentioned below. I added a primary DNS zone for company.eu in our internal DNS and added the host mail to be sure the ISA server could reach the mail server internally on the external name. I changed the DNS settings on the external network card to use our internal DNS servers. And I added a forwarder on our DNS server to be able to reach the Internet.
I hope somebody knows what to change because I tried so many things but can't get it to work.
On the Rule Action page, select the Redirect the request to this internal Web server (name or IP address) option. In the text box under this option, type in the FQDN of the OWA Web site that is the same as the FQDN listed in the common name of the certificate and the name the external users use to access the site. This prevents you from getting server error 500 messages and certificate mismatch problems. The key to making this redirect work is a split DNS infrastructure or a HOSTS file entry for the FQDN of the OWA Web site that resolves to the internal address of the OWA site. We'll cover this issue more in the DNS discussion later in the article.
I tried to set this option, but on the Rule Access page I can only choose from Allow and Deny. The option to redirect to another page is only available when I choose Deny. I therefore set the option to Deny and filled in our external FQDN to reach the OWA site, but it didn't work. So I set the original setting back.
In ISA Manager, in the OWA access rule, on the To tab, fill in the field "Computer name or IP address (required if the internal site name is different or not resolvable)" with: mail.company.eu (the external FQDN).
This was probably the same item Zabulon mentioned, but he directed me to the wrong tab.
I never expected that I had to use the external FQDN for internal name resolving. But anyway.