This is a very important and great article, but you missed a very important component.
If you use an internal certificate, the AIA and CDP point to internal resources. Unfortunately this is insecure because the default CDP contains the full AD LDAP path, and that is golden information. Best Regards, Zoltan Harmath
Interesting observation! Although not related to the "target principal is incorrect" issue, it is interesting. In the ISA Server and Beyond book I describe the advantages and disadvantages of using enterprise root and stand-alone certificate servers, and you bring up another advantage of using the stand-alone certificate server. Of course, you can also change these values, which I also describe in the ISA Server and Beyond book, so you don't even have to worry about it (within the bounds of your specific implementation, of course).
Hi, all! Happy NY! I have 2 problems with my CA server. First: my stand-alone root CA shows me after reboot "The Certificate Service terminated with service-specific error 2148081668". This message has now occurred a second time. I did not make a backup of the CA. The first time I reinstalled my CA server, and now it is damaged again. I can't find an answer to this problem on the Internet, though I'm not the first who has asked it. Second: while my CA server was working, I created a certificate with the IP xxx.xxx.xxx.xxx as the name, because this is the name too, and it worked, but it worked strangely, i.e. my ISA server required "https" when I requested an SSL resource via http://xxx.xxx.xxx.xxx, but after about 1 day the ISA server doesn't ask me for it if I haven't sent it a request during this time (i.e. I log in on my Web page without https). If I restart the Web proxy service, SSL works again.
Hello, Tom. Just got your new book, was very helpful concerning publication of OWA. This article helped explain why it wasn't working (domain name mismatch). I'm trying to implement things in an incremental fashion, so I'm first trying to get things working without bridging SSL. Reason for this is my client must be convinced to use the same domain name as on their certificate (doesn't want to use private CA, wants to use Public CA) instead of using multiple domains for OWA mail
I am having a brain cramp at this point. I removed the bridging entry, but now, after authentication, I get a warning saying both secure and non-secure content, and then I get 403s in both OWA frames. I have the Exchange virtual directory set up to not require SSL currently. If I do not require SSL in the web publishing rule, I get a second login prompt, and then I can enter the mailbox. This problem appeared after the previous problem went away, which was the fact that I was unable to authenticate at all.
Any idea why this may be happening? I'm sure I'm doing something stupid. Any help would be greatly appreciated.
That's a tricky one, especially since I've never removed the SSL settings once they've been set. It's possible that you're dealing with reverse caching issues. When you bridge SSL as HTTP, the HTTP objects obtained from the site are cached before being forwarded back to the requesting client as SSL protected messages.
From: San Francisco
The article seems to address Web Publishing rules and not Server Publishing. I have a system where I'm trying to publish an SSL connection to a server behind ISA. I'm publishing the server using Server Publishing rules for an HTTPS server and receive the following when trying to connect with Internet Explorer 6:
500 Internal Server Error - The network logon failed. (1790)
I assume I need to set "Incoming Web Requests" to use an SSL port other than 443 (similar to HTTP Server publishing in Chapter 5 of ISA and Beyond)...is this correct? (It seems to solve the problem.)
Hi Tom, this is a great article, but I still have one confusion. What if the client only types http instead of https in the web browser; is there a way ISA Server can redirect them to https and not return the error if they just type http? I have had to use redirect.asp to make this work, but I think there must be a better way ISA can do this. Thanks a lot, you are so great with all the articles. Frank
RE: Discussion on Solving the Dreaded "500 Interna... - 26.Jul.2004 1:02:00 AM
The article seems to confirm the settings I have in place however I am still receiving the error.
Details: Single domain environment with simple network (no internal routers). Running ISA 2000. Attempting to set up external HTTPS access to a W2K3/IIS6 web site. Many webs running on this server with external access.
I am using an Enterprise CA. The cert was generated for the specific site and loaded into the site. The cert was exported, including the root, and imported into the ISA server (which was already a domain member). I am using a Server Publishing Rule with a dedicated Destination specifying the site URL (www.foo.com). The Publishing rule action redirects to the specific site URL (www.foo.com). The original host header is being sent. The Action tab specifies connecting to 443 when bridging. The Bridging tab specifies bridge SSL as HTTP (tried bridging SSL as SSL as well with no change in the error). The Bridging tab specifies that "require SSL" is not checked. The ISA server hosts file has an entry for the web server IP address associated with the specific web site (www.foo.com). No client certs are involved or specified as required in the config. Incoming Web Requests specifies "Enable SSL Listeners". The sole Listener specifies the specific web cert (www.foo.com) as "use server certificate to authenticate". The Listener specifies authentication as Integrated only.
Additional info: clients on the internal LAN can successfully establish an HTTPS connection to the web, it is only the external clients coming through ISA which receive the error...naturally. Tried monitoring an external request using Network Monitor however no intelligible data was collected on the internal LAN NIC (on ISA side) even when bridging as HTTP?
I have gotten something wrong somewhere but cannot seem to identify the failure point. Please advise.
RE: Discussion on Solving the Dreaded "500 Interna... - 27.Jul.2004 4:25:00 AM
Follow-up on my preceding message.
I was able to resolve the issue by requesting a computer certificate for the ISA server. I don't recall this being a specified requirement but one of the other articles documents the acquisition of one during a setup for SSL so I gave it a shot and now external clients can access the SSL enabled web behind ISA (SSL to ISA then HTTP to the web).
Much thanks for all the documentation on this site. I do not know where I would have gotten the info to resolve this otherwise, keep it up.
You don't need a computer certificate in order to make it work. However, you do need to bind the Web site certificate to the Web listener, which means importing the Web site certificate into the ISA firewall's machine certificate store.
You may not have imported the CA certificate into the Trusted Root Certification Authorities store. If you requested a computer certificate using the MMC, then that certificate was automatically added for you.
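A way to check the two certificate points raised in this thread on the ISA machine itself (whether the CA certificate is actually trusted, and whether an enterprise CA certificate carries internal LDAP CDP/AIA paths), as an added PowerShell example that is not from the original posts or from Microsoft; it assumes the site certificate was imported into the local machine's Personal store and reuses www.foo.com from the thread as the published host name.

```powershell
# Added example, not from the thread: inspect the certificate an ISA Web
# listener will bind to. Assumes the site cert is in Cert:\LocalMachine\My and
# that 'www.foo.com' (the name used in the thread) is the published host name.
$PublishedName = 'www.foo.com'

# 1. Find a certificate whose subject CN or SAN carries the published name
#    (a mismatch here is the "domain name mismatch" the article describes).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $san = ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ' '
    $_.Subject -match "CN=$([regex]::Escape($PublishedName))(,|$)" -or
    $san -match "DNS Name=$([regex]::Escape($PublishedName))"
} | Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate for $PublishedName in Cert:\LocalMachine\My; import the site cert with its private key first."
    return
}
"Found: $($cert.Subject)  expires $($cert.NotAfter)"
if (-not $cert.HasPrivateKey) { Write-Warning "No private key: the listener cannot use this certificate." }

# 2. Build the chain from the machine stores. UntrustedRoot means the CA
#    certificate is missing from Trusted Root Certification Authorities.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CDP reachability is reported below instead
if ($chain.Build($cert)) {
    "Chain OK, root: $($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) $($_.StatusInformation)" }
}

# 3. List CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs. An enterprise CA
#    writes ldap:/// URLs that embed the AD forest path: external clients
#    cannot reach them, and they disclose the directory layout.
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $urls = [regex]::Matches($ext.Format($false), '(ldap|https?)://\S+') |
                ForEach-Object { $_.Value.TrimEnd(',') }
        foreach ($u in $urls) {
            $flag = if ($u -like 'ldap://*') { 'INTERNAL AD PATH' } else { 'ok' }
            "{0}: {1} [{2}]" -f $ext.Oid.FriendlyName, $u, $flag
        }
    }
}
```

Step 2 reports the trusted-root problem described in the reply above; step 3 surfaces the internal LDAP paths Zoltan points out, which a stand-alone CA or a CDP/AIA change on the enterprise CA avoids.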
I am getting the following error on two Exchange sites: 500 Internal Server Error - The network logon failed. (1790). I have searched till I'm blue in the face and cannot seem to find any answers to this issue. I have had several other co-workers who are familiar with ISA 2000 look into this and we are stumped. It appears to be something with OWA, ISA 2000 and Exchange 2003. We have recreated the certificate several times and it still does not work. Any ideas, anyone?