[isalist] Re: CA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 9 Jul 2006 09:46:06 -0500

Hi Ruba,
 
What is the exact name on the To tab of the Web Publishing Rule?
 
What is the exact name on the Public tab of the Web Publishing Rule?
 
What is the exact common/subject name on the Web site certificate bound
to the Web listener?
 
What is the exact common/subject name on the Web site certificate bound
to the Web site itself?
 
At the ISA firewall machine, what IP address does the name on the To tab
resolve to?
 
Thanks!
Tom
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
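Tom's questions above all reduce to two checks the ISA firewall makes when it opens the server-side SSL connection of a Web Publishing Rule: does a name on the Web site certificate match the host name on the To tab, and does the certificate chain end at a CA present in the firewall's trusted root store. The Python below is an added example, not part of the thread and not ISA code: it models both checks offline on constructed certificate records (plain dicts with `subject_cn`, `issuer_cn` and optional `san` fields, not real X.509 parsing; all CA and host names are made up) and returns the two error codes quoted in the thread. The wildcard rule it applies, a single `*` covering exactly one left-most label, is the RFC 6125 rule; the order in which the two checks run is this example's own choice.

```python
# Added example (not from the thread): offline model of the two checks the
# ISA firewall makes on the server-side SSL connection of a Web Publishing
# Rule. Certificates are constructed dicts, not real X.509 objects.

# Error codes as quoted in the thread.
ERR_NAME_MISMATCH = -2146893022   # "The target principal name is incorrect."
ERR_UNTRUSTED_CHAIN = -2146893019  # "The certificate chain was issued by an untrusted authority."
OK = 0


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a host name.

    A '*' is accepted only as the entire left-most label and covers exactly
    one label: '*.example.test' matches 'owa.example.test' but neither
    'example.test' nor 'a.b.example.test'. Comparison is case-insensitive
    and ignores a trailing dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard must be the whole left-most label, with at least two labels below it.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate asserts: the SAN list when present, else the subject CN."""
    return list(cert.get("san") or [cert["subject_cn"]])


def name_check(site_cert: dict, rule_to_name: str) -> bool:
    """Does the published site's certificate cover the name on the rule's To tab?"""
    return any(hostname_matches(n, rule_to_name) for n in cert_names(site_cert))


def chain_check(leaf: dict, available: list, trusted_root_cns: set) -> bool:
    """Follow issuer links from the leaf until a CA in the trusted root store is reached.

    'available' holds intermediate CA certificates the firewall can use to
    build the chain; 'trusted_root_cns' are subject CNs present in the
    machine's Trusted Root Certification Authorities store.
    """
    by_subject = {c["subject_cn"]: c for c in available}
    current, seen = leaf, set()
    while True:
        if current["issuer_cn"] in trusted_root_cns:
            return True
        if current["issuer_cn"] == current["subject_cn"]:
            return False  # self-signed and not in the root store
        issuer = by_subject.get(current["issuer_cn"])
        if issuer is None or issuer["subject_cn"] in seen:
            return False  # chain cannot be completed (or loops)
        seen.add(issuer["subject_cn"])
        current = issuer


def evaluate_bridge(site_cert: dict, rule_to_name: str, available: list, trusted_root_cns: set) -> int:
    """Return 0 if the server-side connection would be accepted, else the error code.

    The name check runs before the chain check here; that ordering is this
    example's choice, matching the order the errors appeared in the thread.
    """
    if not name_check(site_cert, rule_to_name):
        return ERR_NAME_MISMATCH
    if not chain_check(site_cert, available, trusted_root_cns):
        return ERR_UNTRUSTED_CHAIN
    return OK


# Constructed sample data: a two-tier test PKI and the published site's certificates.
ROOT_CN = "Constructed Test Root CA"
ISSUING_CN = "Constructed Issuing CA"
ISSUING_CA_CERT = {"subject_cn": ISSUING_CN, "issuer_cn": ROOT_CN}
SITE_CERT = {"subject_cn": "webmail.example.test", "issuer_cn": ISSUING_CN}
WILDCARD_CERT = {"subject_cn": "*.example.test", "issuer_cn": ISSUING_CN}


def demo() -> dict:
    """Reproduce the thread's two failure states plus the working configurations."""
    trusted = {ROOT_CN}
    return {
        "matching name, trusted chain": evaluate_bridge(SITE_CERT, "webmail.example.test", [ISSUING_CA_CERT], trusted),
        "To tab says owa.example.test": evaluate_bridge(SITE_CERT, "owa.example.test", [ISSUING_CA_CERT], trusted),
        "root CA not in ISA root store": evaluate_bridge(SITE_CERT, "webmail.example.test", [ISSUING_CA_CERT], set()),
        "wildcard cert covers owa": evaluate_bridge(WILDCARD_CERT, "owa.example.test", [ISSUING_CA_CERT], trusted),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case}: {'OK' if code == OK else code}")
```

The `demo()` cases map onto the thread: a To tab name the certificate does not cover yields -2146893022, and a chain that cannot reach a root in the store (root missing, or an intermediate not installed) yields -2146893019. Because the chain walk only needs the issuer CN to appear in the trusted set, a certificate from any CA passes as long as that CA's root is in the ISA machine's store.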

 


________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ruba Al-Omari
Sent: Sunday, July 09, 2006 9:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: CA

Thanks Jim, I placed the certificate in the trusted root certificate
authority; still the same error (same error but different reason, I guess).

If I do the wizard Secure Web Server Publishing (Secure connection to
clients only) it works fine; if I do Secure Web Server Publishing (Secure
connection to clients and web server), it doesn't work and I get the
(-2146893019) error. I have seen this reply on the forum
http://forums.isaserver.org/m_60244600/tm.htm which seems logical, but
since it's not mentioned anywhere in Tom's articles when publishing OWA,
does it apply to OWA? Because I couldn't get OWA to work with the secure
connection to clients AND web server and I wonder if this was the reason?

In my case I am using 2 certificates from one CA: one is a wildcard
certificate and the other is for the web server, so it should work: 1
certificate (wildcard) between clients and ISA, and the other certificate
(web server cert) between the ISA and the web server. It's not working,
with error (-2146893019); any ideas?

For troubleshooting I want to publish one (not multiple) secure web site
with one listener but with a secure connection to clients and to the web
server. One certificate will be installed at the web server and imported
to the ISA and will be used between the web server and ISA, but the other
certificate, to be used between ISA and clients, will be installed at the
ISA too, but to which server should it be obtained?

Thanks,
r.
         

"Hello,

I am assuming that you fixed this problem several months ago, but I am
replying for everyone else who is having the same problem.

I have had the same problem in the past and it took me a while to figure
out why it was. What I didn't realise was that if you have encryption
between the ISA server and the client and also between the ISA server and
the internal server you are trying to access, you require two
certificates, but they must be from the same certificate authority. I had
two certificates, but one from an external source and another from an
internal CA.

Hope this clears it up for a few people getting this error.

Thanks
Richard"


________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, July 08, 2006 5:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: CA


This is because you don't have the issuing CA cert in the ISA machine's
trusted root store.


________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
Sent: Sat 7/8/2006 3:34 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: CA

Thanks Jim, I fixed the name; now I am receiving this error:

Error Code: 500 Internal Server Error. The certificate chain was issued by an untrusted authority. (-2146893019)

Even though the IE is 6 SP2, I know the certificate is not from a trusted
authority (because I made it a test certificate), and I saw a reply from
Thomas to someone that the IE won't issue a 500 error; now it's issuing,
any advice?

Thanks,

r.
                 

On 7/5/06, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

That's not what the error message is telling you.
What it's saying is that the common name in the certificate does not match
the destination hostname specified in the publishing rule.
                
________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
Sent: Wed 7/5/2006 9:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: CA

                
I checked the certificate installed on the web server and the one on the
ISA and they match; what else should I check?

Also, if I install a third NIC on the ISA that belongs to the DMZ (that
the second NIC belongs to) and create a second web listener there, will
that work? I have available public IPs on the "hardware" firewall (and
wildcard certificates are quite expensive).

One last thing, does the ISA publish an Apache server?

Thanks,
r.
                
On 7/5/06, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

That error tells you that they don't match between the ISA and the
published server.
                
________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
Sent: Wed 7/5/2006 4:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] CA

I am doing this testing CA. I followed the article from Dr. Tom
(Publishing 2 websites with the same web listener); the OWA is working OK,
it listens to the wildcard certificate and redirects to the webmail
certificate, but the other site listens to the wildcard certificate, then
gets me the Outlook FBA logon screen (which I don't like, but I will check
it later), then after authentication I receive the error:

*       Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)

I am sure the name on the certificate is the same name at the public DNS
and internal DNS and publishing rule; any advice?

Thanks,
r.
                
All mail to and from this domain is GFI-scanned.