[isalist] Re: CA

  • From: "Ruba Al-Omari" <romari@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Sun, 9 Jul 2006 18:49:51 +0300

inline for the troubleshooting environment I am setting up now, and another copy
below it for the environment when I was publishing 2 secure sites with one
listener, which worked also but only as:
clients<-----secure---->ISA<----not secure----->webserver

but when I choose
clients <---secure--->ISA<----secure----->webserver
it doesn't work in both cases (a single secure site with one listener, or
multiple secure sites with 1 listener)

Thanks,
r.


On 7/9/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

Hi Ruba,

Troubleshooting/testing:

What is the *exact* name on the *To* tab of the Web Publishing Rule?
web.daralhekma.edu.sa

What is the *exact* name on the *Public* tab of the Web Publishing Rule?
web.daralhekma.edu.sa

What is the *exact* common/subject name on the Web site certificate bound
to the Web listener?
web.daralhekma.edu.sa

What is the *exact* common/subject name on the Web site certificate bound
to the Web site itself?
web.daralhekma.edu.sa

At the ISA firewall machine, what IP address does the name on the *To* tab
resolve to?
the internal IP address of the webserver: 10.112.60.14


Publishing multiple secure sites with one listener:

What is the *exact* name on the *To* tab of the Web Publishing Rule?
web.daralhekma.edu.sa

What is the *exact* name on the *Public* tab of the Web Publishing Rule?
web.daralhekma.edu.sa

What is the *exact* common/subject name on the Web site certificate bound
to the Web listener?
*.daralhekma.edu.sa (this certificate is also imported to the ISA trusted
certificate root)

What is the *exact* common/subject name on the Web site certificate bound
to the Web site itself?
web.daralhekma.edu.sa

At the ISA firewall machine, what IP address does the name on the *To* tab
resolve to?
the internal IP address of the webserver: 10.112.60.14



Note: you won't be able to test/see the error now because I disabled the rule
before going home; I can enable it tomorrow if you would like to see the error
(-2146893019),

Thanks!

 Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 ------------------------------
*From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
*On Behalf Of *Ruba Al-Omari
*Sent:* Sunday, July 09, 2006 9:40 AM
*To:* isalist@xxxxxxxxxxxxx
*Subject:* [isalist] Re: CA



>   Thanks Jim, I placed the certificate in the trusted root certificate
> authority, still the same error (same error but different reason I guess)
>
If I do the wizard Secure Web Server Publishing (Secure connection to
clients only) it works fine; if I do Secure Web Server Publishing (Secure
connection to clients and web server), it doesn't work and I get the
(-2146893019) error. I have seen this reply on the forum
http://forums.isaserver.org/m_60244600/tm.htm
which seems logical, but since it's not mentioned anywhere in Tom's
articles when publishing OWA, does it apply to OWA? Because I couldn't
get OWA to work with the secure connection to clients AND webserver and I
wonder if this was the reason?

In my case I am using 2 certificates from one CA: one is a wildcard
certificate and the other is for the web server, so it should work: 1
certificate (wildcard) between clients and ISA, and the other certificate
(webserver cert) between the ISA and the webserver. It's not working, with
error (-2146893019), any ideas?

For troubleshooting I want to publish one (not multiple) secure web site
with one listener but with secure connection to clients and to web server.
One certificate will be installed at the webserver and imported to the ISA
and will be used between the webserver and ISA, but the other certificate to
be used between ISA and clients will be installed at the ISA too, but for
which server should it be obtained?

Thanks,
r.


> "Hello,
>
> I am assuming that you fixed this problem several months ago, but I am
> replying for everyone else who is having the same problem.
>
> I have had the same problem in the past and it took me a while to figure
> out why it was. What I didn't realise was that if you have encryption
> between the isaserver and the client and also the isaserver and the internal
> server you are trying to access, is that you require two certificates but
> they must be from the same certificate authority. I had two certificates but
> one from external source and another from internal CA.
>
> Hope this clears it up for a few people getting this error.
>
> Thanks
> Richard"
>
> ------------------------------
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jim Harrison
> *Sent:* Saturday, July 08, 2006 5:38 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* RE: [isalist] Re: CA
>
> this is because you don't have the issuing CA cert in the ISA machine
> trusted root store.
>
> ------------------------------
>
> *From:* isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
> *Sent:* Sat 7/8/2006 3:34 AM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: CA
>
> thanks Jim, I fixed the name, now I am receiving this error:
>
> Error Code: 500 Internal Server Error. The certificate chain was issued
> by an untrusted authority. (-2146893019)
>
> Even though the IE is 6 sp2, I know the certificate is not from a trusted
> authority (because I made it a test certificate), and I saw a reply from
> Thomas to someone that the IE won't issue a 500 error, now it's issuing, any
> advice?
>
> Thanks,
> r.
>
> On 7/5/06, *Jim Harrison* <Jim@xxxxxxxxxxxx> wrote:
>
> That's not what the error message is telling you.
> What it's saying is that the common name in the certificate does not
> match the destination hostname specified in the publishing rule.
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
> Sent: Wed 7/5/2006 9:20 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: CA
>
> I checked the certificate installed on the webserver and the one on the
> ISA and they match, what else should I check?
>
> Also if I install a third NIC on the ISA that belongs to the DMZ (that
> the second NIC belongs to) and create a second weblistener there, will that
> work? I have available public IPs on the "hardware" firewall (and wildcard
> certificates are quite expensive.)
>
> One last thing, does the ISA publish an Apache server?
>
> Thanks,
> r.
>
> On 7/5/06, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
> That error tells you that they don't match between the ISA and
> the published server.
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
> Sent: Wed 7/5/2006 4:06 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] CA
>
> I am doing this testing CA, I followed the article from Dr. Tom
> (Publishing 2 websites with the same web listener), the OWA is working ok,
> it listens to the wild card certificate and redirects to the webmail
> certificate, but the other site, it listens to the wildcard certificate,
> then gets me the outlook FBA logon screen (which I don't like, but I will
> check it later), then after authentication I receive the error:
>
> Error Code: 500 Internal Server Error. The target
> principal name is incorrect. (-2146893022)
>
> I am sure the name on the certificate is the same name at the
> public DNS and internal DNS and publishing rule, any advice?
>
> Thanks,
> r.
>
> All mail to and from this domain is GFI-scanned.
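An added example, not code from the list thread or from ISA Server: a small Python model of the checks Tom's questions walk through for a rule that is secure on both legs (clients to ISA, and ISA to the web server). It decodes the two HRESULTs quoted in the thread, applies the CN/wildcard name-match rule that produces "target principal name is incorrect", and walks the server certificate's issuer chain against the ISA machine's trusted root store, which is what Jim's "issuing CA cert in the trusted root store" remark is about. The host names and IP are the thread's; the CA name "Internal Test CA" is a constructed placeholder, and the chain walk compares names only (no signatures are verified), so it illustrates the logic rather than replacing a real validator.

```python
# Schannel status codes behind the two ISA error messages in the thread.
SCHANNEL_ERRORS = {
    0x80090322: "SEC_E_WRONG_PRINCIPAL: the target principal name is incorrect",
    0x80090325: "SEC_E_UNTRUSTED_ROOT: the certificate chain was issued by an untrusted authority",
}


def hresult(code: int) -> int:
    """ISA reports HRESULTs as signed 32-bit decimals (e.g. -2146893019); mask to unsigned."""
    return code & 0xFFFFFFFF


def describe_error(code: int) -> str:
    h = hresult(code)
    return f"0x{h:08X} {SCHANNEL_ERRORS.get(h, 'unknown Schannel/HRESULT value')}"


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Compare a certificate subject CN (or SAN dNSName) with the name the peer expects.

    Rules: case-insensitive; exact match; or '*' as the whole leftmost label standing
    for exactly one label. So *.daralhekma.edu.sa matches web.daralhekma.edu.sa but
    neither daralhekma.edu.sa nor a.web.daralhekma.edu.sa."""
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if cert == host:
        return True
    cert_labels, host_labels = cert.split("."), host.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


def chain_is_trusted(chain, trusted_roots) -> bool:
    """chain: [(subject CN, issuer CN), ...] from the server certificate upward, as presented.
    trusted_roots: subject names in the verifier's Trusted Root store (the ISA machine here).
    Name-only walk: each issuer must be the next subject, and the walk must reach an
    issuer that is in the store. Signatures are not checked in this model."""
    expected_subject = chain[0][0]
    for subject, issuer in chain:
        if subject != expected_subject:
            return False            # gap in the presented chain
        if issuer in trusted_roots:
            return True             # anchored at a CA the verifier trusts
        if issuer == subject:
            return False            # self-signed root that is not in the store
        expected_subject = issuer
    return False                    # ran out of certificates before reaching a trusted CA


def check_bridged_rule(rule: dict, isa_trusted_roots: set) -> list:
    """Run the thread's checks for a rule that is secure on both legs.
    Returns (leg, expected ISA error code or None, detail) tuples; empty means it lines up."""
    findings = []
    # Leg 1: client -> ISA. The listener certificate must match the Public-tab name.
    if not cert_name_matches(rule["listener_cert_cn"], rule["public_name"]):
        findings.append(("client->ISA", None,
                         f"listener cert {rule['listener_cert_cn']} does not match {rule['public_name']}"))
    # Leg 2: ISA -> web server. ISA is the TLS client here, so the server certificate
    # must match the To-tab name and chain to a CA in ISA's own trusted root store.
    server_cn = rule["server_cert_chain"][0][0]
    if not cert_name_matches(server_cn, rule["to_name"]):
        findings.append(("ISA->server", -2146893022,
                         f"server cert {server_cn} does not match To-tab name {rule['to_name']}"))
    if not chain_is_trusted(rule["server_cert_chain"], isa_trusted_roots):
        findings.append(("ISA->server", -2146893019,
                         f"issuer of {server_cn} is not in the ISA trusted root store"))
    if rule["to_name_resolves_to"] != rule["server_ip"]:
        findings.append(("ISA->server", None,
                         f"{rule['to_name']} resolves to {rule['to_name_resolves_to']}, not {rule['server_ip']}"))
    return findings


# Constructed scenario mirroring the thread: wildcard listener cert, web server cert
# issued by an internal test CA (placeholder name) that ISA does not yet trust.
RULE = {
    "public_name": "web.daralhekma.edu.sa",
    "listener_cert_cn": "*.daralhekma.edu.sa",
    "to_name": "web.daralhekma.edu.sa",
    "server_cert_chain": [("web.daralhekma.edu.sa", "Internal Test CA"),
                          ("Internal Test CA", "Internal Test CA")],
    "to_name_resolves_to": "10.112.60.14",
    "server_ip": "10.112.60.14",
}

if __name__ == "__main__":
    for code in (-2146893019, -2146893022):
        print(code, "->", describe_error(code))
    for leg, err, detail in check_bridged_rule(RULE, set()):
        print("before importing the CA:", leg, err, detail)
    print("after importing the CA:", check_bridged_rule(RULE, {"Internal Test CA"}))
```

The point the model makes explicit is that the two legs are verified by different parties: the browser validates the listener certificate against its own store, while ISA validates the web server's certificate against the ISA machine's store, so the issuing CA of the internal certificate has to be trusted on ISA regardless of what the clients trust.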

