[isalist] Re: CA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 9 Jul 2006 10:55:33 -0500

Hi Ruba,
 
OK, that all looks correct, you're using the same name from end to end
and the certificate names all match, and the name resolution on the ISA
firewall looks correct as well. 
 
Have you run the ISA firewall BPA on the ISA firewall yet?
 
Also, check the clocks on the ISA firewall and the Web site and make
sure they're synced.
 
Double check the spelling for the common/subject name on the
certificates, it could be a simple typo.
 
HTH,
Tom
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ruba Al-Omari
        Sent: Sunday, July 09, 2006 10:50 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: CA
        
        
        Inline for the troubleshooting environment I am setting up now, and
another copy below it for the environment when I was publishing 2 secure
sites with one listener, which worked also but only as: 
        clients<-----secure---->ISA<----not secure----->webserver
         
        but when I choose  
        clients <---secure--->ISA<----secure----->webserver
        it doesn't work in either case (a single secure site with one
listener, or multiple secure sites with 1 listener)
         
        Thanks,
        r.
        
         
        On 7/9/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote: 

                Hi Ruba,
                Troubleshooting/testing: 
                What is the exact name on the To tab of the Web
Publishing Rule?
                web.daralhekma.edu.sa

                What is the exact name on the Public tab of the Web
Publishing Rule?
                web.daralhekma.edu.sa 
                What is the exact common/subject name on the Web site
certificate bound to the Web listener?
                web.daralhekma.edu.sa
                What is the exact common/subject name on the Web site
certificate bound to the Web site itself?
                web.daralhekma.edu.sa
                At the ISA firewall machine, what IP address does the
name on the To tab resolve to?
                the internal ip address of the webserver: 10.112.60.14

         
        Publishing multiple secure sites with one listener: 
        What is the exact name on the To tab of the Web Publishing Rule?
         web.daralhekma.edu.sa

                What is the exact name on the Public tab of the Web
Publishing Rule?
                web.daralhekma.edu.sa 
                What is the exact common/subject name on the Web site
certificate bound to the Web listener?
                 *.daralhekma.edu.sa (this certificate is also imported
into the ISA trusted root certificate store)

                What is the exact common/subject name on the Web site
certificate bound to the Web site itself?
                 web.daralhekma.edu.sa
                At the ISA firewall machine, what IP address does the
name on the To tab resolve to?
                 the internal ip address of the webserver: 10.112.60.14

         
         
        Note: you won't be able to test/see the error now because I
disabled the rule before going home; I can enable it tomorrow if you would
like to see the error (-2146893019).
         
        Thanks!

                Tom
                 
                Thomas W Shinder, M.D.
                Site: http://www.isaserver.org/
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
                MVP -- ISA Firewalls

                 


________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ruba Al-Omari
                        Sent: Sunday, July 09, 2006 9:40 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: CA
                        
                         

                                Thanks Jim, I placed the certificate in
the trusted root certificate authorities store; still the same error (same
error but a different reason, I guess) 

                        If I use the Secure Web Server Publishing wizard
(Secure connection to clients only), it works fine; if I use Secure Web
Server Publishing (Secure connection to clients and web server), it
doesn't work and I get the (-2146893019) error. I have seen this reply
on the forum http://forums.isaserver.org/m_60244600/tm.htm which seems
logical, but since it's not mentioned anywhere in Tom's articles on
publishing OWA, does it apply to OWA? I couldn't get OWA to work
with the secure connection to clients AND web server, and I wonder if this
was the reason.
                         
                        In my case I am using 2 certificates from one CA:
one is a wildcard certificate and the other is for the web server, so it
should work: 1 certificate (wildcard) between clients and ISA, and the
other certificate (web server cert) between the ISA and the web server. It's
not working, with error (-2146893019); any ideas?
                         
                        For troubleshooting I want to publish one (not
multiple) secure web site with one listener, but with a secure connection
to clients and to the web server. One certificate will be installed at the
web server and imported into the ISA, and will be used between the web server
and ISA; the other certificate, to be used between ISA and clients,
will be installed at the ISA too, but for which server should it be
obtained? 
                         
                        Thanks,
                        r.
                         

                                "Hello, 
                                
                                I am assuming that you fixed this
problem several months ago, but I am replying for everyone else who is
having the same problem. 
                                
                                I have had the same problem in the past
and it took me a while to figure out why it was. What I didn't realise
was that if you have encryption between the ISA server and the client and
also between the ISA server and the internal server you are trying to access,
you require two certificates, but they must be from the same
certificate authority. I had two certificates, but one from an external
source and another from an internal CA. 
                                
                                Hope this clears it up for a few people
getting this error.
                                
                                Thanks
                                Richard" 

                                 

                                
________________________________


                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                                Sent: Saturday, July 08, 2006 5:38 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: RE: [isalist] Re: CA

                                 

                                This is because you don't have the
issuing CA cert in the ISA machine's trusted root store.

                                 

                                
________________________________


                                From: isalist-bounce@xxxxxxxxxxxxx on
behalf of Ruba Al-Omari
                                Sent: Sat 7/8/2006 3:34 AM
                                To: isalist@xxxxxxxxxxxxx 
                                Subject: [isalist] Re: CA

                                Thanks Jim, I fixed the name; now I am
receiving this error:

                                 

                                Error Code: 500 Internal Server Error.
The certificate chain was issued by an untrusted authority.
(-2146893019) 
                                 

                                Even though IE is 6 SP2, I know the
certificate is not from a trusted authority (because I made it a test
certificate), and I saw a reply from Thomas to someone that IE
won't issue a 500 error; now it is issuing one. Any advice? 

                                Thanks,

                                r.
                                 

                                On 7/5/06, Jim Harrison <Jim@xxxxxxxxxxxx> wrote: 

                                That's not what the error message is
telling you.
                                What it's saying is that the common name
in the certificate does not match the destination hostname specified in
the publishing rule. 
                                
                                ________________________________
                                
                                From: isalist-bounce@xxxxxxxxxxxxx on
behalf of Ruba Al-Omari 
                                Sent: Wed 7/5/2006 9:20 AM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [isalist] Re: CA
                                
                                
                                I checked the certificate installed on
the webserver and the one on the ISA and they match, what else should I
check? 
                                
                                Also, if I install a third NIC on the ISA
that belongs to the DMZ (that the second NIC belongs to) and create a
second web listener there, will that work? I have available public IPs on
the "hardware" firewall (and wildcard certificates are quite expensive).

                                
                                One last thing, does the ISA publish an
Apache server?
                                
                                Thanks,
                                r.
                                
                                On 7/5/06, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
                                
                                       That error tells you that they
don't match between the ISA and the published server. 
                                
                                       ________________________________
                                
                                       From:
isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
                                       Sent: Wed 7/5/2006 4:06 AM
                                       To: isalist@xxxxxxxxxxxxx
                                       Subject: [isalist] CA
                                
                                
                                       I am doing this testing CA. I
followed the article from Dr. Tom (Publishing 2 websites with the same
web listener); the OWA is working OK, it listens on the wildcard
certificate and redirects to the webmail certificate, but the other site
listens on the wildcard certificate, then gets me the Outlook FBA
logon screen (which I don't like, but I will check it later), then after
authentication I receive the error: 
                                
                                       Error Code: 500 Internal
Server Error. The target principal name is incorrect. (-2146893022)
                                
                                       I am sure the name on the
certificate is the same name at the public DNS and internal DNS and
publishing rule, any advice? 
                                
                                       Thanks,
                                       r.
                                
                                       All mail to and from this domain
is GFI-scanned.
                                
                                
                                
                                
                                
                                

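The checklist Tom gives at the top of the thread (the same name on the To tab, the Public tab and both certificates; the issuing CA in the ISA firewall's trusted root store; synced clocks) is the set of checks the firewall makes on the web server's certificate when it opens the second SSL leg to the published server. The Go program below is an added example, not part of the thread and not ISA Server code: it generates throw-away certificates in memory and runs those three checks with Go's standard-library verifier, mapping each failure to the Schannel code the thread quotes (-2146893019 for an untrusted chain, -2146893022 for a name mismatch). Assumptions for illustration: the CA names, the mismatching name webmail.daralhekma.edu.sa, and the SEC_E_CERT_EXPIRED code used for the clock-skew case (not quoted on the page). Go only matches names in a SAN entry, so the example puts the name in both the CN (what ISA 2004 compared) and a SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Schannel codes as ISA logs them (signed 32-bit); the first two are quoted in the thread.
const (
	SecEUntrustedRoot  = -2146893019 // 0x80090325 SEC_E_UNTRUSTED_ROOT
	SecEWrongPrincipal = -2146893022 // 0x80090322 SEC_E_WRONG_PRINCIPAL
	SecECertExpired    = -2146893016 // 0x80090328 SEC_E_CERT_EXPIRED (assumed for the clock case)
)

// credential is a throw-away certificate and key generated in memory for this example.
type credential struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// sign builds tmpl with a fresh key, signed by parent using priv (nil priv: self-signed).
func sign(tmpl, parent *x509.Certificate, priv *ecdsa.PrivateKey) credential {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if priv == nil { priv = key }
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, priv))
	return credential{must(x509.ParseCertificate(der)), key}
}

// newCA makes a self-signed issuing CA (an assumed test CA, not the real daralhekma CA).
func newCA(name string) credential {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-24 * time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, nil)
}

// issue signs a one-year server certificate; name goes in the CN (what ISA 2004 matched)
// and in a SAN entry (what modern verifiers such as Go's require).
func (ca credential) issue(name string, from time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		DNSNames:  []string{name},
		NotBefore: from,
		NotAfter:  from.Add(365 * 24 * time.Hour),
	}
	return sign(tmpl, ca.cert, ca.key).cert
}

// verifyLeg runs the checks one side of an SSL bridge applies to the certificate it
// receives (chain to a trusted root, validity at its own clock, name match) and returns
// 0 or the Schannel code. On the backend leg the verifier is the ISA firewall, roots is
// its trusted root store and name is the rule's To tab.
func verifyLeg(cert *x509.Certificate, roots *x509.CertPool, name string, clock time.Time) int {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, CurrentTime: clock})
	switch e := err.(type) {
	case nil:
		return 0
	case x509.UnknownAuthorityError:
		return SecEUntrustedRoot
	case x509.HostnameError:
		return SecEWrongPrincipal
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired { return SecECertExpired }
	}
	return -1 // some other failure
}

// scenarios reproduces the backend-leg configurations discussed in the thread.
func scenarios() map[string]int {
	now, web := time.Now(), "web.daralhekma.edu.sa"
	internal := newCA("daralhekma test CA") // assumed: the in-house CA that issued the certificates
	other := newCA("other test CA")         // assumed: an unrelated CA
	backend := internal.issue(web, now.Add(-time.Hour))
	trusted := x509.NewCertPool() // the ISA trusted root store after importing both CA certificates
	trusted.AddCert(internal.cert)
	trusted.AddCert(other.cert)
	return map[string]int{
		"issuing CA missing from ISA trusted root store":     verifyLeg(backend, x509.NewCertPool(), web, now),
		"issuing CA imported, To tab matches certificate":    verifyLeg(backend, trusted, web, now),
		"To tab name differs from certificate name":          verifyLeg(backend, trusted, "webmail.daralhekma.edu.sa", now),
		"ISA clock two years ahead of the web server":        verifyLeg(backend, trusted, web, now.Add(2*365*24*time.Hour)),
		"backend certificate issued by the other trusted CA": verifyLeg(other.issue(web, now.Add(-time.Hour)), trusted, web, now),
	}
}

func main() {
	for name, code := range scenarios() {
		println(code, name)
	}
}
```

Run it with `go run` and each scenario prints its code. The first three lines reproduce the thread's two errors and the fix Jim describes (import the issuing CA into the firewall's trusted root store); the fourth shows why Tom asks about the clocks, since a skewed verifier clock fails the validity check before the name is even compared; the last shows that the check is per chain: what the backend leg needs is the issuing CA of the web server's own certificate in that store.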