RE: ISA 2004 firewall won't start anymore

  • From: "Bunting, Jeff" <BUNTING@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 27 Oct 2005 15:00:31 -0400

Thanks for the suggestion, Tom, but that didn't work, assuming I understood
what you meant.

I have a certificate in the Trusted Root CA from the Enterprise CA.  I have
a domain policy which puts this on domain members.  This certificate shows as
OK and says it is intended for "all issuance policies" and "all application
policies".

In the personal store I have a certificate with the DNS name that I want to
use for OWA which was issued from the same root CA (it is the only machine I
have running certificate services).  It says its intended purpose is
"ensures the identity of a remote computer" and says "you have a private key
that corresponds to this certificate".  

What I tried was exporting the cert from the personal store and importing it
into the trusted store.  I wasn't sure if that's what you meant or not.
Anyway, it didn't work.

I'm not sure if I don't have enough grasp of the certificate store concept
or if this is just a very strange problem.  The trusted root certificate
isn't necessary to install ISA, is it?  I don't remember anything about it.
I didn't think any certificates were necessary to start the firewall service
itself.  Policies or web listeners are the only thing that came to mind as
something that would look for a certificate.  I just tried deleting all of
the policies I created and the one web listener, rebooted the server, and
still the same errors.

I think I'm about ready to punt.

Jeff
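
A scripted version of the store checks discussed in this thread, added here as an example and not something either participant posted: it lists every certificate in the local machine Personal store with its private-key, expiry and chain status, then flags anything in Trusted Root Certification Authorities that is not a self-signed CA certificate. It assumes PowerShell is available on the server and that revocation checking can be skipped.

```powershell
# Added example: audit the two local machine certificate stores discussed above.
# Run from an elevated prompt on the server.
$now = Get-Date

# Personal (My) store: the server certificates a web listener can be bound to.
$personal = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: no revocation lookups, so the check also works without CRL access.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)   # $false if the path to a trusted root is broken
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        Expired       = ($cert.NotAfter -lt $now)
        ChainOk       = $chainOk
        ChainStatus   = $status
    }
}
$personal | Format-List Subject, Thumbprint, HasPrivateKey, Expired, ChainOk, ChainStatus

# Trusted Root store: should hold only self-signed CA certificates.
# A server (leaf) certificate imported here by mistake has Subject -ne Issuer.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer } |
    Format-List Subject, Issuer, Thumbprint
```

The two error codes in the event log quoted further down, -2146885628 and 0x80092004, are the same value (CRYPT_E_NOT_FOUND, "cannot find object or property") in signed decimal and in hex.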

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, October 27, 2005 1:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 firewall won't start anymore

http://www.ISAserver.org

Hi Jeff,

Try installing the CA certificate again. Export it from the Web site
certificate you're using and put the CA cert in the Trusted Root
Certification Authorities store for the machine account.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Thursday, October 27, 2005 11:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA 2004 firewall won't start anymore
> 
> How true!  I thought I had a fairly good idea of what I was doing 
> until it broke.  I'd like to believe it is a software bug, but figured 
> something I did was more likely since I'm still learning this.
> 
> I have a certificate for the OWA web listener in the personal store.  
> The path looks OK and it says the certificate is OK.  Deleting the web 
> listener and firewall policy didn't correct the problem which made me 
> think that it was looking for another certificate somewhere?  The only 
> place I recall configuring a certificate was for the web listeners.
> 
> Jeff
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, October 27, 2005 11:57 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA 2004 firewall won't start anymore
> 
> Hi Jeff,
> 
> Not being sure is the most common reason for things happening that 
> we're not sure why they happened :)
> 
> I know, because I'm not sure what I'm doing at least half of the time.
> And once I'm sure, I've moved on to something else that I'm not sure 
> what I'm doing. Living a life of uncertainty can get unnerving, but I 
> wouldn't trade it for the alternative :)
> 
> Open the Certificates MMC and check what certs are installed in the 
> machine's Personal certificate store. Double click on the Web site 
> certs in the right pane of the console and check the cert path.
> 
> HTH,
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > Sent: Thursday, October 27, 2005 9:26 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA 2004 firewall won't start anymore
> > 
> > I must confess, I'm not sure.  In hindsight, I wish I'd made notes of
> > exactly what I did when, but I didn't think I did anything worth 
> > noting while I was doing it... ;-)
> > 
> > I did have a couple of web listeners I deleted that I wasn't using, 
> > but I didn't think that should cause this error.
> > 
> > I do have a certificate from my domain CA in the cert store and one 
> > for the web listener.
> > 
> > I could wipe the box and reinstall since I don't have it in 
> > production, but I'd like to know what is wrong to better understand 
> > how all of this works.
> > I haven't messed with this stuff since Proxy 2.0; things have changed
> > quite a bit.
> > 
> > Jeff
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Thursday, October 27, 2005 10:12 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA 2004 firewall won't start anymore
> > 
> > Wow Jeff. That's a good one. How'd you do that?
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > Sent: Thursday, October 27, 2005 9:06 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] ISA 2004 firewall won't start anymore
> > > 
> > > Yesterday I finally got OWA publishing through ISA and immediately
> > > managed to break it somehow. After restarting the ISA services I got
> > > these errors in the event log
> > > 
> > > 14177
> > > Some certificates cannot be initialized (error code -2146885628). The
> > > Web Proxy filter could not initialize. Check that all certificates
> > > used by the Web Proxy filter are valid.
> > > 
> > > 14060
> > > Cannot load an application filter Web Proxy Filter 
> > > ({4CB7513E-220E-4C20-815A-B67BAA295FF4}). FilterInit failed with code
> > > 0x80092004. To attempt to activate this application filter again, stop
> > > and restart the Firewall service.
> > > 
> > > 14001
> > > Firewall Service failed to initialize. Previous event log entries 
> > > might help determine the proper action.
> > > 
> > > Eventid.net didn't have anything useful, and the only reference I 
> > > found at 
> > > http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=19;t=000394
> > > had no resolution. I have not done an export or anything. 
> > > 
> > > How can I tell which certificates are used by the web proxy filter as
> > > the message in 14177 suggests?
> > > 
> > > Jeff
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > 