[isalist] Re: CA

  • From: "Ruba Al-Omari" <romari@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Sun, 9 Jul 2006 17:39:30 +0300


Thanks Jim, I placed the certificate in the trusted root certificate authority, still the same error (same error but different reason I guess)

If I do the wizard Secure Web Server Publishing (Secure connection to
clients only) it works fine, if I do Secure Web Server Publishing (Secure
connection to clients and web server), it doesn't work and I get the
(-2146893019) error, I have seen this reply on the forum
http://forums.isaserver.org/m_60244600/tm.htm which seems logical, but
since it's not mentioned anywhere in Tom's articles when publishing
OWA, does it apply to OWA? because I couldn't get OWA to work with the
secure connection to clients AND webserver and I wonder if this was the
reason?

In my case I am using 2 certificates from one CA: one is a wildcard certificate
and the other is for the web server, so it should work, 1 certificate
(wildcard) between clients and ISA, and the other certificate (webserver
cert) between the ISA and the webserver, it's not working with error
(-2146893019), any ideas?

For troubleshooting I want to publish one (not multiple) secure web site
with one listener but with secure connection to clients and to web server,
one certificate will be installed at the webserver and imported to the ISA
and will be used between the webserver and ISA, but the other certificate to
be used between ISA and clients will be installed at the ISA too, but to
which server should it be obtained?

Thanks,
r.


  "Hello,

I am assuming that you fixed this problem several months ago, but I am
replying for everyone else who is having the same problem.

I have had the same problem in the past and it took me a while to figure
out why it was. What I didn't realise was that if you have encryption
between the isaserver and the client and also the isaserver and the internal
server you are trying to access, is that you require two certificates but
they must be from the same certificate authority. I had two certificates but
one from external source and another from internal CA.

Hope this clears it up for a few people getting this error.

Thanks
Richard"


------------------------------

*From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
*On Behalf Of *Jim Harrison
*Sent:* Saturday, July 08, 2006 5:38 PM
*To:* isalist@xxxxxxxxxxxxx
*Subject:* RE: [isalist] Re: CA



This is because you don't have the issuing CA cert in the ISA machine
trusted root store.


------------------------------

*From:* isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
*Sent:* Sat 7/8/2006 3:34 AM
*To:* isalist@xxxxxxxxxxxxx
*Subject:* [isalist] Re: CA

Thanks Jim, I fixed the name, now I am receiving this error:



Error Code: 500 Internal Server Error. The certificate chain was issued by
an untrusted authority. (-2146893019)


Even though the IE is 6 sp2, I know the certificate is not from a trusted authority (because I made it a test certificate), and I saw a reply from Thomas to someone that the IE won't issue a 500 error, now it's issuing, any advice?

Thanks,

r.


On 7/5/06, *Jim Harrison* <Jim@xxxxxxxxxxxx> wrote:

That's not what the error message is telling you.
What it's saying is that the common name in the certificate does not match
the destination hostname specified in the publishing rule.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
Sent: Wed 7/5/2006 9:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: CA


I checked the certificate installed on the webserver and the one on the ISA and they match, what else should I check?

Also, if I install a third NIC on the ISA that belongs to the DMZ (that the
second NIC belongs to) and create a second weblistener there, will that
work? I have available public IPs on the "hardware" firewall (and wildcard
certificates are quite expensive.)

One last thing, does the ISA publish an Apache server?

Thanks,
r.

On 7/5/06, Jim Harrison < Jim@xxxxxxxxxxxx> wrote:

       That error tells you that they don't match between the ISA and the
published server.

       ________________________________

       From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ruba Al-Omari
       Sent: Wed 7/5/2006 4:06 AM
       To: isalist@xxxxxxxxxxxxx
       Subject: [isalist] CA


I am doing this testing CA, I followed the article from Dr. Tom (Publishing 2 websites with the same web listener), the OWA is working ok, it listens to the wildcard certificate and redirects to the webmail certificate, but the other site, it listens to the wildcard certificate, then gets me the outlook FBA logon screen (which I don't like, but I will check it later), then after authentication I receive the error:

       *       Error Code: 500 Internal Server Error. The target principal
name is incorrect. (-2146893022)

       I am sure the name on the certificate is the same name at the
public DNS and internal DNS and publishing rule, any advice?

       Thanks,
       r.

       All mail to and from this domain is GFI-scanned.






All mail to and from this domain is GFI-scanned.
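
The two error codes quoted in this thread, as an added example that is not part of any poster's message: the signed decimals are 32-bit HRESULTs, and the sketch below decodes them and models the two checks Jim describes for the ISA-to-web-server leg (name against the publishing rule, issuing CA against the ISA machine's trusted roots). Host names, CA names, the function names and the order of the two checks (taken from the order in which the errors appeared in the thread) are assumptions for illustration.

```python
# Added example: simplified model with constructed names, not ISA Server code.
SSPI_NAMES = {
    0x80090322: "SEC_E_WRONG_PRINCIPAL",  # "The target principal name is incorrect."
    0x80090325: "SEC_E_UNTRUSTED_ROOT",   # "...issued by an untrusted authority."
}

def decode_hresult(signed):
    """Split the signed decimal from the ISA error page into HRESULT fields."""
    u = signed & 0xFFFFFFFF              # reinterpret as unsigned 32-bit
    return {"hex": f"0x{u:08X}",
            "failure": bool(u >> 31),    # severity bit
            "facility": (u >> 16) & 0x7FF,  # 9 = FACILITY_SSPI
            "code": u & 0xFFFF,
            "name": SSPI_NAMES.get(u, "unknown")}

def name_matches(cert_name, host):
    """Case-insensitive match; a leading '*' covers exactly one label."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    if len(c) != len(h):
        return False
    return c[1:] == h[1:] if c[0] == "*" else c == h

def bridging_error(rule_to_host, cert_names, chain_root, isa_machine_roots):
    """Signed code expected on the ISA-to-web-server leg, or 0 if both pass."""
    # Check 1: the name in the web server's certificate must match the
    # destination host name entered in the publishing rule.
    if not any(name_matches(n, rule_to_host) for n in cert_names):
        return -2146893022
    # Check 2: the CA that issued the web server's certificate must be in
    # the ISA machine's Trusted Root Certification Authorities store.
    if chain_root not in isa_machine_roots:
        return -2146893019
    return 0

if __name__ == "__main__":
    # Constructed scenario: test CA not yet imported on the ISA machine.
    code = bridging_error("www.example.test", ["www.example.test"],
                          "Constructed Test CA", {"Some Public Root"})
    print(code, decode_hresult(code))
```
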