Yes, but it was an inadvertent lie. I didn't realize I had to bind the right cert to the default website. Didn't really know how to do it either. But I did figure it out. :)

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA GM
Sent: Friday, May 20, 2011 1:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Certificate Problem

So you lied to me ;-) You weren't using the same certificate. Good that you found it.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Friday, May 20, 2011 1:22 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Certificate Problem

Looks like I got this one licked. The internal server hosting the RD Web Access role had its own internal certificate bound to the website. As soon as I changed the binding to the commercial certificate, all the errors went away. I'm not too familiar with IIS, so didn't figure that one out right away.

Thanks,
Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, May 20, 2011 10:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Certificate Problem

Jerry has it right - you have to ensure that the entire trust chain is found in the TMG server local computer trusted root and intermediate stores as appropriate.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Thursday, May 19, 2011 10:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Certificate Problem

Yep.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA GM
Sent: Thursday, May 19, 2011 12:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Certificate Problem

R u using the same cert on TMG and the internal server?

Thanks
Diego
Having fun in Tech-Ed Atlanta!
Sent from my Windows Phone
________________________________
From: Rob Moore
Sent: Thursday, May 19, 2011 11:45 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Certificate Problem

Yeah, that's how I did it - in the Computer certificate store. Thanks for the idea, though.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Thursday, May 19, 2011 11:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Certificate Problem

Make sure the root and intermediary certificates are installed in the Computer certificate stores, not the User certificate stores.

The error is caused by some certificate in the chain not being installed on the server correctly.

On Thu, May 19, 2011 at 11:06 AM, Rob Moore <RMoore@xxxxxxxx> wrote:

Hello All-

Has anyone run into this particular problem before? I'm trying to publish an RD Web Access site using TMG. I've configured RD Web Access on an internal server and it works internally. (Although when connecting to it I get a certificate error. I can connect anyway.) I can't connect to it externally, though. I get this error:

"The certificate chain was issued by an authority that is not trusted. (-2146893019)"

I've tried buying a new cert (from Go Daddy). I followed the certificate installation instructions to the letter, including installation of the intermediate certificate, on both the TMG server and the internal server that is hosting the RD Web Access site. But when I do "Test Rule" on this rule, it tells me:

"0x80090325 - The certificate chain was issued by an authority that is not trusted."

It suggests I see http://go.microsoft.com/fwlink/?LinkId=115965. All that says, though, is that I need to "Import the CA certificate." I thought putting in the intermediate certificate did just that. I have four other Go Daddy certs on the TMG server and they all work normally.

I've Googled these errors and mostly found the same advice, to install the CA certificate. Any hints? Should I talk to the Go Daddy folks?

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC

--
Cordially yours,
Jerry G. Young II, CISSP
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com
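
A diagnostic for the two causes discussed in this thread (a chain element missing from the Computer stores, and an unexpected certificate bound to the website), added here as an example that is not from any of the posters. It fetches the certificate a server actually presents and builds its chain in the local computer context; the function name and the host name in the last line are hypothetical.

```powershell
# Added example, not from the thread. Get-ServedCertificateChain is a hypothetical name.
function Get-ServedCertificateChain {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Diagnostic only: accept whatever is presented so the handshake
        # completes and the certificate can be inspected afterwards.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # $true = build the chain in the local computer context.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($served)

    # For every certificate the chain engine resolved, list the stores holding it.
    $stores = 'LocalMachine\Root', 'LocalMachine\CA', 'CurrentUser\Root', 'CurrentUser\CA'
    $elements = foreach ($e in $chain.ChainElements) {
        $thumb = $e.Certificate.Thumbprint
        [pscustomobject]@{
            Subject = $e.Certificate.Subject
            FoundIn = ($stores | Where-Object { Test-Path "Cert:\$_\$thumb" }) -join ', '
        }
    }
    [pscustomobject]@{
        ServedSubject = $served.Subject
        ServedIssuer  = $served.Issuer
        Thumbprint    = $served.Thumbprint
        ChainTrusted  = $trusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Elements      = $elements
    }
}

# Placeholder host name; substitute the internal server being published.
Get-ServedCertificateChain -HostName 'rdweb.example.internal' | Format-List
```

A ServedIssuer that names an internal CA rather than the commercial one means the site is bound to a different certificate than expected; a ChainStatus of PartialChain or UntrustedRoot means an issuer could not be resolved to a trusted root from the computer context.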