Just to add - Target Principal Name errors usually indicate that the CN in the certificate installed on the Exchange server does not match the name being used by ISA Server to connect to the Exchange server. It's the same error you get in your browser when you go to a site and the FQDN doesn't match the name in the certificate.
Cheers
Ken

> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 22 June 2008 10:37 AM
> To: NT System Admin Issues
> Subject: RE: OWA 2003 wildcard cert and isa 2006
>
> As I mentioned in my previous posts, what are the actual names of your servers
> and what's in the CN field of each certificate?
>
> External User ---> (1) ISA Server ---> (2) Exchange
>
> Your public mail server name (owa.domain.com) would point to the external
> interface of ISA Server (1). The certificate installed on ISA Server would
> then need to be *.domain.com
>
> ISA Server then needs to bridge the SSL connection to Exchange. You need to
> tell Exchange how it connects to Exchange (e.g. exchange.domain.local). The
> certificate installed on Exchange must have the CN field set to
> "exchange.domain.local"
>
> As for untrusted StartCom certs - did you install the entire certificate
> hierarchy into the server hosting IIS?
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: Glen Johnson [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, 22 June 2008 12:15 AM
> > To: NT System Admin Issues
> > Subject: RE: OWA 2003 wildcard cert and isa 2006
> >
> > Ken.
> > Here is the status.
> > Wildcard cert on the ISA and standard StartCom cert on exchange and it works
> > both internally and externally, although obviously internal users get prompted
> > that the cert is not trusted.
> > Wildcard cert on both ISA and exchange and I get this error from external.
> >
> > * Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)
> >
> > Internal, not going through the ISA server, it works with the wildcard cert on
> > exchange.
> >
> > I can live with the StartCom cert on exchange and wildcard cert on ISA as most
> > people that have complained about the cert not being trusted are external
> > users anyway.
> >
> > Thanks for any advice.
> >
> > Glen.
> >
> > ________________________________
> >
> > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> > Sent: Thu 6/19/2008 10:24 PM
> > To: NT System Admin Issues
> > Subject: RE: OWA 2003 wildcard cert and isa 2006
> >
> > Wildcard certs work just fine on ISA Server 2006 (I'm using one myself right
> > now).
> >
> > Service Principal Names (SPNs) have nothing to do with certs per se.
> >
> > What is the exact error you are getting and from where?
> >
> > Cheers
> > Ken
> >
> > > -----Original Message-----
> > > From: Glen Johnson [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, 19 June 2008 9:55 PM
> > > To: NT System Admin Issues
> > > Subject: OWA 2003 wildcard cert and isa 2006
> > >
> > > The subject says it all. We've been successfully running OWA behind ISA
> > > 2006 with a free cert from StartCom but for other reasons we had to
> > > purchase a cert from a more widely trusted authority.
> > > I installed the wildcard cert on the exchange server and tested it
> > > internally and it worked fine.
> > > Exported the cert from exchange and installed it on the ISA box.
> > > Reconfigured the SSL listener to use the new cert but am getting an
> > > error about service principal name when trying to access OWA from
> > > outside the ISA server.
> > > I found several references that this did not work on ISA 2004 and
> > > earlier but is supported on 2006 but no info on what to troubleshoot or
> > > settings to check if it doesn't.
> > > Any suggestions greatly appreciated.
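
The name check behind the "target principal name is incorrect" error, as an added example that is not part of the original thread: each TLS hop in the bridged path is tested against the name the caller actually connects to. The host names are the placeholders used in the thread; the function names and the one-label wildcard rule (the common TLS client behaviour, assumed here) are illustrative.

```python
"""Check each TLS hop of a publishing chain for certificate name mismatches."""


def name_matches(cert_name: str, target: str) -> bool:
    """True if cert_name (a CN or SAN DNS name) covers the target host name.

    Assumed rule: a wildcard is honoured only as the entire leftmost label
    and covers exactly one label, so *.domain.com matches owa.domain.com
    but neither domain.com nor a.b.domain.com.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = target.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_hops(hops):
    """hops: list of (description, name the caller connects to, cert names).

    Returns the hops whose certificate does not cover the connect name;
    an empty list means every hop validates by name.
    """
    failures = []
    for description, connect_name, cert_names in hops:
        if not any(name_matches(n, connect_name) for n in cert_names):
            failures.append((description, connect_name, cert_names))
    return failures


# Constructed sample data using the placeholder names from the thread.
WILDCARD_ON_BOTH = [
    ("client -> ISA listener", "owa.domain.com", ["*.domain.com"]),
    ("ISA -> Exchange (bridged)", "exchange.domain.local", ["*.domain.com"]),
]
MATCHING_BACKEND_CERT = [
    ("client -> ISA listener", "owa.domain.com", ["*.domain.com"]),
    ("ISA -> Exchange (bridged)", "exchange.domain.local", ["exchange.domain.local"]),
]

if __name__ == "__main__":
    for label, hops in [("wildcard on both", WILDCARD_ON_BOTH),
                        ("CN matches internal name", MATCHING_BACKEND_CERT)]:
        bad = check_hops(hops)
        print(label, "->", "OK" if not bad else f"mismatch on: {bad[0][0]}")
```
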
