Unable to publish CAS with ISA 2006 if certificates with subject alternative names are used
I have spent a lot of time trying to publish E2K7 Client Access and Outlook Anywhere with ISA 2006... to finally conclude that ISA 2006 does not handle certificates with subject alternative names on a server to publish. All the documentation for Exchange suggests that one should create a certificate with a bunch of subject alternative names (for NetBIOS name, Autodiscover service etc.). I found that if you do this, then there is NO way you can successfully publish your CAS server using ISA 2006 (includes KB925403). Instead I had to revert back to using a cert with NO subject alternative names to make the publishing work.

The symptoms while attempting to publish E2K7 using a certificate with subject alternative names on the CAS server were as follows:

OWA client would get a "500 Internal Server Error The target principal name is incorrect" error after logging in to the form on the ISA server.

Log file on the publishing rule shows "Failed connection attempt", with HTTP status code 0x80090322.

And the following alert is shown in ISA 2006: "Description: ISA Server could not establish an SSL connection with the published server mail.domain.com on port 443 because the name on the SSL server certificate used by the published server does not match the internal name of the Web server CAS01, as specified in the publishing rule. Verify that the internal name specified in the publishing rule is correct. If the problem persists contact the Web server administrator"

And the following event message is logged on the array member:

Event Type: Error
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 23403
Date: 1/27/2007
Time: 10:34:10 PM
User: N/A
Computer: ISA01
Description: ISA Server could not establish an SSL connection with the published server mail.domain.com on port 443 because the name on the SSL server certificate used by the published server does not match the internal name of the Web server CAS01, as specified in the publishing rule. Verify that the internal name specified in the publishing rule is correct. If the problem persists contact the Web server administrator

Now one would think that this is an obvious thing, however I have checked and double-checked the certificate on my CAS server... It has a private key, it is issued to (CN=) mail.domain.com, and has a number of Subject Alternative Names: CAS01, CAS01.internal.com, autodiscover.domain.com, exchange.domain.com. (Essentially followed instructions from http://technet.microsoft.com/en-us/library/aa995942.aspx and took note of http://technet.microsoft.com/en-us/library/aa995982.aspx.) Also triple-checked the publishing rule, and the "To" tab contains mail.domain.com (NOT CAS01!). Once I replaced the cert on the CAS with one without subject alternative names (just mail.domain.com as CN) the publishing rules worked!

Hopefully the ISA team will fix this soon, as many others will run into this same issue.

Andre.
January 29th, 2007 2:34am

Am I the only one running into this ?
February 5th, 2007 12:07am

We are working fine with Subject Alternative Names and ISA 2006. I will check with our ISA administrator and get back with configuration details.
March 15th, 2007 9:13am

Same problem on French Version ISA 2006 & E2007 CAS
March 15th, 2007 11:28am

I finally figured it out. On closer inspection the certificate that was generated with the new-exchangecertificate cmdlet had a yellow exclamation mark icon in front of the subject alternative name in the details tab. So the cause in my case was a bad certificate, and not ISA's fault; I suspect a glitch in the new-exchangecertificate cmdlet is the root cause. I did the following to resolve it:

1) Instead of using the new-exchangecertificate cmdlet, I used the web interface to my CA and entered the following in the Attributes field under additional options:
SAN:DNS=commonname.domain.com&DNS=altname1.domain.com&DNS=altname2.domain.com
Note: you need to have executed the following command on your CA in order for the Attributes field to show up in the web interface:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

2) Made sure that the common name is also the first DNS= entry in the SAN.

3) Instead of using one of the alternative names in the publishing rules I used the common name (and let link translation take care of the rest). So for instance don't use autodiscover.domain.com in the "To" tab, but just mail.domain.com, and only use autodiscover.domain.com on the Public Names tab.

G'luck, Andre.
March 15th, 2007 4:14pm

Actually you can create a cert using the Exchange cmdlet to create the certificate, you just need to specify the common name as the FIRST subject alternative name in the request so that ISA sees the first SAN entry correctly. This is all due to a bug in ISA Server where, if a cert is used that has SANs, ISA ignores the CN and instead only looks at the FIRST SAN entry. So, build a cert that has the CN and FIRST SAN entry the same, then followed by the rest of your SAN entries. E.g. what I used to generate my certificate request:

New-ExchangeCertificate -GenerateRequest -SubjectName "DC=vircom, DC=co, DC=uk, O=Vircom, CN=mail.vircom.co.uk" -DomainName mail.vircom.co.uk, smtp.vircom.co.uk, autodiscover.vircom.co.uk, vircom.co.uk, vircom07.vircom.co.uk, vircom07 -FriendlyName "Microsoft Exchange 2007" -Path d:\mail.vircom.co.uk.req

Then in my ISA publishing rules I publish TO mail.vircom.co.uk (the first SAN) and all the rest of the Exchange services run off either mail.vircom.co.uk (configured as the External host in Exchange) or vircom07.vircom.co.uk (configured as the Internal host in Exchange). Outlook 2007 is also able to connect to the address book service over HTTPS OK as the server's host name is in the certificate too (Vircom07). My cert on the outside of ISA is from a public CA that has no SANs configured.
April 8th, 2007 12:04am
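The two fixes above (from the CA web enrollment attribute and from the New-ExchangeCertificate request) both come down to the same rule: the common name must be the first DNS entry in the SAN, because the reported ISA 2006 behaviour is to match the publishing rule's "To" name against the first SAN entry only. The script below is an added example, not code from any poster in this thread. It builds the request with the CN first in -DomainName, and then, once the issued certificate has been imported, checks the SAN order on the certificate with the .NET X509 classes so the mismatch is caught before the publishing rule is tested. The host names, the request path and the Test-FirstSanMatchesCN function name are placeholders and assumptions of this example.

```powershell
# Added example: Exchange Management Shell (Exchange 2007) on the CAS server.
# Placeholder names; replace with the name the ISA rule publishes TO and the
# additional names the CAS needs (Autodiscover, internal FQDN, NetBIOS name).
$commonName = "mail.domain.com"
$altNames   = @("autodiscover.domain.com", "CAS01.internal.com", "CAS01")

# Step 1: put the common name FIRST in -DomainName so it becomes the first
# SAN entry of the request (ISA 2006 reads only that entry when SANs exist).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$commonName" `
    -DomainName (@($commonName) + $altNames) `
    -FriendlyName "Exchange 2007 CAS" `
    -Path "C:\certreq\$commonName.req"

# Step 2 (after the CA has issued the certificate and it has been imported):
# verify that the first DNS entry of the SAN extension equals the CN.
function Test-FirstSanMatchesCN {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # 2.5.29.17 is the Subject Alternative Name extension OID.
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $sanExt) {
        return $true    # no SAN at all: ISA falls back to the CN, nothing to check
    }

    # Format($true) renders one entry per line, e.g. "DNS Name=mail.domain.com".
    $lines = $sanExt.Format($true).Split([char[]]("`r", "`n"),
        [System.StringSplitOptions]::RemoveEmptyEntries)
    $firstDns = $lines | Where-Object { $_ -like "DNS Name=*" } | Select-Object -First 1
    if (-not $firstDns) {
        return $false   # SAN present but without any DNS entry: ISA has nothing to match
    }
    $firstDns = $firstDns -replace "^DNS Name=", ""
    return ($firstDns -eq $cn)
}

# Report every certificate in the machine store that carries our CN.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$commonName*" } |
    ForEach-Object {
        $ok = Test-FirstSanMatchesCN -Cert $_
        "{0}  thumbprint {1}  first SAN matches CN: {2}" -f $_.Subject, $_.Thumbprint, $ok
    }
```

A certificate that reports "first SAN matches CN: False" is the case described in this thread: the ISA rule's "To" name (the CN) is not the first SAN entry, so ISA logs event 23403 and the failed connection attempt even though the name is present elsewhere in the certificate. Re-issue the request with the CN first rather than changing the publishing rule to point at one of the other names.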

Will this also work if your certificate is issued by an external CA (Thawte, VeriSign, etc.)? I'm really struggling with this configuration. I can make RPC over HTTP work from either inside or outside the network but not both.
April 16th, 2007 4:58am

I don't agree... We are working fine BUT the first DNS name in the SAN MUST be the same as the CN... Just tested it... As for the yellow mark, this is not an issue... HTH
April 16th, 2007 3:13pm

The multiple subject alternative names work great internally. You can use RPC over HTTP directly to the Exchange CAS server and use OWA with no certificate warnings. However, even though publishing OWA with ISA Server works fine, ActiveSync and RPC over HTTP seem to be impossible. Is anyone publishing ActiveSync and RPC, or "Anywhere" as they call it now? If so, are you using a single listener or multiple listeners, and is it using forms auth with fallback to basic for devices that don't support forms? Also, is autodiscover.domain.com published separately with a separate listener, or is it just part of the RPC publishing rule since the path includes autodiscover/*?
April 19th, 2007 7:10am

Isabel, I've got OWA and ActiveSync published (2 separate rules) with the same listener. The listener has FBA (HTML Form Authentication) and "require all users to authenticate" unchecked. Both rules have Basic authentication delegation. It seems to be working fine, and mobile users can use ActiveSync, and OWA works like a charm. I have also published Anywhere, but am using a different listener for that. Are you using a public or private cert on ISA? Both ActiveSync and RPC over HTTP need to trust the CA used to issue the cert or else they will NOT work. Otherwise share some symptoms that you are experiencing so we might point you in the right direction. Andre.
April 19th, 2007 7:27pm

Hi everyone,

I'm a little bit confused about the practice of configuring the certificate for use on E2k7 and ISA 2006, and this for all types of services such as SMTP, ActiveSync, OWA, Autodiscover and Outlook Anywhere.

Our concerns: Is it possible at all today to buy a certificate issued from an external CA, say from one of Microsoft's recommended authorities:
Entrust http://www.entrust.net/microsoft/
Comodo http://www.comodo.com/msexchange
DigiCert http://www.digicert.com/unified-communications-ssl-tls.htm
and then deploy the issued certificate (which we have prepared from the CAS server using the cmdlet) to both the E2k7 servers and then for external use on the ISA 2006? Can we issue a certificate at all to ISA 2006 that consists of several names (SANs), or are we forced to spend a lot of money buying separate certificates to use both internally on the E2k7 server (trusted authorities) and on the ISA 2006 to support all of the services above? It would be great if there is any white paper or clarification from Microsoft about this; it would be very appreciated for us who implement these solutions and for the customers who pay for them.

We are looking at a certificate from Entrust (a certificate authority that MS recommends for E2K7, capable of handling X.509 certification) where we can issue 10 names to the SAN list (since our internal domain differs from the external one this is a great solution, see http://support.microsoft.com/Default.aspx?id=929395). We have done some E2K7 solutions at customers where we don't use ISA, letting SSL traffic through the external firewall to the CAS server, and it all works fine with that type of certificate regarding OWA, Outlook Anywhere, Exchange ActiveSync, Autodiscover and SMTP. But of course we want to secure these connections further with Microsoft's recommendation of adding an ISA 2006 to the E2K7 solutions.

Because we want to secure all these published services using ISA 2006, the question still is whether we today have to buy several certificates issued from external CAs to add to the ISA 2006 externally to provide full support for all these services. Let's say we buy a certificate that has the name "mail.mydomain.com" and use this for OWA, OAW, EAS and SMTP, and then buy another for "autodiscover.mydomain.com"; we then also use our purchased Entrust SAN certificate internally on our E2k7 server. Is this a recommended and preferred solution for this type of E2k7/ISA setup? Will there soon be a fix for ISA 2006 to enable handling of SAN certificates, i.e. X.509 certification?

Thanks in advance for any answer,
Kr, Richard
May 15th, 2007 9:04am

I have everything working now except RPC. I gave 3 IP addresses to the Hub servers and created three websites. (By the way, don't use Server Farms. By using server farms ISA seemed to send requests in using servername.domain.com instead of the desired and specified owa.domain.com for which the servers had certificates.)

IIS site 1 = Servername - This site has certificate servername.domain.com and the only virtual directory is Autodiscover, used for internal network autodiscover.domain.com. Works great. NO ISA publishing here. Autodiscover was created using the Exchange Management Shell. This site is on the primary IP address of the server and uses servername.domain.com because Active Directory gives out the server name to Outlook clients on the network.

IIS site 2 = Autodiscover - This site has certificate autodiscover.domain.com and the only virtual directory is Autodiscover, used for external network Autodiscover functionality and published on ISA using its own listener and web server publishing rule for autodiscover.domain.com, using HTTP basic authentication and delegating basic authentication. Autodiscover was created using the Exchange Management Shell.

IIS site 3 = Default Site - This is the default for OWA, RPC, ActiveSync and Autodiscover, but I removed Autodiscover from here using the Exchange Management Shell. This site has certificate owa.domain.com and is published via ISA. Four ISA publishing rules, all with a single forms authentication listener on a single IP with owa.domain.com.
Rules 1 & 2 publish OWA using basic delegation and NTLM delegation as outlined in appendix D of http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx
Rule 3 publishes ActiveSync using basic delegation. (Note: phones need to install the CA cert chain to trusted roots if the certificate is not from a public authority. Easy on Mobile 2003 devices, but see this link for Mobile 5 devices: http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_d.mspx)
Rule 4 publishes RPC or Outlook Anywhere. NTLM auth did not seem to work, so I changed to Basic on the Hub servers, and since forms should fall back to basic on ISA 2006 if needed, I also delegated basic authentication. This seems to work and the Outlook connection status shows connected for Type Mail and Type Public Folders, but usually hangs and shows status "connecting" for Type Directory. ISA shows Failed Connection Attempt for RPC_OUT_DATA http://owa.domain.com/rpc/rpcproxy.dll?servername.domain.com:6001, sometimes 6002 and sometimes 6004. I may try a separate publishing rule for RPC soon using just basic and no forms.
May 26th, 2007 2:13am

Hi guys, have you had any chance to fix the RPC problem? I do have the rpcproxy error on ISA 2006 publishing Outlook Anywhere from my CAS 2007: RPC_OUT_DATA http://owa.domain.com/rpc/rpcproxy.dll?servername.domain.com:6001 and 6002 and 6004. Your help is much appreciated. Julien
July 1st, 2008 6:41am
