Henrik Walther Blog

SAN Certificates and ISA Server 2006

Keep this in mind if you are planning to use SAN (subject alternative name) certificates with ISA Server 2006.

ISA Server 2006 checks the first SAN listed in the certificate against
the Internal Site Name specified in the web publishing rule. If there is
no match, the connection fails. ISA only looks at the first SAN: it does
not fall back to the certificate's Subject name even when that name is
correct, and it does not consider any later SAN entries.

Currently, the following workarounds exist for this issue:

1- Change the Internal Site Name on the publishing rule to match the first
name listed in the SAN list.

2- Change the certificate on the web server so that the first SAN listed matches
the Internal Site Name on the publishing rule.

3- Use a certificate on the web server that does not include a SAN.
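Before changing a rule or reissuing a certificate, it helps to see exactly which name ISA Server 2006 is going to compare. The PowerShell below is an added example (not code from the original post, and not anything Microsoft ships); it reads a certificate, pulls the SAN DNS entries in certificate order, and reproduces the check described above: only the first SAN is compared with the Internal Site Name, and the Subject CN matters only when there is no SAN extension at all (workaround 3). The file path, the host names, the function names and the case-insensitive comparison are assumptions made for the example.

```powershell
# Added example, not from the original post. Reproduces the ISA Server 2006
# "first SAN must equal Internal Site Name" check so a certificate can be
# tested before it is put behind a web publishing rule.

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # OID 2.5.29.17 is the Subject Alternative Name extension. Format($false)
    # renders the entries in certificate order, e.g.
    # "DNS Name=host.example.com, DNS Name=sip.example.com" (English Windows).
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) { return $null }   # no SAN extension at all
    $entries = $sanExt.Format($false) -split ',\s*'
    return @($entries |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() })
}

function Test-IsaFirstSan {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$InternalSiteName   # the Internal Site Name on the publishing rule
    )

    $subjectCn = ($Certificate.Subject -split ',\s*' |
        Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $dnsNames = Get-SanDnsNames -Certificate $Certificate

    if ($null -eq $dnsNames) {
        # Workaround 3 case: no SAN, so the Subject CN is what gets compared.
        $ok = $subjectCn -ieq $InternalSiteName
        if ($ok) { $advice = "OK: no SAN extension, Subject CN '$subjectCn' matches." }
        else     { $advice = "MISMATCH: no SAN extension and Subject CN '$subjectCn' is not '$InternalSiteName'." }
        return [pscustomobject]@{ SubjectCN = $subjectCn; FirstSan = $null; AllSans = @()
                                  Wanted = $InternalSiteName; Ok = $ok; Advice = $advice }
    }

    $first = $dnsNames[0]
    $ok = $first -ieq $InternalSiteName   # DNS names compare case-insensitively (assumption)

    if ($ok) {
        $advice = "OK: first SAN '$first' matches the Internal Site Name."
    }
    elseif ($dnsNames -icontains $InternalSiteName) {
        # The name is in the list, just not first; ISA 2006 never gets that far.
        $advice = "MISMATCH: '$InternalSiteName' is in the SAN list but is not the first entry ('$first'). " +
                  "Either set the rule's Internal Site Name to '$first' (workaround 1) " +
                  "or reissue the certificate with '$InternalSiteName' as the first SAN (workaround 2)."
    }
    else {
        $advice = "MISMATCH: first SAN is '$first' and '$InternalSiteName' is not in the SAN list at all. " +
                  "Set the Internal Site Name to '$first' or reissue the certificate."
    }

    return [pscustomobject]@{ SubjectCN = $subjectCn; FirstSan = $first; AllSans = $dnsNames
                              Wanted = $InternalSiteName; Ok = $ok; Advice = $advice }
}

# Usage: load the web server's certificate from an exported file (hypothetical path)
# or, commented out, straight from the local machine store on the web server.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\webserver.cer'
# $cert = Get-ChildItem Cert:\LocalMachine\My |
#     Where-Object { $_.Subject -like 'CN=tap-ocs-2k7*' } | Select-Object -First 1

Test-IsaFirstSan -Certificate $cert -InternalSiteName 'tap-ocs-2k7.ptown.com' | Format-List
```

Run it on the web server (or on any box with the exported .cer) with the Internal Site Name copied from the rule's "To" tab. If the output says the wanted name is present but not first, that is exactly the case the post describes: the certificate is otherwise fine, and only the SAN order (or the rule's Internal Site Name) needs to change. To build a lab certificate with a chosen SAN order on newer Windows versions, `New-SelfSignedCertificate -DnsName 'tap-ocs-2k7.ptown.com','sip.confusedamused.com'` puts the names into the SAN extension in the order given, with the first one also used as the Subject CN.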

Sources tell me that the ISA Server team is working on a hotfix.

5 Responses to “SAN Certificates and ISA Server 2006”

  1. Jim Harrison Says:

    August 29th, 2007 at 12:01 pm

    Feel free to yell at your “sources”.
    No hotfix is currently planned.
    The ISA SE team is investigating the proper fix methodology.
    Watch the ISABlog on this subject for the “real word”.

  2. Henrik Walther Says:

    August 29th, 2007 at 1:29 pm

    That is really bad news… :(

    My sources are actually individuals within MS, but I guess plans have changed then?

  3. Jim Harrison Says:

    August 29th, 2007 at 2:58 pm

    No hotfix plans have “changed”; no hotfix plans ever existed.
    Your sources were “misinformed”.
    Please feel free to send them my way for gentle correcting.

  4. Henrik Walther Says:

    August 30th, 2007 at 11:49 am

    Thanks for clarifying this Jim…

  5. OCS 2007 Installation - Part 2 | Confused Amused Says:

    March 5th, 2008 at 12:41 pm

    […] Note: The reason the first SAN listed must be the same as the subject name is because of how ISA 2006 handles the reverse proxy. If we only left sip.confusedamused.com as the sole SAN entry everything would work fine internally, but we’d run into problems with the reverse proxy later. Since we’ll later tell ISA the internal site name is tap-ocs-2k7.ptown.com, but when it connects it tries to match the subject name to the first SAN listed. When it doesn’t line up ISA throws an Error 500 - Service Principal Name Incorrect. Doing the certificate this way now removes some unnecessary work later. You can read some more about this ISA issue here. […]
