Comments on: SAN Certificates and ISA Server 2006

by: OCS 2007 Installation - Part 2 | Confused Amused

Wed, 05 Mar 2008 18:41:31 +0000

[…] Note: The reason the first SAN listed must be the same as the subject name is because of how ISA 2006 handles the reverse proxy. If we only left sip.confusedamused.com as the sole SAN entry everything would work fine internally, but we’d run into problems with the reverse proxy later. Since we’ll later tell ISA the internal site name is tap-ocs-2k7.ptown.com, but when it connects it tries to match the subject name to the first SAN listed. When it doesn’t line up ISA throws an Error 500 - Service Principal Name Incorrect. Doing the certificate this way now removes some unnecessary work later. You can read some more about this ISA issue here. […]

by: Henrik Walther

Thu, 30 Aug 2007 17:49:29 +0000

Thanks for clarifying this Jim…

by: Jim Harrison

Wed, 29 Aug 2007 20:58:41 +0000

No hotfix plans have “changed”; no hotfix plans ever existed.
Your sources were “misinformed”.
Please feel free to send them my way for gentle correcting.

by: Henrik Walther

Wed, 29 Aug 2007 19:29:36 +0000

That is really bad news…

My sources are actually individuals within MS, but I guess plans have changed then?

by: Jim Harrison

Wed, 29 Aug 2007 18:01:44 +0000

Feel free to yell at your “sources”.
No hotfix is currently planned.
The ISA SE team is investigating the proper fix methodology.
Watch the ISABlog on this subject for the “real word”.