Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

FIX: "Page Cannot Be Displayed" error when you try to access a website that requires a client certificate authentication on a Forefront TMG client in Forefront TMG 2010 if HTTPS Inspection is enabled


View products that this article applies to.

Symptoms

Consider the following scenario:
  • You enable the HTTPS inspection feature in Microsoft Forefront Threat Management Gateway (TMG) 2010.
  • You add a website to the destination exception list for HTTPS inspection.
  • You install and configure Forefront TMG Client on a computer. Or, you configure the computer to use Forefront TMG as the default gateway.
  • You try to access a website that requires a client certificate authentication on the computer.
In this scenario, you cannot access the website, and you receive the following error message:
Page Cannot Be Displayed

↑ Back to the top


Cause

This issue occurs because the host name uses the IP address of the server instead of the URL for the certificate.

↑ Back to the top


Resolution

After you install the following update, Forefront TMG 2010 performs a reverse lookup of the host name and checks the server name for exclusion if the host name is an IP address.

Note If reverse lookup fails, this issue still occurs. If reverse lookup fails, resolve the DNS issue, or add an entry to the Windows hosts file that is located on the Forefront TMG server.

To resolve this issue, follow these steps:
  1. Run the script that is in the following Microsoft Knowledge Base (KB) article:
    982550 FIX: Error message occurs when you try to access a web server that requires a client certificate if HTTPS inspection is enabled in Forefront TMG 2010: "Error Code: 502 Proxy Error. The message received was unexpected or badly formatted. (-2146893018)"
  2. Install the software update that is described in the following Microsoft Knowledge Base (KB) article:
    2498770 Software Update 1 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1

↑ Back to the top


More Information

In a typical scenario, the subject name and the Subject Alternative Name (SAN) extension of a server certificate are used to check the HTTPS inspection exclusion list. If the SSL handshake fails, these names cannot be retrieved. However, a client certificate might be required by the server. Therefore, we use the host name to check the destination exception list for HTTPS inspection if an SSL handshake fails on a specific error. When the host name uses an IP address, an issue that is resolved by the steps in the "Resolution" section occurs.

Note The reverse lookup result of the host name must be in the destination exception list for HTTPS inspection and must be marked as No validation.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top


Keywords: kbqfe, kbfix, kbsurveynew, kbexpertiseinter, kb

↑ Back to the top

Article Info
Article ID : 2501650
Revision : 3
Created on : 11/15/2018
Published on : 11/16/2018
Exists online : False
Views : 268