Error message in SecureNAT clients after you configure a Web chaining rule to forward HTTP as HTTPS in ISA Server 2006 or ISA Server 2004: "The target principal name is incorrect"


Symptoms

After you configure a Web chaining rule in Microsoft Internet Security and Acceleration (ISA) Server 2006 or Microsoft Internet Security and Acceleration (ISA) Server 2004, certain clients receive the following error message when they try to connect to the destination Web site:
Error Code: 500 Internal Server Error.

The target principal name is incorrect. (-2146893022).

You experience this problem if the following conditions are true:
  • You configure the Web chaining rule to forward HTTP traffic as HTTPS traffic.

    Note This configuration is known as forward SSL bridging.
  • The client computers are configured as SecureNAT clients.


Cause

The ISA Server Web Proxy filter verifies that the requested host name matches the common name (CN) that is specified on the SSL certificate from the destination Web server. The Web Proxy filter incorrectly verifies only the host name information that it retrieves from the URL. The Web Proxy filter does not examine the Host header field of the particular request.

This problem occurs because a SecureNAT client makes a request to an IP address. When the Web Proxy filter creates the proxy format URL, the Web Proxy filter uses the destination IP address information and not the Host header information in this request. In this situation, the certificate verification operation fails because the Web Proxy filter compares the IP address to the common name of the SSL certificate.


Resolution

To resolve this problem, obtain the latest ISA Server Service Pack that is mentioned in the following Microsoft Knowledge Base articles:
954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack
891024 How to obtain the latest ISA Server 2004 service pack


Workaround

To work around this problem, configure the client computer as a Web proxy client of the ISA Server computer. Then, the Web Proxy filter receives the correct URL in the request. Therefore, if the fully qualified domain name that is specified in the request matches the common name of the certificate, the certificate verification operation is successful.
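
The following added example (not ISA Server code and not part of the original article) models the name check described in the Cause and Workaround sections: the same certificate fails for a SecureNAT request and passes for a Web proxy client request. The request dictionaries, function names, IP address and host names are constructed for illustration, and the `consult_host_header` fallback is an assumption about what a corrected check looks like.

```python
# Added illustration; not ISA Server code. All names and sample values are constructed.
import ipaddress

SEC_E_WRONG_PRINCIPAL = -2146893022  # error code quoted in the article (0x80090322)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_for_cert_check(request, consult_host_header):
    """Pick the name that will be compared with the certificate CN."""
    url_host = request["url_host"]
    # SecureNAT traffic is intercepted, so the proxy-format URL is built
    # from the destination IP address of the connection.
    # Assumed corrected behaviour: fall back to the Host header in that case.
    if consult_host_header and is_ip_literal(url_host) and request.get("host_header"):
        return request["host_header"].split(":")[0]
    return url_host

def cn_matches(name, cn):
    """Case-insensitive CN comparison with a single left-most wildcard label."""
    name, cn = name.lower().rstrip("."), cn.lower().rstrip(".")
    if cn.startswith("*."):
        return "." in name and name.split(".", 1)[1] == cn[2:]
    return name == cn

def bridge_result(request, cert_cn, consult_host_header=False):
    """Return (HTTP status, detail code) for the upstream HTTPS leg."""
    name = name_for_cert_check(request, consult_host_header)
    if cn_matches(name, cert_cn):
        return 200, 0
    return 500, SEC_E_WRONG_PRINCIPAL

CERT_CN = "www.example.com"  # constructed certificate common name
# SecureNAT client: URL host is the destination IP, Host header carries the name.
securenat = {"url_host": "192.0.2.10", "host_header": "www.example.com"}
# Web proxy client: the request already carries the fully qualified domain name.
web_proxy = {"url_host": "www.example.com", "host_header": "www.example.com"}

if __name__ == "__main__":
    print("SecureNAT, URL host only :", bridge_result(securenat, CERT_CN))
    print("Web proxy client         :", bridge_result(web_proxy, CERT_CN))
    print("SecureNAT, Host consulted:", bridge_result(securenat, CERT_CN, True))
```

When the code is shown in hexadecimal, the same failure appears as 0x80090322 (SEC_E_WRONG_PRINCIPAL).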


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


References

For more information about how to install ISA Server hotfixes and updates, click the following article number to view the article in the Microsoft Knowledge Base:
885957 How to install ISA Server hotfixes and updates


Keywords: kbarchive, kbtshoot, kbfirewall, kbfix, kberrmsg, kbbug, kbprb, kbnosurvey, KB923318

Article Info
Article ID : 923318
Revision : 3
Created on : 1/16/2015
Published on : 1/16/2015