Wildcard Certificates and ISA 2004 Warning

After spending some 10 or so hours chasing completely the wrong issue with ISA Server, I thought I might save others from this fate.
The long and short of it is that if you wish to use wildcard certificates with ISA Server 2004, you need to know that using them on your internal networks is not supported. This is apparently by design. However, if you do (or already have), you will not get any simple log entry stating this, but the ever-present error

Error Code:500 Internal Server Error. The target principal name is incorrect (-2146893022)

returned to your browser, and a fairly useless log entry in ISA itself, simply stating the same as above.
As I was trying to do HTTPS-to-HTTPS bridging using the same wildcard certificate to an internal Apache server, the Apache server also gave errors in its log that threw me in the wrong direction.
Errors such as

[20/Nov/2006 10:43:00 02040] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[20/Nov/2006 10:43:00 02040] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]

in the ssl_engine_log. When you google this you start to come up with lots of worm-associated fixes etc. The real reason is that ISA Server will attempt to connect over plain HTTP when the HTTPS connection fails, so Apache sees cleartext HTTP arriving on its TLS port.
The long and short of this is that you need to use a single-host certificate for internal servers, or do HTTPS-to-HTTP bridging. This ‘feature’ is apparently no longer the case in ISA 2006!
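The two Apache log lines quoted above are the signature worth recognising: a client that sends plain HTTP to the TLS listener right after a failed handshake. The following triage script is an added example, not part of the original post; it parses ssl_engine_log lines of the format shown above (the sample lines are constructed to match that shape), counts the "HTTP spoken on HTTPS port" signature per Apache child process, and reminds the reader to check the connecting proxy's certificate validation (for example a wildcard certificate on the internal leg) before treating the noise as worm traffic. The regular expression and the verdict text are this example's own assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed sample log, shaped like the ssl_engine_log lines quoted in the post.
SAMPLE_LOG = """\
[20/Nov/2006 10:43:00 02040] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[20/Nov/2006 10:43:00 02040] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[20/Nov/2006 10:43:05 02041] [info] Connection to child 3 established (server www.example.com:443)
[20/Nov/2006 10:43:05 02041] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
"""

# Assumed line layout: "[timestamp pid] [level] message" (as in the post's log excerpt).
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+?) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")

# Substrings that identify cleartext HTTP arriving on the TLS port.
PLAINTEXT_ON_TLS = ("HTTP spoken on HTTPS port", "speaking HTTP to HTTPS port")

VERDICT_PROXY_FALLBACK = (
    "A client sent cleartext HTTP to the TLS listener. If that client is a reverse proxy "
    "bridging HTTPS to HTTPS (e.g. ISA 2004), check that it accepts this server's certificate "
    "(wildcard names are not supported on its internal leg) before treating this as scanner noise."
)


class Entry(NamedTuple):
    ts: str
    pid: int
    level: str
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Return a structured entry for one ssl_engine_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m.group("ts"), int(m.group("pid")), m.group("level"), m.group("msg"))


def classify(entry: Entry) -> str:
    """Label an entry as the plaintext-on-TLS signature or as something else."""
    if any(sig in entry.msg for sig in PLAINTEXT_ON_TLS):
        return "plaintext_http_on_tls_port"
    return "other"


def triage(log_text: str) -> Dict[str, object]:
    """Count the signature per category and per Apache child pid, and attach a verdict."""
    entries: List[Entry] = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    counts = Counter(classify(e) for e in entries)
    pids = sorted({e.pid for e in entries if classify(e) == "plaintext_http_on_tls_port"})
    verdict = VERDICT_PROXY_FALLBACK if pids else "No cleartext-on-TLS signature found."
    return {"counts": dict(counts), "pids_with_plaintext": pids, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"])
    print("child pids affected:", result["pids_with_plaintext"])
    print(result["verdict"])
```

Run it against a real ssl_engine_log by passing the file's contents to `triage()`; a burst of the signature from the pids that serve the proxy's connections, rather than scattered one-off hits, is the pattern this post describes.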
