The target principal name is incorrect. (-2146893022)
Catalano@discussions.microsoft.com John Catalano
OWA. This is the message I recieve:
Error Code: 500 Internal Server Error. The target principal name is
incorrect. (-2146893022)
I have been trying to resolve this issue for days and have not found the
proper solution. Any help would be appreciated.
THan ks,
John
A. Feiner
What does "re-configured" means? reinstalled? restored from backup?
google the phrase "The target principal name is
incorrect. (-2146893022)", there are quite a few answers.
--
A. Feiner
Steven Banks [SBS MVP]
Are you running ISA Server on your SBS box (Premium)? If so, check out the
Microsoft KB at http://support.microsoft.com/kb/841664 (Clients may receive
an "Error Code 500 Internal Server Error" error message when they try to
visit a Web site that you publish by using ISA Server 2006 or ISA Server
2004).
Also check out the M&M's site at
http://www.smallbizserver.net/Default.aspx?tabid=53&forumid=3&postid=12024&view=topic
and see if Mariette's suggestion helps.
Thanks,
Steve
Steven Banks [SBS MVP]
Banks Consulting Northwest Inc.
http://www.banksnw.com
Puget Sound Small Business Server User Group
http://www.pssbs.org
http://msmvps.com/blogs/steveb
"John Catalano" <John Cata...@discussions.microsoft.com> wrote in message
news:2C0EF5F1-4196-45CC...@microsoft.com...
John Catalano
Thanks for your reply, Yes I am running SBS R2 Premium. Tthe prevoius system
admin bye-passed all the install wizards and and did some kind of manual
configuration that I am trying to fix. I have most of the system running now
I just need to get OWA working. I'll read the links and see if that helps. I
have tried many so called "solutions" an none have been successful.
John Catalano
installed the features he wanted. My task was to get small business server
working as it is designed to work. So far none of those posts have helped. I
believe the issue is with the way ISA is viewing the request for the
certificate but I can't seem to find a solution that resolves the issue.
Merv Porter [SBS-MVP]
Download, install, update and run a scan with the SBS 2003 BPA and also the
ISA BPA:
Microsoft Windows Small Business Server 2003 Best Practices Analyzer
http://www.microsoft.com/downloads/details.aspx?familyid=3874527A-DE19-49BB-800F-352F3B6F2922&displaylang=en
Microsoft Internet Security and Acceleration (ISA) Server Best Practices
Analyzer (BPA) Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
In addition, have you re-run CEICW, including enabling the firewall,
selecting your services, re-creating the certificate and then finishing
CEICW without any errors?
--
Merv Porter [SBS-MVP]
============================
"John Catalano" <JohnCa...@discussions.microsoft.com> wrote in message
news:FD010995-6D3D-458E...@microsoft.com...
John Catalano
I was reading about the BPA, I will give these a try. I did re-run the CEICW
a few time but I don't see a change. Is there a way to remove the rules that
were created from the past attempts and start fresh? At this point I have
very confused as to why OWA is not working. By all accounts it should be
working... something is definitely missing.
Merv Porter [SBS-MVP]
2004 configuration, then uninstall it (Add/Remove Programs). I believe ISA
will prompt you to run CEICW to initiate the RRAS firewall for your 2 NIC
SBS system. After that, reinstall ISA 2004 and bring it up to SP3 so you
have a clean ISA configuration. Then re-run CEICW, enable the firewall (to
configure ISA) and finish the rest of CEICW. Then test OWA.
Export, Import, and Backup Functionality in ISA Server 2004
http://technet.microsoft.com/en-us/library/cc302521.aspx
I'm assuming the server was using a self-signed certificate (created by
CEICW) and that OWA was working when you took over the controls.
--
Merv Porter [SBS-MVP]
============================
"John Catalano" <JohnCa...@discussions.microsoft.com> wrote in message
news:3FE3DA90-2D93-4A78...@microsoft.com...
Susan Bradley
> If neither of the BPAs finds any problems, you may want to back up your ISA
> 2004 configuration, then uninstall it (Add/Remove Programs). I believe ISA
> will prompt you to run CEICW to initiate the RRAS firewall for your 2 NIC
> SBS system. After that, reinstall ISA 2004 and bring it up to SP3 so you
> have a clean ISA configuration. Then re-run CEICW, enable the firewall (to
> configure ISA) and finish the rest of CEICW. Then test OWA.
>
> Export, Import, and Backup Functionality in ISA Server 2004
> http://technet.microsoft.com/en-us/library/cc302521.aspx
>
> I'm assuming the server was using a self-signed certificate (created by
> CEICW) and that OWA was working when you took over the controls.
>
need to reexport out the certs to those workstations/clients.
The Official SBS Blog : You Receive a “Target Principal Name is
Incorrect” Certificate Error in Outlook 2007 When Connecting to Either
POP3 or IMAP4 on SBS 2008:
http://blogs.technet.com/sbs/archive/2008/10/17/you-receive-a-target-principal-name-is-incorrect-certificate-error-in-outlook-2007-when-connecting-to-either-pop3-or-imap4-on-sbs-2008.aspx
Miles Li [MSFT]
Hello John,
Thank you for posting here.
According to your description, I understand that:
You receive the error "The target principal name is incorrect" when you
attempt to access the OWA on the SBS server.
If I have misunderstood the problem, please don't hesitate to let me know.
Yes, this issue is related to the ISA 2004 server that publish the OWA on
the SBS server. Please check the following aspects to correct the issue:
Suggestions #1:
=====================
I'd like to know whether the ISA server 2004 have the latest service pack
installed. There is a known issue on the ISA Server 2004 that will prompt
the error when forwarding HTTP as HTTPS.
923318 Error message in SecureNAT clients after you configure a
Web chaining rule to forward HTTP as HTTPS in ISA Server 2004: "The target
principal name is incorrect"
http://support.microsoft.com/kb/923318
Please download and install the ISA server 2004 SP3 on the SBS 2003 server
and then check how it works.
ISA Server 2004 Service Packs
http://technet.microsoft.com/en-us/forefront/edgesecurity/bb734832.aspx
Suggestions #2:
=====================
I'd like to know whether the issue happens when accessing OWA both from
external and internal. If the issue happens when accessing OWA from
external, please check whether the Default website can be accessed from
anywhere. To check that:
1. In the IIS mmc, right click the Default website--->Properties--->web
site tab.
2. Select "All Unassigned" in the IP address textbox.
3. In the ISA mmc, double click the SBS OWA Web Publishing Rule--->From tab.
4. Make sure that the rule allow the traffic from Anywhere.
Suggestions #3:
=====================
General speaking, this error message typically results from the unmatched
settings in the SBS OWA Web Publishing Rule. Please check whether the IIS
server (SBS server itself) is properly published with the correct
certificate. To verify that:
1. In the ISA mmc, double click the SBS OWA Web Publishing Rule--->To tab.
2. Make sure that the SBS server's FQDN is there. By default it should be
publishing.sbs.local.
3. In the DNS mmc, verify that a HOST(A) record named publishing that
points to the IP of the SBS server is in the domain zone.
4. In the Listener tab, click properties--->Preferences tab.
5. Check the certificate with domain external name is selected.
841664 Clients may receive an "Error Code 500 Internal
Server Error" error message when they try to visit a Web site that you
publish by using ISA Server 2006 or ISA Server 2004
http://support.microsoft.com/kb/841664
If you are not sure about the settings in the SBS OWA Web Publishing Rule,
you may export it to the XML file and send to me at v-mi...@microsoft.com
Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.
Best regards,
Miles Li
Microsoft Online Partner Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
John Catalano
Thanks for your guidance, I have followed your advise and now I have a
completely different set if issues... Most likely due the the original
install (not by me) and the changes.
Sugg 1.
I did not have the latest service packs. I downloaded and installed. Now I
get 404 NOT FOUND. both internally and externally. The only thing that does
work is the companyweb from inside the network. Exchange seems to be working
so that is good.
I know sometimes you have to make things worse before they get better so I'm
ready for things to get better! Hopefully you can help get me there...
I have recreated the virtural directories for OWA and still not working. I
have run the ISA BPA and exported the rules from the ISA server. I will be
emailing the XML files to you for your review as suggested. I need to resolve
these issues
ASAP as I am working for a non-profit and now most of their employees do not
have access to email.
Any help would be greatly appreciated.
Thanks ,
John
Miles Li [MSFT]
I checked the SBS OWA Web Publishing Rule output file. (On your server, it
is named SBS OWA). As illustrated in the extracted rule setting below, I
found that the delegation basic credentials option was is not enabled in
the SBS OWA publishing rule that will result in some authentication issues.
I also found that the error "ISA Server does not delegate Basic
credentials" is recorded in the ISA BPA log.
The following is your OWA WebPublishing settings:
----------------------
<fpc4:WebPublishingProperties StorageName="WebPublishingProperties"
StorageType="1">
<fpc4:PublishedServerType dt:dt="int">2</fpc4:PublishedServerType>
<fpc4:RedirectUrl
dt:dt="string">annanserver.annandale.local</fpc4:RedirectUrl>
<fpc4:SendAcceptEncodingHeader
dt:dt="boolean">1</fpc4:SendAcceptEncodingHeader>
<fpc4:SendOriginalHostHeader dt:dt="boolean">1</fpc4:SendOriginalHostHeader>
<fpc4:SSLRequireSecureChannel dt:dt="int">1</fpc4:SSLRequireSecureChannel>
----------------------
Please confirm that the Basic delegation is enabled in the SBS OWA rule. To
check that:
1. In the ISA mmc, double click the SBS OWA Web Publishing Rule--->Users
tab.
4. Make sure that the option "ISA Server does not delegate Basic
credentials" is selected.
If you are not sure about the settings, please rerun the CEICW to reset all
publishing rules.
Moreover, when I access the OWA from my side I receive the error "Error
Code: 500 Internal Server Error. The certificate chain was issued by an
authority that is not trusted. (-2146893019) even when I choose to ignore
the certificate that is not trusted.
John Catalano
Thank you, yes that did help. I also found that the "name" in that
publishing rule was not correct. Once I made the changes it appears that I am
able to get to the site howeve now I get "404 NOT FOUND". This happen both
internal and external. Do you have any guidence for this error? I will
continue to search for the answer...
Thanks Again,
John
John Catalano
Hi, thanks for your response. I have tried many options and still have no
solution to my issue. At this point I have installed the latest service
packs, re-created the owa directories under the Default site and adjusted my
ISA rules to no end. Now I'm recieving 404 NOT FOUND when I attempt to go to
OWA from both inside and outside the network.
I have gone through the BPA issues and I believe I have resolved any that
were warnings or configuration issues. I still can't get this to work. Any
suggestions as to how to get this server working? This is really causing some
issues for me, any addition help would be very welcome.
Thanks,
John Catalano
Miles Li [MSFT]
Thanks for the update.
From the description that the OWA can neither be accessed from internal nor
external, I think the OWA is corrupted in the IIS. I know that you have
recreated the OWA virtual directory. However, I'd like to double check
whether you have followed the methods in KB 883380 to reset the OWA.
883380 How to reset the default virtual directories that
are required to provide Outlook Web Access, Exchange ActiveSync, and
Outlook Mobile Access services in Exchange Server 2003
http://support.microsoft.com/kb/883380
Moreover, please export the IIS configurations by the Metabase Explorer
and send it to me at v-mi...@microsoft.com for further investigation:
a. Download the IIS Resource Kit tools from the following page:
http://www.microsoft.com/downloads/details.aspx?FamilyId=56FC92EE-A71A-4C73-
B628-ADE629C89499&displaylang=en
b. Install it, run MBExplorer (Metabase Explorer)
c. Right click the "LM" node and choose "Export to file".
d. Specify a file name, specify the password and finish the export.
e. Gather the file and the password
John Catalano
Thanks, I did use that method but I'll try it again, maybe I didn't do
something properly... I'll send you the information if this doesn't work.
John
Miles Li [MSFT]
I have received the IIS metabase file. In the Exchange (OWA) virtual
directory, I found that the AppRoot attribute is missing in it. You can
verify it in /LM/W3SVC/1/Root/Exchange. BY default, there should be a
attribute named AppRoot that has the vaule "/LM/W3SVC/1/Root/Exchange".
The AppRoot property contains the metabase path to the application root.
However, it is missing on your SBS server.
To correct the issue, I'd like to suggest you to follow the method 1
step-by-step in the KB 883380 to reset the default Outlook Web Access
virtual directories. Hope it helps. If you have any questions or concerns,
John Catalano
the entry and value into the MetaBase. Here is the latest error...
Error Code 11001: Host not found
Background: This error indicates that the gateway or proxy server could not
find the IP address of an upstream (Web) server. This is usually due to a
DNS-related error.
Thanks again,
John
Miles Li [MSFT]
Hello John,
From the description, you receive the error "11001" while attempt to browse
the OWA from external.
I'd like to know whether you can access the OWA from the SBS domain
clients. Can you access it on the SBS server? For this issue, we should
correct the issue step by step. Could you please explain the current state
of the issue that will help us troubleshoot the issue more effectively.
1. First, please ensure that the OWA starts to work on the SBS server.
2. Then publish the OWA in ISA server to external.
I'd like to know when you receive the error 11001 when you attempt to
access the OWA. Is it when you access OWA through ISA (external) or access
OWA locally (internal)? If you receive the error while accessing OWA from
external, please try to delete the SBS OWA web publishing Rule and rerun
the CEICW to let it be recreated.
I hope these steps will give you some help. If you have any questions or
John Catalano
I went on site (a 2 hour drive each way) and uninstalled ISA server. I then
when to control panel and did a complete re-install of Small Business Server.
This time I did not re-install ISA server. I still have the SAME ISSUE!!! I
am not able to get to OWA from inside or outside the network. Going to OWA
from the network, inside, (actually in the browser on the server) I get:
HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)
I am not sure where to go from here, I'm hoping my only answer isn't to
re-format the HD and start over... that would be a complete nightmare. Can
you offer any other suggestions? Ths is a non-for-profit organization and
they don't have the money for me to call Microsoft for help. They can't even
pay me anymore for my services, I feel I have to help them somehow, Any
suggestions???
Thanks,
John Catalano
Merv Porter [SBS-MVP]
your services and then complete CEICW? If not, try that.
--
Merv Porter [SBS-MVP]
============================
"John Catalano" <JohnCa...@discussions.microsoft.com> wrote in message
news:6CFB6C17-87B3-485C...@microsoft.com...
Miles Li [MSFT]
Hello John,
Thanks for the update. I appreciate your time on this issue.
Yes, as Merv mentioned, please rerun the CEICW after you uninstall the ISA
on the SBS server.
The Error 403.6 indicates that the IP address (in the issue when you
attempt to access OWA on the SBS server the IP is 127.0.0.1 or the
internal\external NIC IP address) is not allowed to access the OWA site.
Please check Directory Security on the Exchange directory in the IIS. To do
that:
1. In the IIS MMC, right click the Exchange directory in the Default web
site.
2. Select the appropriate Directory Security--->click Edit.
3. In the IP Address and Domain Name Restrictions dialog box, make sure the
Granted Access option is selected and the exception list is empty.
4. Click OK and check whether you can access OWA on the SBS server.
More related information for your reference:
248043 Error Message: 403.6 - Forbidden: IP address
rejected
http://support.microsoft.com/kb/248043
Hope it helps. If you have any questions or concerns, please do not
John Catalano
must have been manually changed by the last administrator that is being
missed... Please keep making suggestions if you think of anything. The more
thinking on this issue the better.
John
John Catalano
I did run CEICW after the re-install. I also double checked the "Grant
Permissions" and all is set properly.
Am I supposed to see the 127.0.0.1 IP in the DNS?? If I surf to "localhost"
on the server it takes me to the template selection page
(http://localhost/_layouts/1033/templatepick.aspx) is this normal? If I add
exchange (http://localhost/exchange) I get 404 Not Found.
Please keep making some suggestions maybe we'll hit on the solution.
Thank you for spending you time and providing your knowledge on this issue.
John Catalano
Merv Porter [SBS-MVP]
--
Merv Porter [SBS-MVP]
============================
"John Catalano" <JohnCa...@discussions.microsoft.com> wrote in message
news:A4E9B0F7-03B1-4D39...@microsoft.com...
Miles Li [MSFT]
Thanks for the update.
Please also check the Directory Security settings on the Default web site.
No record with the IP 127.0.0.1 will be recorded in the DNS. The address
127.0.0.1 is the loopback address and it only can be used locally. From the
description that you are redirected to
(http://localhost/_layouts/1033/templatepick.aspx) when you attempt to
access the localhost, I'd like to know whether you have changed the
settings on the default web site. By default, you should get the SBS
welcome page when accessing localhost.
As you have rebuild the virtual directory of the OWA, could you please
collect the metabase of the IIS that contains the OWA directory settings?