The target principal name is incorrect.

The Issue:

We requested a new certificate for our website from a CA. We applied the certificate on the internal IIS6 web server. I then exported the certificate, including keys, and imported it onto our ISA 2006 firewall.

I then went into the publishing rule for our website and updated it with the new certificate.


When external users went to our website using HTTPS, they got the following error:
Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)

Issue Analysis:
When I looked at the rule I noticed it was set to an IP under the To tab.
I opened up a command prompt and tried to ping my web server. It returned a different IP. I then tried to ping domain.com; it returned a different IP than the one that was listed on the To tab of the publishing rule.

I knew from this MS TechNet article (http://technet.microsoft.com/en-us/library/cc302619.aspx#CommonIssues) that the name on the To tab had to match the common name on the web site certificate. When a client sends a request, ISA sends it to the name on the To tab; therefore, if ISA cannot resolve this name, it will produce that error.

What I did to resolve the issue:

To fix this, I first changed the name on the To tab of the publishing rule to domain.com instead of the IP address.


I then went into the hosts file (WINNT\system32\drivers\etc\hosts) on the ISA box and made an entry pointing the IP to domain.com. I applied the changes, tested from an external network, and it worked.
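The two conditions behind this fix can be checked together: the To tab value must equal the certificate common name, and the hosts file must map that name to the web server. The script below is an added example, not part of the original post. The function names and the address 192.0.2.10 are assumptions made for illustration, and it reads only hosts-file text, not DNS.

```python
import ipaddress

def parse_hosts(text):
    """Map each lower-cased hostname in hosts-file text to its first IP."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def is_ip(value):
    """True if the value is an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_rule(to_value, cert_cn, hosts_text, server_ip):
    """Return a list of problems; an empty list means the rule is consistent."""
    problems = []
    if is_ip(to_value):
        problems.append("To tab holds an IP address, which cannot match the certificate name")
        return problems
    if to_value.lower() != cert_cn.lower():
        problems.append("To tab name differs from the certificate common name")
    if parse_hosts(hosts_text).get(to_value.lower()) != server_ip:
        problems.append("hosts file does not map the To tab name to the web server")
    return problems

# Constructed sample data: 192.0.2.10 is a documentation address
# standing in for the internal web server (assumption, not from the post).
HOSTS_FIXED = """# constructed hosts file
127.0.0.1    localhost
192.0.2.10   domain.com   # internal web server
"""

if __name__ == "__main__":
    # Rule as it was before the fix: To tab set to an IP.
    print(check_rule("192.0.2.10", "domain.com", HOSTS_FIXED, "192.0.2.10"))
    # Rule after the fix: To tab set to the certificate name.
    print(check_rule("domain.com", "domain.com", HOSTS_FIXED, "192.0.2.10"))
```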
