Error publishing multiple SharePoint sites with a single listener and SAN certificate

    Question

  • Dear all,

    We have the following scenario:

    TMG 2010  - SP 2010

    two sites should be published: projects.domain.com and portal.domain.com

    SAN certificate with projects.domain.com as CN and both as SAN.

    Both sites share the same internal and external IP address and both use port 443.

    Created one web listener, 2 rules.

    Projects is working fine, portal gives me the following error from outside:

    • Error Code: 500 Internal Server Error. The message received was unexpected or badly formatted. (-2146893018)

    Testing the rule in TMG says: 

    Category: Destination server certificate error
    Error details: 0x80090326 - The message received was unexpected or badly formatted.

    Both sites work fine from the inside network and from the DMZ.

    Both rules look the same.

    I don't understand why it is not working.

    Thanks in advance

    Best regards

    Markus

    Sunday, September 29, 2013 10:12 PM

Answers

  • Problem solved (and one day I will kill our SharePoint Admin...) - had nothing to do with Network settings or TMG.

    SSL Settings for the second, non-working site were: Require SSL was unchecked and Client Certificates was set to "Accept".

    Changed it to Require SSL and to Ignore the Client Certificates - everything is working fine.

    Best regards,

    Markus

    Monday, October 07, 2013 8:47 AM
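    The setting Markus changed lives in the IIS `system.webServer/security/access` section, where `sslFlags` encodes "Require SSL" (`Ssl`) and the client-certificate mode (`SslNegotiateCert` = Accept, `SslRequireCert` = Require, neither = Ignore). With Accept, IIS sends a CertificateRequest during the handshake, which is what a reverse proxy without a client certificate can trip over. The script below is an added example, not code from the thread: it audits each named site, reports the effective mode, and with `-Fix` sets `sslFlags` to exactly `Ssl` (require SSL, ignore client certificates). The site names are assumed to match the IIS site names; adjust them to your environment.

```powershell
# Added example: audit (and optionally correct) the IIS SSL settings behind
# the 0x80090326 "message received was unexpected or badly formatted" error.
# Assumptions: WebAdministration module available (IIS 7+), and the IIS site
# names equal the host names used in the thread.
param(
    [string[]]$SiteName = @('projects.domain.com', 'portal.domain.com'),
    [switch]$Fix
)

Import-Module WebAdministration

$filter = 'system.webServer/security/access'

foreach ($name in $SiteName) {
    $path = "IIS:\Sites\$name"
    if (-not (Test-Path $path)) {
        Write-Warning "Site '$name' not found in IIS"
        continue
    }

    # sslFlags is a flags enum; Value is the comma-separated flag list,
    # e.g. "Ssl, SslNegotiateCert", or empty when nothing is set.
    $flags = [string](Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name sslFlags).Value

    $requiresSsl = $flags -match '\bSsl\b'          # plain "Ssl", not Ssl128/SslNegotiateCert
    $clientCerts = if     ($flags -match 'SslRequireCert')   { 'Require' }
                   elseif ($flags -match 'SslNegotiateCert') { 'Accept'  }
                   else                                      { 'Ignore'  }

    # Report the effective mode for this site
    [pscustomobject]@{
        Site        = $name
        SslFlags    = if ($flags) { $flags } else { '(none)' }
        RequireSsl  = $requiresSsl
        ClientCerts = $clientCerts
    }

    # The working configuration from the thread: Require SSL on, client
    # certificates ignored. That is exactly "Ssl" with no other flag.
    if ($Fix -and (-not $requiresSsl -or $clientCerts -ne 'Ignore')) {
        Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name sslFlags -Value 'Ssl'
        Write-Host "Set sslFlags=Ssl on '$name' (was '$flags')"
    }
}
```

    Run it without `-Fix` first to see which site still negotiates client certificates; the same change can be made with `appcmd set config "portal.domain.com" /section:access /sslFlags:Ssl /commit:apphost`. Setting `sslFlags` at the site level applies to the whole site; if only one application under it needs the change, pass that application's IIS path instead.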

All replies

  • Hi,

    What are you trying to publish? It could be that the published server and TMG use SSL/TLS versions which don't match. You should figure out which version the published server uses and then set up the same on TMG.

    In most cases this could be the cause. Network traffic can also show you which SSL/TLS version is used during the handshake between TMG and the published server.

    Monday, September 30, 2013 4:05 PM
  • Dear Vasily,

    thanks for your reply - we want to publish two SharePoint sites on the same server, same (internal) IP, same certificate.

    Is it possible that 2 sites on the same IIS use different TLS/SSL Versions?
    I tried to monitor the network traffic with network monitor while testing the rule:
    the working ssl site:

    TMG: TLS: TLS Rec Layer-1 HandShake: Client Hello.

    IIS: TLS: TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 Cipher Change Spec; TLS Rec Layer-3 HandShake: Encrypted Handshake Message.

    non-working site:

    TMG: TLS: TLS Rec Layer-1 HandShake: Client Hello.

    IIS: TLS: TLS Rec Layer-1 HandShake: Server Hello. Certificate.

    Best regards

    Markus

    Saturday, October 05, 2013 9:15 PM
  • Hi,

    Glad to hear that the issue has been resolved.

    Cheers.


    Best Regards
    Jeremy Wu

    Tuesday, October 08, 2013 5:05 AM
    Moderator