UAG and Outlook Web Access on server 2003 - certificate error

  • Question

  • Hi

    We are having problems creating an Outlook Web Access application within our UAG portal. When I access the Portal and click on the link to Outlook Web Access I get the error: "The specified target common name of the certificate is invalid".

    We are using UAG with SP2 and Exchange 2003.

    In the UAG, on the Web Servers tab, the address we have specified is 10.x.x.x (the IP address of the OWA server).

    On the Portal Link tab, the Application URL we have specified is https://10.x.x.x/exchange. I think that this is where our problem lies. This URL is not pointing to the location which is specified within the certificate on the OWA server.

    To try and correct this we have changed the Application URL to https://webmail.company-name.com, which matches the name within the certificate; however, when I do this UAG displays the following message: "Application URL is invalid. Address does not match application address."

    I don't think this is a certificate error because if I type https://webmail.company-name.com into IE it works fine. I just need the UAG box to accept the URL. We do have an e-Gap box as well and its URL is pointing to https://10.x.x.x/exchange, which works fine, but it was installed by a third party so I'm not sure if they made any other changes.

    I have read similar questions on this site and many other sites but none which seem to provide the answer to our situation.

    Any help would be much appreciated.

    G

    • Moved by Nick Gu - MSFT Wednesday, January 12, 2011 5:09 AM (From:Forefront Management Consoles)
    Tuesday, January 11, 2011 4:25 PM

Answers

  • Hi G.

    I've just tested on my lab box and it works for me, so I'm inclined to believe you have some misconfiguration. To recap, you need to comply with three requirements:

    1. The FQDN of the OWA server you entered in the Web Servers tab must match the FQDN you used on the Portal Link tab.

    2. It should be resolvable from the UAG server.

    3. It should also match the CN of the SSL cert on the OWA server.

    If all the above are TRUE, then it should work without any error about “the specified target common name…”.

    If 1 and 2 above are TRUE, but 3 is FALSE, then you will get the “the specified target common name…” error.

    Anyhow, it is your decision if you wish to disable the backend certificate verification. After all, this is how your e-Gap was/is functioning.


    -Ran
    • Marked as answer by OhhAhh Wednesday, January 26, 2011 5:24 PM
    Wednesday, January 12, 2011 12:18 PM

All replies

  • Hi,

    I'm assuming you are using UAG with Update 2 (SP2 does not exist yet :) ).

    The reason you're seeing a difference in behavior between UAG and e-Gap is that UAG implements a verification that was not done in e-Gap or IAG: when UAG communicates over HTTPS with a backend web server, it verifies the validity of the SSL certificate presented by that backend web server. This includes verifying that the certificate's Common Name matches the hostname/FQDN by which UAG is accessing this site.


    In your case, you have configured UAG to access the backend via its IP address: 10.x.x.x, and that probably does not match the CN of the SSL certificate installed on your OWA server. You have two options:

    a) Change the configuration of the OWA application on the UAG server to use, instead of the IP address, an FQDN that matches the backend's SSL certificate Common Name and which is resolvable by the UAG server. For example, if the SSL certificate on the OWA server was issued for webmail.company.com, then enter webmail.company.com in the OWA application properties dialog, in the Addresses list on the Web Servers tab.

    b) Disable this verification. For more information, you have a bunch of links in this UAG Forum thread: UAG2010 - OWA Error - "The specified target common name of the certificate is invalid."


    -Ran
    Wednesday, January 12, 2011 9:00 AM
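The backend check Ran describes (the name UAG connects to must match the certificate's CN) and his three requirements, modelled as a small Python checker. This is an added example, not code from the thread or from UAG; the function names, the wildcard handling and the sample IP 10.0.0.5 are constructed for illustration.

```python
# Added example (not from the thread): models the hostname-vs-certificate check UAG
# performs on a backend OWA server, plus Ran's three configuration requirements.
# check_owa_publishing(), cert_name_matches() and the sample values are constructed.
import ipaddress
from urllib.parse import urlparse


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cert_name_matches(host, cn, sans=()):
    """True if the host UAG connects to matches the cert's CN or one of its DNS SANs.
    A bare IP address never matches a certificate issued to a DNS name."""
    host = host.lower().rstrip(".")
    if _is_ip(host):
        return False  # 10.x.x.x cannot match CN=webmail.company-name.com
    for name in (cn, *sans):
        name = name.lower().rstrip(".")
        if name.startswith("*."):  # simple single-label wildcard, e.g. *.company-name.com
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def check_owa_publishing(web_server_address, portal_link_url, cert_cn, cert_sans=(), resolves=True):
    """Evaluate Ran's three requirements; returns the numbers of the failing ones."""
    link_host = urlparse(portal_link_url).hostname or ""
    failures = []
    if web_server_address.lower() != link_host.lower():
        failures.append(1)  # Web Servers tab address differs from the Portal Link host
    if not resolves:
        failures.append(2)  # UAG cannot resolve the name it was given
    if not cert_name_matches(web_server_address, cert_cn, cert_sans):
        failures.append(3)  # "The specified target common name of the certificate is invalid"
    return failures


if __name__ == "__main__":
    # Original config from the question: IP on the Web Servers tab, cert issued to a DNS name
    print(check_owa_publishing("10.0.0.5", "https://10.0.0.5/exchange", "webmail.company-name.com"))  # [3]
    # Corrected config: the same FQDN on both tabs, matching the certificate CN
    print(check_owa_publishing("webmail.company-name.com", "https://webmail.company-name.com/exchange/",
                               "webmail.company-name.com"))  # []
```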
  • Hi Ran

    Thanks for the reply.  Yes Update 2 as opposed to SP2

    I thought that was the problem however I wasn't sure exactly how to solve it.

    I have done the following :

    In the address list of the Web Servers tab I have entered: webmail.company-name.com

    In the portal link I have entered: https://webmail.company-name.com/exchange/

    webmail.company-name.com matches the CN of the certificate on the OWA server. Most of the other settings for the Application are default settings, so I'm not sure if there is something else I might have missed. I have activated the config but am still getting the same "The specified target common name of the certificate is invalid" error message.

    Is there anything else I can try, or shall I go down the disable-the-verification route?

    Thanks

    G

    Wednesday, January 12, 2011 11:04 AM
  • Hi Ran

    Requirement 1: The entry under the Web Servers tab is webmail.company-name.com; the portal link is https://webmail.company-name.com/exchange/, so the link includes the https:// and the /exchange/, which is required or I get told that the URL does not match the application address.

    Requirement 2: If I try https://webmail.company-name.com from IE on the UAG box it takes me to the login page for webmail so this works fine.

    Requirement 3: When I get to the login page for OWA and I check the certificate properties, it has the CN as webmail.company-name.com.

    As far as I can tell it looks OK.  I don't want to turn off the cert verification if it can be helped so I might persevere for now.

    Thanks for all your help.

    G

    Wednesday, January 12, 2011 4:14 PM