Error details: 0x80090322 - The target principal name is incorrect.


This is one of the most common issues seen when publishing websites, OWA or other Exchange-related services through ISA Server or Forefront TMG.

Consider the following scenario. OWA has been published on TMG, and external users get the error “The target principal name is incorrect.”


The public name of the site is “mail.woodgrovebank.com”.

The internal site name is “webmail.woodgrovebank.com”.

The internal name is configured as the internal site name on the OWA publishing rule and as the internal URL in the Exchange Management Console.

The “Forward the original host header instead of the actual one” option is checked on the publishing rule.

On Exchange the external URL is also set correctly. So the question is: with the internal and external URLs set correctly on both Exchange and TMG, why do we still get “The target principal name is incorrect”?

The answer lies in the certificate assigned to the web listener of the publishing rule; ideally the same certificate is also bound on the Exchange server. When TMG bridges the request it opens its own HTTPS connection to the internal site name on the rule, and it validates the certificate the Exchange server presents against that internal name, not against the host header it forwards. 0x80090322 is SEC_E_WRONG_PRINCIPAL, the Schannel code for exactly that name mismatch.


The certificate is issued to mail.woodgrovebank.com.

If we check the SAN (Subject Alternative Name) extension, there is no entry for the internal site name “webmail.woodgrovebank.com”.

This is why we get the error “0x80090322 - The target principal name is incorrect”: the name TMG connects to is not one of the names on the certificate.

With this setup, internal users running Outlook will also get a certificate warning, because the internal URL name they connect to is not on the certificate either.

Resolution:-

1)      Add the internal name to the SAN of the certificate (reissue the certificate with “webmail.woodgrovebank.com” as an additional SAN entry).

2)      Take a name that already exists on the certificate (for example mail.woodgrovebank.com) and use it as the internal site name on the publishing rule and as the internal URL in the Exchange Management Console. Make sure that name resolves to the CAS server from the TMG server and from internal clients.

3)      Internally, Outlook will continue to function even with the certificate warning. As a temporary workaround to get the setup working for external users, create a “hosts” file entry on the TMG server for the name used as the internal site name, pointing it to the IP address of the CAS/Exchange server. Note that the hosts entry only changes which server TMG connects to, not which name it checks the certificate against: with the internal site name still set to “webmail.woodgrovebank.com” the certificate check fails exactly as before, so this only helps once the internal site name is one the certificate carries (as in resolution 2) and that name would otherwise resolve to the public IP.
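The following Python is an added example, not code from the original post or from TMG itself. It reproduces the name check that fails in this scenario: it takes a certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns, collects the DNS names a validator will accept, and tests whether the rule's internal site name is among them, including wildcard certificates. The two sample certificates are constructed to mirror the post (the post's example names, plus an assumed extra autodiscover SAN entry), and the helper names `cert_dns_names`, `name_matches`, `cert_covers`, `diagnose` and `fetch_live_cert` are this example's own.

```python
"""Check whether a certificate carries the name a TMG publishing rule uses.

Added example, not code from the original post or from TMG. It takes a
certificate in the dict shape returned by ssl.SSLSocket.getpeercert(), collects
the DNS names a validator will accept, and applies RFC 6125-style matching
(exact match, or a single leading wildcard label). The two sample certificates
below are constructed to mirror the post's scenario; the names are the post's
example names, and the extra autodiscover SAN entry is an assumption.
"""
import socket
import ssl

# Constructed sample: the certificate as issued in the post, CN and SAN both
# mail.woodgrovebank.com, with no entry for the internal name.
CERT_AS_ISSUED = {
    "subject": ((("commonName", "mail.woodgrovebank.com"),),),
    "subjectAltName": (
        ("DNS", "mail.woodgrovebank.com"),
        ("DNS", "autodiscover.woodgrovebank.com"),  # assumed extra SAN entry
    ),
}

# Constructed sample: the same certificate reissued with the internal name added
# to the SAN (resolution 1 in the post).
CERT_REISSUED = {
    "subject": CERT_AS_ISSUED["subject"],
    "subjectAltName": CERT_AS_ISSUED["subjectAltName"]
    + (("DNS", "webmail.woodgrovebank.com"),),
}


def cert_dns_names(cert):
    """DNS names the certificate is valid for: the SAN entries, or the subject
    CN only when the certificate has no SAN extension at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125 presented-identifier match: case-insensitive; a wildcard is only
    accepted as the whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        suffix = pattern[1:]  # e.g. ".woodgrovebank.com"
        return (hostname.endswith(suffix)
                and hostname.count(".") == pattern.count(".")
                and len(hostname) > len(suffix))
    return False


def cert_covers(cert, hostname):
    """True when at least one name on the certificate matches hostname."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def diagnose(cert, internal_site_name):
    """Mimic the name check TMG performs when it bridges the connection to the
    internal site name on the rule, and say what would clear a mismatch."""
    names = cert_dns_names(cert)
    if cert_covers(cert, internal_site_name):
        return {"ok": True, "names": names, "advice": None}
    return {
        "ok": False,
        "names": names,
        "advice": (f"add {internal_site_name} to the SAN, or set the rule's "
                   f"internal site name to one of: {', '.join(names)}"),
    }


def fetch_live_cert(host, port=443, cafile=None):
    """Fetch the certificate a server presents, as a getpeercert() dict.
    Hostname checking is disabled so a mismatched name can still be inspected;
    chain validation stays on because getpeercert() returns {} for an
    unvalidated certificate. Pass cafile for a private CA. Needs network, so
    the offline samples above do not use it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("as issued", CERT_AS_ISSUED), ("reissued", CERT_REISSUED)):
        print(label, diagnose(cert, "webmail.woodgrovebank.com"))
```

To check a real server from the TMG box, call `diagnose(fetch_live_cert("webmail.woodgrovebank.com"), "webmail.woodgrovebank.com")`; a result with `"ok": False` is the same mismatch the rule reports as 0x80090322, and the `names` list shows which existing SAN entry resolution 2 could reuse.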