Error "the specified target common name of the certificate is invalid" when launching an application from UAG

When publishing a new application on UAG, you might find yourself receiving this error when launching the application. Even though this is a certificate error, it doesn’t mean that the certificate on UAG is bad. It actually refers to the certificate that the backend server is presenting to UAG.

While this can indicate a bad cert, the real reason is usually a simple misunderstanding of the application configuration. When you configure an application on UAG, you need to specify a web server name here:

[Screenshot: the web server name field on the application's Addresses tab in the UAG Management console]

The name you type there is the name UAG uses to contact the backend server. UAG resolves it to an IP address and sends the request to that IP. If UAG is configured to talk to the backend server over HTTPS, the backend server responds with its certificate, and UAG compares the name on that certificate to the name it tried to contact (just like a browser does!). If there is a mismatch, the error above is displayed to the user.

A common mistake that leads to this is specifying a short name on the Addresses tab while the certificate has an FQDN (or vice versa). Another common error is specifying an IP address instead of a hostname. The simplest solution is usually to correct the name on the Addresses tab to the same name that the certificate itself contains. If that hostname isn't actually resolvable to that server, then you have two potential workarounds:
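The check described above can be reproduced from the UAG server before you change anything. The following PowerShell script is an added example and not part of the original post: it resolves the name exactly as typed on the Addresses tab (honouring the HOSTS file), opens a TLS session to the backend, and compares the certificate's CN and DNS Subject Alternative Names to that name, including single-label wildcard matching. `$WebServerName` and `$Port` are assumed placeholder values.

```powershell
# Added example (not from the original post). Reproduces UAG's backend name check:
# resolve the configured web server name, fetch the backend certificate, compare names.
param(
    [string]$WebServerName = 'app01.contoso.example',   # name as typed on the Addresses tab (constructed)
    [int]$Port = 443                                    # backend HTTPS port (assumed)
)

function Get-BackendCertificateNames {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any chain here: this script only inspects the names, it does not enforce them.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    # CN (or the first SAN DNS name) as the simple name...
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    # ...plus every DNS name in the Subject Alternative Name extension (OID 2.5.29.17).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    return $names | Select-Object -Unique
}

function Test-NameMatch {
    param([string]$Configured, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $Configured) { return $true }              # -eq is case-insensitive in PowerShell
        if ($n.StartsWith('*.')) {                            # wildcard covers exactly one label
            $pattern = '^[^.]+' + [regex]::Escape($n.Substring(1)) + '$'
            if ($Configured -match $pattern) { return $true }
        }
    }
    return $false
}

$ip = $null
if ([System.Net.IPAddress]::TryParse($WebServerName, [ref]$ip)) {
    Write-Warning "The Addresses tab contains an IP address; a certificate issued to a hostname will never match it."
}

# System resolver: consults the HOSTS file first, then DNS, just as UAG does.
$addresses = [System.Net.Dns]::GetHostAddresses($WebServerName)
"{0} resolves to {1}" -f $WebServerName, (($addresses | ForEach-Object { $_.IPAddressToString }) -join ', ')

$certNames = Get-BackendCertificateNames -HostName $WebServerName -Port $Port
"Backend certificate presents: " + ($certNames -join ', ')

if (Test-NameMatch -Configured $WebServerName -CertNames $certNames) {
    "OK: the configured name matches the certificate; UAG's name check will pass."
} else {
    "MISMATCH: put one of the certificate's names on the Addresses tab (and add a HOSTS entry if it does not resolve)."
}
```

Run it on the UAG server itself so that the resolution and the network path are the ones UAG actually uses; a match from an administrator's workstation proves nothing if UAG resolves the name differently.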

1. Configure a static entry on the UAG’s HOSTS file (in c:\windows\system32\drivers\etc) to resolve that name to the right IP

2. Configure UAG not to validate the backend certificate. This is, of course, the less secure option, so consider your organization's security policy before implementing it. The steps are:

a. Open the Registry editor on your UAG server

b. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL

c. Set the value of ValidateRwsCert to 0 (if the value doesn't exist, create it as a 32-bit DWORD value and set it to 0)

d. Exit the registry editor

e. Activate the configuration*

f. Use the Services tool to restart the W3SVC service.

* When running through these steps, make sure you follow them in the exact order I listed above!
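The two workarounds, scripted for the UAG server as an added example that is not from the original post. It adds the HOSTS entry for workaround 1 (the option that keeps certificate validation on), reports whether the ValidateRwsCert value from workaround 2 currently disables validation so that it can be re-enabled once the certificate is fixed, and sets the value without restarting anything, because activation in the UAG Management console (step e) has to happen before the W3SVC restart (step f). `$BackendName` and `$BackendIP` are constructed placeholders; the registry path is the one given in the post.

```powershell
# Added example (not from the original post). Run from an elevated prompt on the UAG server.
param(
    [string]$BackendName = 'app01.contoso.example',   # name on the backend certificate (constructed)
    [string]$BackendIP   = '10.0.0.25'                # IP UAG should reach the backend on (constructed)
)

$HostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$UagSslKey = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL'   # key named in the post

# Workaround 1: map the certificate's name to the backend IP so UAG can still validate it.
function Add-BackendHostsEntry {
    param([string]$Name, [string]$IP)
    $pattern = '^\s*\S+\s+' + [regex]::Escape($Name) + '(\s|$)'
    $existing = Get-Content $HostsPath | Where-Object { $_ -match $pattern }
    if ($existing) { "HOSTS already maps $Name : $existing"; return }
    $line = "{0}`t{1}`t# UAG backend, added {2}" -f $IP, $Name, (Get-Date -Format s)
    Add-Content -Path $HostsPath -Value $line
    "Added '$IP $Name' to $HostsPath"
}

# Workaround 2, audit side: 0 means UAG no longer checks backend certificates;
# a missing value or any other value means it does.
function Get-UagBackendCertValidation {
    $item = Get-ItemProperty -Path $UagSslKey -Name ValidateRwsCert -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'enabled (ValidateRwsCert not present)' }
    if ($item.ValidateRwsCert -eq 0) { return 'DISABLED (ValidateRwsCert = 0)' }
    return "enabled (ValidateRwsCert = $($item.ValidateRwsCert))"
}

# Workaround 2, change side: 0 disables validation, 1 re-enables it. Steps e and f
# are deliberately not scripted: activate in the UAG console first, then restart W3SVC.
function Set-UagBackendCertValidation {
    param([ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $UagSslKey)) { New-Item -Path $UagSslKey -Force | Out-Null }
    New-ItemProperty -Path $UagSslKey -Name ValidateRwsCert -PropertyType DWord -Value $Value -Force | Out-Null
    "ValidateRwsCert set to $Value. Activate the configuration in the UAG Management console, THEN run: Restart-Service W3SVC"
}

Add-BackendHostsEntry -Name $BackendName -IP $BackendIP
"Backend certificate validation is currently: " + (Get-UagBackendCertValidation)
# To disable validation (workaround 2): Set-UagBackendCertValidation -Value 0
# To restore it after the certificate is fixed: Set-UagBackendCertValidation -Value 1
```

Keep the audit function in whatever baseline check you run against the UAG server: a ValidateRwsCert of 0 that outlives the original problem means every backend is being trusted on its IP alone.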