Certificates Issued to Windows 2008 Machines Can Cause Problems in ISA 2006

  • Article

I recently ran into an interesting issue when I needed to renew the certificates in my lab on my ISA 2006 Enterprise Edition. The certificates I used for OWA, Outlook Anywhere, and Activesync were all expired and needed to be renewed. Since I also have a Forefront TMG Server in my lab environment I figured I'd kill two birds with one stone and renew the certificates on that machine as well. This was the start of my problem.

When I set my Certificate Authority (CA) up on a Windows 2003 Domain Controller I also installed the Web Enrollment to make this process easier. By doing this I can just browse to my Domain Controller and request whatever certificate I may need. It doesn't require any approval and I can install it right away. I requested the new certificates by opening up IE on my Forefront TMG server (Windows 2008 64 bit OS)  and navigating to my Web Enrollment site. I requested the necessary Server Authentication certificates and installed them into the certificate store on my TMG server. After importing them I went into the corresponding listeners and chose the updated certificate, applied, and everything was fine.

Where I ran into a problem was when I tried to use those same certificates on my ISA Server 2006 machine. After importing the newly created certificates into the certificate store, then choosing them on my listener, I got an error when my ISA Server tries to sync with the Configuration Storage Server. (See Figure 1).

Figure 1.

The Configuration Status message tells me that the "Server is unable to update the configuration". It also tells me to see the Alerts tabs.

Looking at the Alerts tab I see a message regarding "Upload New Configuration to Server Failed". The description for the error is "The ISA Server configuration agent was unable to upload the configuration to the ISA Server services. This could be due to a corrupt configuration. The ISA Server configuration agent is reverting the configuration back to the last known configuration. The service that failed to load the configuration is: fwsrv. The failure is due to error: 0x8007030d"

Sounds pretty bad and at this point my configuration never updates.

I also looked in the Event Viewer under system and see and Event ID 36871. The source is Schannel and it tells me "A fatal error occurred while creating an SSL server credential." (See Figure 2)

 Figure 2.

Through troubleshooting I realized that the defaul Cryptographic Service Provider (CSP)  used when requesting a certificate is different between a Windows 2003 Server and a Windows 2008 Server. The default for Windows 2003 is "Microsoft Enhanced Cryptographic Provider v1.0". The default for Windows 2008 is "Microsoft Enhanced RSA and AES Cryptographic Provider".

I resolved the issue by requesting the certificates from the Windows 2003 machine. Next I imported them into the certificate store and chose them on my listener. After choosing the proper certificate and applying I restarted the Microsoft Firewall Service. My configuration was again synching after this. (See Figure 3)

 Figure 3.

Conclusion: 

I posted this blog because I know that if I can do this in a lab someone will do it in real life and it will be helpful to know the causes and the resolution.