The Wild Limitation

This post is about a case that I recently worked here in CSS. The problem was that customer has an ISA Server 2004 publishing OWA from Exchange 2007 and he was getting the error below:


500 Internet Server Error – The target principal name is incorrect


Everything was running just fine until they changed the certificate in both places (ISA and Exchange). The certificate used to be and it was changed to *  After this change this issue started to happen when it try to access the OWA from outside. Looks familiar? I guess so right, this is known issue explained here:


I am using wildcard certificates and getting the error: 500 Internet Server Error – The target principal name is incorrect .


ISA Server 2004 only supports wildcard certificates on the ISA Server computer. ISA Server 2006 also supports use of wildcard certificates on the published Web server. When using HTTPS to HTTPS bridging, you cannot use wildcard certificates to authenticate the back-end Web server. Instead, on the internal Web server, create a new certificate that matches the name of the internal Web server, as specified on the To tab in the Web publishing rule.




The reason why I’m bring this up now is because people are starting to renew some certificates and are planning on what path to choose as far as certificate type is concern. Wildcard certificate is good, but be aware of the above limitation on ISA and also that Exchange 2007 has some limitations on that too, such as this one below:


Wildcard Certificate Causes Client Connectivity Issues for Outlook Anywhere


Note: Exchange Team strongly recommends using SAN Certificate and now with ISA Server 2006 SP1 being able to read the SAN Certificate we have the perfect match.


For more info on Certificate for Exchange read this cool article on the Exchange Team Blog site:



Comments (0)

Skip to main content