• Troubleshooting installation issues - ISA Server Enterprise Edition - workgroup - Part 3

    Getting error "Authentication over SSL encrypted channel with the configuration storage server could not be verified. To apply the configuration to ISA server computers, a certificate named ISAserver4.contoso.com must be installed on the configuration storage server"

    You might see this error when you enable SSL authentication in the CSS tab of the array properties. In this case the CSS name is "ISAserver4.contoso.com", but the server authentication certificate used on the CSS server is issued to "Isaserver4". So we need to use a certificate that is issued to ISAserver4.contoso.com.

    Once a certificate issued to "ISAserver4.contoso.com" is in use, it should work fine.

  • Getting error while adding CSS replica "setup failed to install ADAM in replica mode (0x80074e46)"

    Let us say you have the CSS on Isaserver1.contoso.com, which also runs the firewall service, i.e. it is acting as both CSS server and firewall node, and you have another node, Isaserver2.contoso.com, which is acting as a firewall node only. This ISA server array is part of a domain called contoso.com. We plan to configure a CSS replica on Isaserver2.contoso.com, but when we start the CSS replica installation on Isaserver2.contoso.com we get the error "setup failed to install ADAM in replica mode (0x80074e46)".

    We will get this error if we have not added the new CSS replica, i.e. Isaserver2.contoso.com, to the replicate CSS server group in the system policy at the enterprise level. So we need to edit the system policy at the enterprise level, add the FQDN and the IP of the new CSS replica to the replicate CSS server group, then save and apply the settings. Then install the CSS replica and it should install successfully.




  • Installation issues of different kind..."When ISA server is Part of the domain"

    Friends, I am starting a different series on the installation issues when ISA server is part of the domain, although the workgroup part is not over, as that is an ongoing series and I will keep adding to it. I wanted to discuss some interesting issues that come up when you install ISA server in a domain.

    I would welcome your views and comments regarding this...

    Take care

    Suraj singh

  • Troubleshooting installation issues of ISA Server 2006 in workgroup scenario - Part 2 - error code=0x8007003a

    Scenario is same as mentioned in the post for installation of ISA server in workgroup.

    Getting error "An attempt to establish an SSL channel with the Configuration Storage server computer failed."

     Error code=0x8007003a

    Error description= The specified server cannot perform the requested operation.

    This can happen if you have not installed the root certificate of the issuing authority, i.e. the Certification Authority, in the trusted CA computer store on the server. So the first thing to check in this scenario is whether the root CA certificate is installed in the trusted CA certificate store. If it is, check that it is the correct one and has not expired.

    If the CA certificate is correct, we can use a tool called ldp that comes with the Windows support tools. Install the Windows support tools on Isaserver2.contoso.com, then open ldp and connect to Isaserver1.contoso.com (i.e. the CSS server) on port 2172 with SSL.

    If the above test fails, repeat the ldp connect steps from the CSS server, i.e. Isaserver1.contoso.com, to itself and see if you can connect using port 2172 with SSL. If yes, then the server authentication certificate is correct and the SSL part is functional; if not, the issue could be related to the certificates. Things to check regarding the certificates on the CSS server are:

    a. Check the server authentication certificate first.

    b. To whom is this certificate issued, and does it match the name of the CSS server, i.e. is it issued to Isaserver1.contoso.com?

    c. Is this certificate expired? What is the validity period for this certificate?

    d. Does this certificate have the private key?

    e. Who is the Issuing Certificate Authority?

    f. Then check the certificate of the  Issuing Certificate Authority and its validity period.

    Will discuss variations to this scenario in my coming posts.

    Regards, 

    Suraj singh

  • Troubleshooting installation issues of ISA Server 2006 in workgroup scenario - Part 1 - error code 0x8007203a

    After discussing the installation of ISA server 2006 in the workgroup scenario, I am starting on the installation issues of ISA server 2006 Enterprise Edition in the workgroup scenario.

    Let us assume we have two servers with Windows 2003 SP2, and we will have the CSS on one and firewall services on both of them, exactly as per my post on the installation of ISA server in the workgroup scenario.

    Let us say that when we are about to join the second node, Isaserver2.contoso.com, to the array, we get the error "Connection to specified Configuration storage could not be established" with error code 0x8007203a. Error description= The server is not operational.

    CSS server not reachable

     

    The best thing to do then is to check the steps mentioned in my article and see whether any of them was skipped or missed during installation. If you are not sure, then:

    1. You can use a tool called ldp that comes with the Windows support tools. Install the Windows support tools on Isaserver2.contoso.com, then open ldp and connect to Isaserver1.contoso.com (i.e. the CSS server) on port 2172 with the SSL box checked. If this test fails, try to connect on port 2171 without SSL. If that test also fails, we can rule out the possibility of certificates causing the issue and focus on the connectivity between the two nodes.

    2. While checking the connectivity, we can start with name resolution. We can start by pinging Isaserver1.contoso.com from Isaserver2.contoso.com and seeing if the name gets resolved to the IP address of Isaserver1.contoso.com. In the above scenario, I removed the entry in the hosts file for Isaserver1.contoso.com on Isaserver2.contoso.com, so I got "host name not found" as the result of the ping. After putting this entry back in the hosts file, Isaserver2.contoso.com was able to resolve the name of Isaserver1.contoso.com and connect to the CSS server, and I was able to join the node to the array and complete its installation. As a variation on this, it is sometimes also possible that name resolution is working but connectivity between the two nodes is missing. Then we have to follow a different approach altogether to get the connectivity back and then move on (I will talk about the connectivity variation in a different post).

    3. There are situations when you are able to connect using ldp on port 2171 from Isaserver2.contoso.com but you are not able to connect using port 2172 with SSL. In that case repeat the ldp connect steps from the CSS server, i.e. Isaserver1.contoso.com, to itself and see if you can connect using port 2172 with SSL. If yes, then the server authentication certificate is correct and the SSL part is functional; if not, the issue could be related to the certificates. Things to check regarding the certificates on the CSS server are:

    a. Check the server authentication certificate first.

    b. To whom is this certificate issued, and does it match the name of the CSS server, i.e. is it issued to Isaserver1.contoso.com?

    c. Is this certificate expired? What is the validity period for this certificate?

    d. Does this certificate have the private key?

    e. Who is the Issuing Certificate Authority?

    f. Then check the certificate of the  Issuing Certificate Authority and its validity period.

    There are variations to this issue depending upon which component was missing or was not configured as required. I will discuss them either by adding to this post or by creating a new one. Till then

    Take care guys

    Suraj singh
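
The triage order from Parts 1 and 2 (name resolution, port 2171 without SSL, port 2172 with SSL, then the certificate checklist), as an added Python example that is not part of the original posts. It stands in for the ldp tests; the function names, the `ca_file` parameter and the mapping of OpenSSL verify codes to checklist items are assumptions of this example, and it assumes the probing host's TLS library can negotiate a protocol version the CSS offers.

```python
import socket
import ssl

PLAIN_PORT, SSL_PORT = 2171, 2172  # CSS ports named in the posts
# OpenSSL verify codes mapped to the posts' certificate checklist (a-f)
CERT_HINTS = {
    62: "name mismatch: certificate not issued to the CSS FQDN (check b)",
    10: "a certificate in the chain has expired (checks c and f)",
    19: "root CA certificate not in the trusted store (checks e and f)",
    20: "issuing CA certificate not in the trusted store (checks e and f)",
}

def probe(host, ca_file=None, timeout=5):
    """Collect observations: name resolution, 2171 plain, 2172 with SSL."""
    obs = {"resolved": False, "plain": False, "ssl": False, "verify_code": None}
    try:
        socket.getaddrinfo(host, SSL_PORT)
        obs["resolved"] = True
    except OSError:
        return obs  # nothing else can be tested without an address
    try:
        socket.create_connection((host, PLAIN_PORT), timeout).close()
        obs["plain"] = True
    except OSError:
        pass
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: exported root CA
    try:
        with socket.create_connection((host, SSL_PORT), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                obs["ssl"] = True  # chain, validity and name all verified
    except ssl.SSLCertVerificationError as err:
        obs["verify_code"] = err.verify_code
    except OSError:
        pass
    return obs

def diagnose(obs):
    """Apply the posts' triage order to the observations from probe()."""
    if not obs["resolved"]:
        return "name resolution: fix DNS or the hosts file entry for the CSS"
    if obs["ssl"]:
        return "ok: SSL connection to the CSS on 2172 verified"
    if obs["verify_code"] is not None:
        return "certificate: " + CERT_HINTS.get(obs["verify_code"], "walk checks a-f")
    if not obs["plain"]:
        return "connectivity: 2171 and 2172 both fail, certificates ruled out"
    return "ssl: 2171 works but 2172 fails, repeat the test on the CSS itself"

if __name__ == "__main__":
    print(diagnose(probe("Isaserver1.contoso.com")))  # host name from the posts
```

Run it on the joining node and again on the CSS itself, as the posts do with ldp. Check d (private key present) cannot be observed from the client side and still has to be confirmed in the certificate store on the CSS.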