Error message when you configure an Active Directory repository to use SSL in IAG 2007: "Invalid alternate server. Make sure the settings are correct, the server is functioning, and the access to server is not blocked by the firewall"

Article ID: 960248

SYMPTOMS

When you configure an Active Directory repository to act as an alternate server in Microsoft Intelligent Application Gateway (IAG) 2007, the following error message is returned to the IAG administrator when the repository configuration is completed:
The server connection settings are invalid.
Error Message: Invalid alternate server. Make sure the settings are correct, the server is functioning, and the access to server is not blocked by the firewall.
This problem occurs if the Secure Port check box is selected to enable Secure Sockets Layer (SSL) for the alternate server.

Note: The error occurs even if the settings are correct.

CAUSE

This problem occurs because IAG requires that the server is defined by using a fully qualified domain name (FQDN) when you use an SSL connection for a repository server verification. However, for an alternate server, IAG 2007 translates an FQDN to an IP address. Therefore, a server verification failure occurs.

RESOLUTION

Update information

To resolve this problem, install Update 1 for Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2). This update is described in the following Microsoft Knowledge Base article:
968384 Description of Update 1 for Intelligent Application Gateway 2007 Service Pack 2

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

Steps to reproduce the behavior

  1. In IAG 2007, create a new authentication repository.
  2. Select the Active Directory type for the authentication repository.
  3. Configure the primary server to an invalid server name, and configure the secondary server to a valid server name.
  4. Click to enable the Secure Port check box for both the primary server and the secondary server to enable SSL authentication.
  5. Complete the rest of the repository configuration.
  6. Click OK to save the configuration.
In this situation, you receive the error message that is mentioned in the "Symptoms" section.

Additionally, a Schannel event shows that an error occurs for the IP address that corresponds to the host name that is used for the secondary server setting. This error occurs because SSL negotiation uses the IP address instead of the host name. Because the name in the server certificate does not match the IP address, the SSL connection fails. The Schannel event resembles the following:

Event ID 36884
Source schannel

The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is <x.x.x.x>. The SSL connection request has failed. The attached data contains the server certificate.
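
The following added example is not part of the original article and is not IAG or Schannel code. It is a simplified model of certificate name checking that shows why a certificate issued for an FQDN fails when the expected name is an IP address, and it triages the text of event 36884. The host name dc2.corp.example, the address 192.0.2.10, and all function names are assumptions made for illustration.

```python
import ipaddress
import re

def is_ip_literal(name):
    """True when the name a client expects is an IP address, not a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Compare one DNS name from a certificate with a host name.
    A leading '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def cert_matches(expected, dns_names, ip_names=()):
    """An expected IP address is checked only against IP entries in the
    certificate; an expected host name only against DNS entries."""
    if is_ip_literal(expected):
        want = ipaddress.ip_address(expected)
        return any(ipaddress.ip_address(ip) == want for ip in ip_names)
    return any(dns_match(n, expected) for n in dns_names)

# Pulls the expected name out of the text of Schannel event 36884.
EXPECTED = re.compile(r"expecting is\s+<?([^\s<>]+?)>?\.(?:\s|$)")

def triage_36884(message, dns_names, ip_names=()):
    """Return the expected name, whether it is an IP address, and whether the
    certificate's names would satisfy it; None if the text does not parse."""
    m = EXPECTED.search(message)
    if m is None:
        return None
    name = m.group(1)
    return {"expected": name,
            "expected_is_ip": is_ip_literal(name),
            "cert_matches": cert_matches(name, dns_names, ip_names)}

# Constructed sample: event text as quoted in the article, with a
# documentation-range IP address in place of <x.x.x.x>.
SAMPLE_EVENT = ("The certificate received from the remote server does not "
                "contain the expected name. The server name we were expecting "
                "is 192.0.2.10. The SSL connection request has failed.")
CERT_DNS_NAMES = ["dc2.corp.example"]  # constructed: certificate names the FQDN only

if __name__ == "__main__":
    print(triage_36884(SAMPLE_EVENT, CERT_DNS_NAMES))
    print(cert_matches("dc2.corp.example", CERT_DNS_NAMES))
```

An expected name that parses as an IP address in event 36884 indicates that the client connected by address rather than by the FQDN in the certificate, which is the condition described in the "Cause" section.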

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 960248 - Last Review: May 5, 2009 - Revision: 3.0
APPLIES TO
  • Microsoft Intelligent Application Gateway 2007
Keywords: 
kbautohotfix kbexpertiseinter kbfix kbsurveynew kbqfe KB960248