Error message when you configure an Active Directory repository to use SSL in IAG 2007: "Invalid alternate server. Make sure the settings are correct, the server is functioning, and the access to server is not blocked by the firewall"
This article has been archived. It is offered "as is" and will no longer be updated.
When you configure an Active Directory authentication repository in Microsoft Intelligent Application Gateway (IAG) 2007 with an alternate (secondary) server, the following error message is returned to the IAG administrator when the repository configuration is saved:
The server connection settings are invalid. Error Message: Invalid alternate server. Make sure the settings are correct, the server is functioning, and the access to server is not blocked by the firewall.
This problem occurs if the Secure Port check box is selected to enable Secure Sockets Layer (SSL) for the alternate server.
Note The error occurs even if the settings are correct.
This problem occurs because, when SSL is used for repository server verification, IAG requires that the server be defined by its fully qualified domain name (FQDN) so that the name can be checked against the server certificate. For an alternate server, however, IAG 2007 resolves the FQDN to an IP address before it connects and then verifies the certificate against that IP address. The server certificate is issued for the host name, not for the IP address, so the certificate name check fails and server verification fails.
To resolve this problem, install Update 1 for Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2). This update is described in the following Microsoft Knowledge Base article:
968384 Description of Update 1 for Intelligent Application Gateway 2007 Service Pack 2
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Steps to reproduce the behavior
In IAG 2007, create a new authentication repository.
Select the Active Directory type for the authentication repository.
Configure the primary server to an invalid server name, and configure the secondary server to a valid server name.
Click to enable the Secure Port check box for both the primary server and the secondary server to enable SSL authentication.
Complete the rest of the repository configuration.
Click OK to save the configuration.
In this situation, you receive the error message that is mentioned in the "Symptoms" section.
Additionally, a Schannel event is logged for the IP address that the host name of the secondary server resolves to. The event is logged because the SSL negotiation is performed against the IP address instead of the host name; the name in the server certificate is the host name, so it does not match the IP address, and the connection fails. The Schannel event resembles the following:
Event ID 36884 Source schannel
The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is <x.x.x.x>. The SSL connection request has failed. The attached data contains the server certificate.
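The name check that fails here can be reproduced without IAG. The following Python script is an added example, not code from this article or from IAG: it implements the certificate name-matching rule a TLS client applies (a dNSName entry in the certificate is never matched against an IP literal, which is why translating the FQDN to an IP address breaks verification), runs it over a constructed subjectAltName list like the one on a typical domain controller certificate, and includes a probe function that performs the same check live against an LDAPS port. The host name dc01.corp.example.com, the address 10.0.0.5 and the SAN entries are assumptions.

```python
import ipaddress
import socket
import ssl

# Constructed sample (assumption, not from the article): the subjectAltName
# entries of a typical domain controller certificate. Note there is no
# "IP Address" entry, which is the normal case for a DC certificate.
DC_CERT_SAN = (
    ("DNS", "dc01.corp.example.com"),
    ("DNS", "corp.example.com"),
)


def _dns_name_match(pattern, name):
    """RFC 6125 style dNSName comparison: case-insensitive, trailing dot
    ignored, a wildcard is honoured only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        plabels = pattern.split(".")
        nlabels = name.split(".")
        return len(plabels) == len(nlabels) and plabels[1:] == nlabels[1:]
    return False


def cert_matches_target(san_entries, target):
    """Decide whether a certificate with the given SAN entries is valid for
    the name the client expected (what IAG passes to the SSL negotiation).

    san_entries uses the same shape as ssl.getpeercert()['subjectAltName']:
    a sequence of (kind, value) pairs with kind "DNS" or "IP Address".
    Returns (matched, reason). If target is an IP literal, only "IP Address"
    entries can satisfy it; DNS entries are deliberately not consulted,
    which is exactly what IAG's FQDN-to-IP translation trips over."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in san_entries:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value} matches"
        return False, (f"no iPAddress SAN equals {target}; dNSName entries "
                       "are not consulted for an IP literal")

    for kind, value in san_entries:
        if kind == "DNS" and _dns_name_match(value, target):
            return True, f"dNSName SAN {value} matches"
    return False, f"no dNSName SAN matches {target}"


def probe_ldaps(connect_to, expected_name, port=636, timeout=5.0):
    """Live check (needs network; not exercised offline): open TLS to
    connect_to on the LDAPS port and verify the certificate against
    expected_name. Call it once with the FQDN for both arguments and once
    with the resolved IP for both to reproduce the behaviour described
    in the article. Returns (ok, detail)."""
    ctx = ssl.create_default_context()  # chain validation + name check on
    try:
        with socket.create_connection((connect_to, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_name) as tls:
                return True, tls.getpeercert().get("subjectAltName")
    except ssl.SSLCertVerificationError as exc:
        # For an IP target on a DC certificate this is the name mismatch
        # that Schannel reports as event 36884 on the IAG side.
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for target in ("dc01.corp.example.com", "DC01.corp.example.com", "10.0.0.5"):
        print(target, "->", cert_matches_target(DC_CERT_SAN, target))
    # Uncomment against a real domain controller (assumed names):
    # print(probe_ldaps("dc01.corp.example.com", "dc01.corp.example.com"))
    # print(probe_ldaps("10.0.0.5", "10.0.0.5"))
```

The offline function shows the rule directly: the same certificate validates for the FQDN (in any letter case) and fails for the IP literal unless the certificate also carries an iPAddress entry, which domain controller certificates normally do not. The live probe applies the same rule through Python's ssl module, so running it with the IP address reproduces the name-mismatch failure without involving IAG at all.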
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates