How to fix Error code: 500 Internal Server Error in ISA

One of the most difficult errors to troubleshoot when using ISA or TMG is the 500 Internal Server Error. It’s so difficult because it is one of the most generic responses yet it has a number of possible causes. We’ll look at a few of the most common ones in this post, along with what to do to verify the cause and fix the problem.

Look closely at the response message to see what supporting details are in place, and consider what is going on between the client and the ISA/TMG or between your ISA/TMG and the internal server.

Are certificates in use?

Check the ISA/TMG logs for the entry: “A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)”. If certificates are in use, check the ISA/TMG server’s certificate store to make sure that the root certificate authority and any intermediate certificate authority are trusted. This includes both the certificates securing HTTPS communications and any client certificates used to authenticate the user. Importing the root and intermediate CA certificates into the ISA/TMG server’s operating system store, if they are not already present, will resolve most certificate issues. If you are unable to do this immediately, use HTTP to communicate with the internal server and a different form of authentication for the client.

Not supported?

When the client makes a request that is not supported by the ISA/TMG, or the response from the destination server is not supported, the ISA/TMG may return “Error Code: 500 Internal Server Error. The request is not supported. (50)” to the client. Often, this happens when a client request doesn’t specify a content encoding but the published server responds with a Content-Encoding specified in the HTTP response header. This is most likely to happen when compression filters are disabled on the ISA/TMG. To fix this for client proxy situations, follow the steps in KB927263. For secure publishing, set the SendAcceptEncodingHeader property using the VBScript found in this MSDN article.

Target principal name is incorrect

I have only encountered this error with secure web publishing (reverse proxying) and ISA or TMG. This error can be caused either by Kerberos authentication errors, or a name mismatch between what is listed in the CN or SAN attributes of a certificate and what is being requested by the client. To troubleshoot Kerberos errors, first use NTLM authentication or allow the client to authenticate directly to the internal server. If you are successfully able to authenticate and access the site, check to make sure that the ISA/TMG server is trusted for delegation and that the SPNs are correctly registered for the internal website. 

With certificates in play and a response saying: “target principal name is incorrect”, you need to check first to make sure that the name of the internal site that ISA/TMG is requesting matches the certificate.  If you can, switch to HTTP temporarily to make sure everything else works properly. If it does, check the value of the ‘To’ tab in your publishing rule to see if the name listed matches a name on the certificate.

 

 

If it does not, revise the “This rule applies to this published site:” field, or obtain a new certificate that lists that name in either the CN or SAN values. When I generate a CSR, I usually try to include every possible value in the SAN, including www.example.com, example.com, the IP address of the host, and the hostname and internal FQDN of the web server to make sure all bases are covered.
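
The name check described above, as an added example that is not part of the original post: it tests whether the name entered on the ‘To’ tab appears in a certificate's CN or SAN. The function names are hypothetical, the certificate is constructed sample data in the dict layout of Python's `ssl.SSLSocket.getpeercert()`, and the wildcard handling goes beyond what the text covers.

```python
import ipaddress

# Constructed sample certificate (getpeercert() layout); values are illustrative.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.corp.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

def cert_names(cert):
    """Return (dns_names, ip_addresses) listed in the SAN and the CN."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                dns.append(value.lower())
    return dns, ips

def dns_match(pattern, host):
    """Exact match, or a leftmost '*' label standing in for exactly one label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def published_name_matches(cert, name):
    """True if the name the proxy requests is present on the certificate."""
    dns, ips = cert_names(cert)
    name = name.strip().rstrip(".").lower()
    try:
        # An IP address must appear as an IP SAN, not as a DNS name.
        return ipaddress.ip_address(name) in ips
    except ValueError:
        return any(dns_match(p, name) for p in dns)
```

A bare hostname such as `web01` fails against this sample certificate because only the FQDN forms are listed, which is the mismatch that produces “target principal name is incorrect”.
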

While this covers the most common 500 errors you may encounter and how to fix them, feel free to ask about any other situations in the comments, and I will get back to you promptly with some advice.

This guest post was provided by Ed Fischer on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI web filtering solution

All product and company names herein may be trademarks of their respective owners.

 

 

 

 


  This web is provided "AS IS" with no warranties.
Copyright © 2002-2017 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.