ADWS and TMG Listener

By SuperG - Last updated: Tuesday, April 3, 2012

Certificate Errors ADWS and TMG

Ran into a problem when trying to set up a Web Listener on TMG.

Exported the SSL Certificate from the IIS server (with private key)

Imported the SSL Certificate to the TMG server

Created the Web Listener

When choosing the SSL Certificate to use for the Web Listener I would get:

Incorrect key type for the Private Key


This is NOT a Cryptography Next Generation (CNG) certificate, because TMG (and ISA) don't support CNG (V3 certificates). So that is not the problem.

After digging around and looking at manual certificate requests, I noticed that the KeySpec was not set the same.

It seems that by default KeySpec is set to 2 when doing a manual certificate request on Windows 2008R2.

The trouble is caused by KeySpec=2 (Signature).

This should be changed to KeySpec=1 (Exchange).


On a similar note, the above "default" also seems to be a problem when doing a custom certificate request for Domain Controllers that are running Active Directory Web Services.

In the Event Viewer you see:

Active Directory Web Services could not initialize its endpoints. A networking error could have occurred

Event ID: 1002

Source: ADWS

And you may see:

An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Event ID: 36874

Source: Schannel

Computer: {This will be the Domain Controller}

So looking at this, ADWS is failing because the server cannot make an SSL connection with itself.

If you set KeySpec=1 for the DC certificate, or install a separate SSL certificate with KeySpec set to 1, ADWS will start to work and the two events above will no longer be logged.
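As an added example (not part of the original post), the PowerShell below does two things for the KeySpec problem described above: it lists the KeySpec of every certificate in the machine store so a Signature-only (KeySpec=2) key can be spotted before it is bound to a TMG Web Listener or relied on by ADWS, and it writes a certreq INF that explicitly requests KeySpec=1 (Exchange). The host name and file paths are constructed placeholders.

```powershell
# Added example, not from the original post. Host name and paths are placeholders.

function Get-CertKeySpec {
    # Report Subject, Thumbprint and KeySpec for each cert in the local machine store.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $spec = 'no private key'
        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey   # legacy CSP keys come back as RSACryptoServiceProvider
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # KeyNumber maps to KeySpec: Exchange = 1 (AT_KEYEXCHANGE), Signature = 2 (AT_SIGNATURE)
                    $kn = $key.CspKeyContainerInfo.KeyNumber
                    $spec = '{0} ({1})' -f $kn, [int]$kn
                } else {
                    $spec = 'non-CSP key, not usable by TMG/ISA'
                }
            } catch {
                # .NET throws when a CNG-stored key is read through the legacy PrivateKey property
                $spec = 'CNG key, not usable by TMG/ISA'
            }
        }
        New-Object PSObject -Property @{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; KeySpec = $spec }
    }
}

# Anything reported as "Signature (2)" will trigger the TMG and ADWS errors described in the post.
Get-CertKeySpec | Format-Table Subject, KeySpec, Thumbprint -AutoSize

# certreq INF that asks for an Exchange key. KeySpec is the point here; the other
# settings are ordinary SSL server-certificate values.
$inf = @"
[NewRequest]
; placeholder host name
Subject = "CN=dc01.example.local"
; 1 = Exchange (AT_KEYEXCHANGE). 2 = Signature, which breaks TMG listeners and ADWS.
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; Digital Signature + Key Encipherment
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path C:\temp\keyspec1.inf -Value $inf
# certreq -new C:\temp\keyspec1.inf C:\temp\keyspec1.req   # run elevated, then submit the .req to the CA
```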

Taken from an old Certificate request text file:


SuperG
