‘Target Principal Name is incorrect’ error with ISA 2006 using a certificate with a SAN

I recently put together a PKI and I decided it was time to experiment with certificates with subject alternative names (SANs) today. I immediately fell into an easy trap!

If you make a certificate with a SAN, you MUST include the address you use for the CN in the SAN field too. It seems that when a certificate carries a SAN, ISA Server only looks for the DNS identity of the website it is publishing in the SAN entries and ignores the CN field entirely.

This leaves you with a “500 Internal Server Error – The target principal name is incorrect” error which is somewhat confusing!

So say you want a certificate that is valid for the following addresses:
site1.com
site2.com
site3.co.uk

What you must do is ensure you have the following field entries in your certificate:

cn=site1.com
san:dns=site1.com&dns=site2.com&dns=site3.co.uk

In that way the CN is used as an identifier, and the SANs are used in the name-validation checks by ISA. Note however that IE and Firefox will still use the CN for validity checking as well.
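As an added illustration (not code from the original post), the following Python models the SAN-first matching rule described above, using the `dns=...&dns=...` SAN syntax from the post, and includes a check that flags the trap of a CN missing from the SAN list. The function names and wildcard handling are my own assumptions, not ISA's implementation.

```python
"""Added example: SAN-aware host-name matching as described in the post.
If the certificate has a SAN extension, only the SAN dNSName entries are
consulted; the CN is used only when no SAN is present."""

from typing import List, Optional


def parse_san(san_attr: str) -> List[str]:
    """Parse 'san:dns=site1.com&dns=site2.com' into a list of DNS names.
    An optional leading 'san:' prefix (as written in the post) is accepted."""
    attr = san_attr.strip()
    if attr.lower().startswith("san:"):
        attr = attr[4:]
    names = []
    for part in attr.split("&"):
        key, _, value = part.partition("=")
        if key.strip().lower() == "dns" and value.strip():
            names.append(value.strip().lower())
    return names


def _name_match(pattern: str, host: str) -> bool:
    """Match one dNSName against a host. A '*' is allowed only as the
    left-most label and covers exactly one label (assumed RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def matches_hostname(cn: str, san_attr: Optional[str], host: str) -> bool:
    """SAN present -> only SAN entries count; SAN absent -> fall back to CN."""
    if san_attr:
        return any(_name_match(n, host) for n in parse_san(san_attr))
    return _name_match(cn, host)


def cn_missing_from_san(cn: str, san_attr: str) -> bool:
    """Lint check for the trap in the post: the CN must also appear in the SAN,
    otherwise a SAN-only validator will reject requests for the CN host name."""
    return not any(_name_match(n, cn) for n in parse_san(san_attr))
```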