Error Code: 500 Internal Server Error. The target principal name is incorrect

After moving (i.e., an actual physical move to a brand new building) the Windows SBS server from one location to another, accessing OWA or Remote no longer works.  Now this used to work (for several months).  When I moved the SBS server, the only two things I changed were the WAN IP address and the Gateway address in the SonicWall (which is the external firewall we are also using with ISA 2004) because we received new addresses.  (BACKGROUND information on setup:  using a Netopia router which the SonicWall is connected to, and an SBS server (with the Blackberry server installed on it, but that is not causing this problem because it was working prior).)

As mentioned, this used to work for several months, so what would cause this "now" to not work?  Creating the certificates and creating the publishing rules were actually done by someone else, so I do not know how he did a lot of things.  However, I have tried several things.  In another forum someone suggested I re-run CEICW and I did, but it still does not work.  Could the certificate be looking for the old IP addresses?  Can a certificate be modified?  How do I delete the old certificate(s)?  Do I have to re-create it and if so, how?  I have checked the publishing rules in ISA and all show that certificate that he created, and I do not see where it is looking for the old "static" IP address (I changed the static IP address in the SonicWall for the WAN IP address).  There is also a hosts file on C:\ and in that file it shows the server's internal IP address, which did not change.  

Also for the CEICW, it states to "create a web server certificate named ISAcert.cer in the \sbcert folder" and to also "create an additional web server certificate named sbscert.cer and install this certificate in IIS."  How is all of this done?  

Since I am not even close to being an expert here, there’s a lot I do not know how to do but can definitely follow detailed instructions.  So if anyone can just tell me what I need to look for, how to create certificates (or use the snap-in?) and anything else, I would truly appreciate it!  I have been working on this for over 2 months now and if I was not confused at the beginning, I am definitely confused now!  I have read and printed out so much information off of the internet about the “500 error message”, “publishing rules”, etc., that I do not know where to start anymore.  PLEASE help!!!!!

1. The certificate is based on the FQDN, not the IP address

2.  Did someone update the external DNS records to point to the new WAN IP addresses you were assigned by the ISP?  Go to and run a report on your domain name.  Also go to and do DNS lookups (right side of the page) on the external name of your OWA.

3.  Can you connect internally to OWA?  Use the outside http address, and also try http://IPaddress/exchange (or whatever is your internal IP of the OWA server plus whatever the /exchange is...for instance you may be using
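Added example, not part of this thread or of any SBS/ISA component: a small Python model of the name check a TLS client (ISA's web publishing rule included) performs when it opens an SSL connection to the published server. It illustrates point #1 above: the certificate is bound to a DNS name, so the typed name must match a name in the certificate, and an IP address literal such as http://IPaddress/exchange never matches a dNSName entry no matter how the WAN or gateway addresses change. The certificate names below are constructed for the example; the asker's real certificate names are not known.

```python
import ipaddress

# Constructed sample: the dNSName entries a certificate for an OWA host might carry.
# These are assumed names for the example, not the asker's real certificate.
OWA_CERT_NAMES = ["mail.example.com", "*.example.com"]


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: case-insensitive, a trailing dot is ignored,
    and a wildcard is only honoured as the entire left-most label, matching
    exactly one label (so "*.example.com" matches "owa.example.com" but not
    "a.b.example.com" or "example.com"; "*.com" is rejected outright)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_hostname(cert_names, requested_host: str) -> bool:
    """True if the name the client used matches a dNSName in the certificate.

    An IP address literal is rejected before any comparison: dNSName entries
    are never compared against IP addresses (that would need an iPAddress SAN,
    which web-server certificates issued for an FQDN do not carry). This is
    why browsing to https://<ip>/exchange fails the name check even when the
    certificate itself is perfectly valid for the FQDN."""
    try:
        ipaddress.ip_address(requested_host)
        return False
    except ValueError:
        pass
    return any(_match_dns_name(name, requested_host) for name in cert_names)


def check_publishing_target(cert_names, target_name: str) -> str:
    """Summarise the outcome the way a publishing rule would experience it:
    either the name check passes, or the connection is refused for a principal
    name mismatch (the condition behind a "target principal name is incorrect"
    style failure when the rule's target does not match the certificate)."""
    if cert_matches_hostname(cert_names, target_name):
        return "name check passes for " + target_name
    return "principal name mismatch for " + target_name


if __name__ == "__main__":
    for name in ("mail.example.com", "owa.example.com", "192.168.1.10", "example.com"):
        print(check_publishing_target(OWA_CERT_NAMES, name))
```

The practical consequence for the setup in the question: changing the SonicWall's WAN address cannot by itself invalidate the certificate, but every place the FQDN is resolved or configured (external DNS, the ISA publishing rule's target, the listener) must still line up with the name on the certificate, and internal tests should use that FQDN rather than the server's IP.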
jackee99Author Commented:

For #2:  for "":  everything passed except there was a FAIL for "Reverse DNS entries for MX records" and it shows "The problem MX records are:".  What is this?  I have never seen that address before.

I also ran "" and it shows the domain name, type of record and the ip address of my external firewall (Sonicwall).  So this is good - right?

For #3:  When I go to the customer's site this weekend, I will try to connect internally to OWA.  I think the last time I tried it, it worked.  I also tried "http://ipaddress/exchange" and that did not work.

I guess if I knew what changed or how something changed, then this probably would not be so difficult to figure out, but I am clueless!  If the only two things that changed were the WAN IP address for the SonicWall and the Gateway for the SonicWall, then why would this not work anymore?  Now when we also moved, I got a new Netopia router from the ISP and I did have to go into it and put in the static IP address (which is the one in the SonicWall).  Could this be affecting it?
Things I can think of that may be it:

1.  The WAN IP address was changed and the NATing rules / firewall rules weren't updated correctly.

2.  The sonicwall cannot see the OWA server (can you test from the Sonicwall?)

3.  Reverse DNS is handled by the ISP that owns 205.178.x.x, they should have a reverse entry for that "hostname" (usually dynamic).

4.  In ISA check the "external web listener" address.

Are you double NATing?

In other words is the setup:

Internet IP >>> Sonicwall >>> DMZ addresses  >>> External IP of ISA (like a 192 address)>>>> Internal network

or is it a single NAT:

Internet IP >>> Sonicwall >>> External IP of ISA (same subnet as your Internet IP) >>>> internal network

jackee99Author Commented:

1.  For #1 (the WAN IP address was changed and the NATing rules / firewall rules weren't updated correctly):  then how do I fix it?

2.  For #2 (The sonicwall cannot see the OWA server (can you test from the Sonicwall?) - How would I test from the Sonicwall?

3.  For #3 (Reverse DNS is handled by the ISP that owns 205.178.x.x, they should have a reverse entry for that "hostname" (usually dynamic) - So I have to contact SBC?

4.  For #4 (In ISA check the "external web listener" address) - will check again but do not know what I am looking for.

5.  (Are you double NATing?) - what is this?  Would the router (which is a Netopia router from the ISP - SBC) be affecting this?  Maybe there's something in there that is set up which is causing this problem now whereas before when they had a different router (even though it was a Netopia provided by SBC, SBC set that one up so I do not know what he may have set in that one and maybe this one is set wrong?)

Even though I may know some things (I am more of a software/trainer type person than a true-blue network person), I have no idea what to look for here.  I know I have read about NAT but would have to go and check to see how it was set up.

I may have set up the SBS 2003 system but I did not do the certificate or the publishing rules.  Those were done by someone else so I have no clue how he did this.  I do not even know how the certificate got created or imported.  I know you may not have a lot of time and are extremely busy, but can you give me the exact steps to create a certificate and then import? it into ISA?

Sorry to be so dense here and I really appreciate all of your help!  I am going out to the customer site again tomorrow so hopefully I can resolve it but unfortunately I do not have faith in my ability for this!  :(


If you aren't quite sure then I'd bring in an expert personally, no sense in beating your head against the wall for days, and having users upset.

To go back over the #s you posted:

1.  You'll need to check your ISA setup.  Again you'll probably need someone onsite that knows ISA

2.  That I don't know.  I've had a Sonicwall in the past, but I'm not familiar with them now.  There may be some diagnostics tabs or logging that you could use to help troubleshoot if the traffic is getting past the Sonicwall or not.

3.  No, I'm simply stating that Reverse DNS zones are typically controlled by the companies that own that IP block.  You can contact whoever gave you that IP range and ask them about the reverse lookups and if there are entries for that IP or not.

4.  Again, probably need an expert.  But a quick way is to first check the TCP/IP properties on the external NIC of the ISA server and see what IPs are assigned to it.  Then inside ISA, look on the right for "Web Listeners".  This is very generic what I'm telling you, but a walkthrough is pretty long and detailed.

5.  Basically double natting is when the NAT address changes twice.  For instance if your internal ISA IP is then that's your internal IP range.  The external IP on ISA could be, that's your "DMZ range".  Then the internal IP of the Sonicwall is, and it's external is some IP that SBC gave you.  That would be "double natting" you are essentially changing your twice, first into a 192.168 address, and then again by the Sonicwall into an external SBC address.  Things start to get sticky then.  It could be even worse if you are again Natting from the Sonicwall to the Netopia and then out to SBC.  That would be pretty wild!

Again, it's not that I don't mind helping, but troubleshooting on EE isn't easy, and we could go in circles for days since I can't actually see the setup.  Hiring an ISA consultant to swing in and work it out may be your best option.

I would also suggest going to and getting the ISA 2004 book, it's a great resource if you are going to be using ISA.
