The configuration is Exchange 2010/2013, ISA 2006, and Server 2003 hosting 2006.

We got expired certifcates of Exchange 2010, when replace it with new one, we are running into an error below on external client computers: 
Error :
0x80096004 the signature of the certificate cannot be verified

A good read with this:
I have verified most of the configurations are right and still got this error, so after a little bit more research, I found that windows 2003 that hosting ISA 2006 is not supporting new certificates with 2048 bits,
Thanks for this post:

Go download and installed

The error 0x80096004 is gone, YAY, BUT


I got a new error:

Testing URL https://xxxxxxx:443/OWA/
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to

done some research, I decide to use the same internal and external name for exchange. As well as the ISA settings.
EMC->ServerConfiguration->Client Access->OWA-> Change the internal access name
I am asked to change ECP virtual directory settings:
EMC->ServerConfiguration->Client Access->ECP-> Change the internal access name

Then I found another article similar to my case:

Now I can login, YAY, BUT,


I can log in but there is an empty screen. Then I realized that I forgot to do this:

Reset OWA virutal Directory

The emails are loaded, YAY, BUT, 


Now the internal and exteranl are both request username and password,

so I went back to OWA settings and find it is been changed. Change it back to windows and basic authencation then reset IIS.



And finally, it works! YAY! THEN, HOWEVER<

I found only administrators can login the OWA and for other users, they got another error:

you could not be logged on to isa server

So research again, found this:

Change the web listener to LDAP other than windows since the ISA server is not domain computer, problem finally solved!


YAY! It is great to learn something. I should pay Google other than pay tax.



Wrap up:

there are several things you need take care when replace certificate:

1. Certificate can not be verified?
1.1 If the certificate is up to date.
1.2 If the ISA server can pick up the certificate.

2. Certificate The target principal name is incorrect?
2.1. If the certificate including all the related domain names.
2.2. IF OWA settings, ECP settings,and ISA matching each other,

3. logged in but there is an empty screen?
3.1 OWA Vritual directory reset after change settings?

4. Internal OWA ask for password?
4.1 Check OWA settings, AGAIN.

Great to learn something today, since certifate expiration is not happening every day.

5. you could not be logged on to isa server

5.1 Check the web listener, if ISA server is not domain computer use LDAP other than domain authentication. Cheers!

About Lei

I am an IT specialist with over 10 year experience - years on Automation, on-Premise or Azure.

I am happy to develop however never want be a full time developer. Only do what I have to do. If it has to be PowerShell,HTML, PHP, CSS, C#, VBS or JS, front end or backend, so be it, doesn't matter!

Spent years with Windows, SCCM, SharePoint, SQL and Exchange servers. For last several years, I have been actively working under On Premise > Azure environment.


Current Certificates:
    Microsoft® Certified-
  • -Enterprise Administrator
  • -Database Administrator
  • -SharePoint Administrator
  • -Administering and Deploying SCCM 2012
Red Hat Certified Technician
ITIL V3 Foundation - Practitioner

Working on Azure Certificates now and hopefully they can stop upgrading their questions one day! GIVE ME A BREAK!

Contact Lei

Name *
Email *
Comments *

Traffic since 10/08/2016

This week517
This month2590

Visitor Info

  • IP:
  • Browser: Unknown
  • Browser Version:
  • Operating System: Unknown

Who Is Online