Issue: Not Synced Server Configuration does not match with stored configuration
Cause: FF TMG 2010 Array certificates expired.
Solution: The following steps fix the issue. Note that these steps describe my situation, where the TMG 2010 Enterprise array is deployed in a workgroup.
Step1: Run the ISA BPA on a TMG 2010 array member
Step2: Verify the certificate expiry date
1. From the Start menu, click Run. Type MMC, and then click OK.
2. In MMC, click File, and then click Add/Remove Snap-in.
3. Click Add to open the Add Standalone Snap-in dialog box.
4. From the list of snap-ins, select Certificates, and then click Add.
5. Select the service account and click Next.
6. Click Next.
7. Select ISASTGCTRL and click Finish.
8. Browse to ADAM_ISASTGCTRL\Personal > Certificates.
9. Open the certificate to see if it is expired.
Step3: Create a request.inf file. Open Notepad, paste the following text, change the CN and domain details to suit your environment, and save the file as request.inf. An example of the .inf file is:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=myTMG.mydomain.com"
EncipherOnly = FALSE
Exportable = TRUE
KeyLength = 1024
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[RequestAttributes]
CertificateTemplate = WebServer
Step4: Create the certificate request for the Root/Subordinate CA
Open an elevated command prompt. At the command prompt, type the following command, and then press ENTER:
certreq -new -f request.inf certnew.req
Important! This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.
Step5: Submit the request and obtain the certificate
Open an elevated command prompt. At the command prompt, type the following command, and then press ENTER:
certreq -submit certnew.req certnew.cer
Important! certnew.req was generated by the previous command; certnew.cer is the issued certificate you need.
An alternative way of submitting the request to the CA:
- Open the Certification Authority console
- Right-click the CA server > All Tasks > Submit new request
- Point to the location of the certnew.req file
- Save the issued certificate as certnew.cer in the preferred location
Step6: Convert the certificate into .pfx format
Import the certificate certnew.cer on a server or an admin workstation:
1. On the server or admin workstation, click Start, click Run, and then type mmc to start the Microsoft Management Console.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
3. In Available snap-ins, click Certificates, and then click Add.
4. Select Computer account, and then click Next.
5. Select Local computer, and then click Finish.
6. If you have no more snap-ins to add to the console, click OK.
7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.
8. In the details pane, click the certificate you want to manage.
9. On the Action menu, point to All Tasks, and then click Import. The Certificate Import Wizard appears. Click Next.
10. Browse to the location of the certnew.cer file.
11. Complete the wizard to import the certificate.
To export the certificate in PFX format using the Certificates snap-in:
1. On the same server or admin workstation, click Start, click Run, and then type mmc to start the Microsoft Management Console.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
3. In Available snap-ins, click Certificates, and then click Add.
4. Select Computer account, and then click Next.
5. Select Local computer, and then click Finish.
6. If you have no more snap-ins to add to the console, click OK.
7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.
8. In the details pane, click the certificate you want to manage.
9. On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.
10. On the Export Private Key page, click Yes, export the private key. Click Next.
11. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.
12. On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.
13. Follow the pages of the wizard to export the certificate in PFX format.
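Before importing certnew.pfx into the array in Step 7, it is worth confirming that the exported file actually matches what request.inf asked for and will chain to a CA the array member trusts. The following PowerShell script is an added example and not part of the original post; the PFX path is a placeholder, and the expected CN and key length are the values used in request.inf above.

```powershell
# Added example (not from the original post): sanity-check certnew.pfx before
# importing it into the TMG array in Step 7. The path is a placeholder; the
# expected CN and key length are the values used in request.inf above.
param(
    [string]$PfxPath    = 'C:\certs\certnew.pfx',  # placeholder location of the PFX
    [string]$ExpectedCN = 'myTMG.mydomain.com',    # Subject CN from request.inf
    [int]$MinKeyLength  = 1024,                    # KeyLength from request.inf (2048 is the usual minimum today)
    [int]$WarnDays      = 30                       # fail if the cert expires within this many days
)
$x509     = 'System.Security.Cryptography.X509Certificates'
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert     = New-Object "$x509.X509Certificate2" -ArgumentList $PfxPath, $password, $flags
$now      = Get-Date
# Subject CN as the TMG console will display it
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
# Enhanced Key Usage extension (OID 2.5.29.37) must list Server Authentication
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$serverAuth = $null
if ($eku) { $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' } }
# The machine running this must be able to build a chain to the issuing CA
$chain       = New-Object "$x509.X509Chain"
$chainOk     = $chain.Build($cert)
$chainDetail = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
if (-not $chainDetail) { $chainDetail = 'OK' }
$keySize = $cert.PublicKey.Key.KeySize
$checks = @(
    @{ Name = 'Private key present';               Pass = $cert.HasPrivateKey;                          Detail = "HasPrivateKey=$($cert.HasPrivateKey)" }
    @{ Name = "Subject CN is $ExpectedCN";          Pass = ($cn -eq $ExpectedCN);                        Detail = "CN=$cn" }
    @{ Name = 'Validity period has started';        Pass = ($cert.NotBefore -le $now);                   Detail = "NotBefore=$($cert.NotBefore)" }
    @{ Name = "Expires more than $WarnDays days out"; Pass = ($cert.NotAfter -gt $now.AddDays($WarnDays)); Detail = "NotAfter=$($cert.NotAfter)" }
    @{ Name = 'Server Authentication EKU';          Pass = [bool]$serverAuth;                            Detail = 'OID 1.3.6.1.5.5.7.3.1' }
    @{ Name = "Key length >= $MinKeyLength";        Pass = ($keySize -ge $MinKeyLength);                 Detail = "KeySize=$keySize" }
    @{ Name = 'Chain builds to a trusted CA';       Pass = $chainOk;                                     Detail = $chainDetail }
)
$failed = 0
foreach ($c in $checks) {
    if ($c.Pass) { $state = 'PASS' } else { $state = 'FAIL'; $failed++ }
    Write-Host ('{0} {1}: {2}' -f $state, $c.Name, $c.Detail)
}
$cert.Reset()   # release the temporary key container created when the PFX was loaded
if ($failed -gt 0) { Write-Host "$failed check(s) failed; fix the request before importing."; exit 1 }
Write-Host 'certnew.pfx passed all checks; proceed with Step 7.'
```

Run it on the admin workstation where the PFX was exported; a chain failure there usually means the issuing CA certificate also needs to be trusted on each array member before the import in Step 7 will work.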
Step7: Import the certificate into the TMG array
Log on to the TMG server and open the FF TMG 2010 console.
1. Click System, and then click the server that is one of the array members.
2. In the task pane, click Import Server Certificate.
3. Browse to the location of the certificate and import the certnew.pfx file.
4. Click OK.
5. Click Refresh on the System node.
Step8: Repeat all of the above steps on every array member
Step9: Refresh the array members and check the system status
Check the TMG-related services.
Special thanks to Raihan Al-Beruni