The target principal name is incorrect

Question
When I try to connect to the host, I get the error The target principal name is incorrect. What does this mean?

Answer
This error appears on Windows systems during host certificate validation. The TLS protocol includes a step where the client (the emulator) inspects the certificate presented by the server (the host). Part of that inspection is verifying that the name in the host's certificate matches the name used to connect to the host. Windows refers to the name in the host's certificate as the target principal name.

Easy, but insecure workaround
The easiest way to fix this is to disable host certificate validation. The downside to doing this is that you lose the protection of this part of the TLS protocol.

In wc3270, use the Session Wizard to modify your session. Select the option Verify host certificates and change the value from Yes to No.

In s3270 and pr3287, add the Y prefix to the hostname.

In wx3270, edit the host connection and uncheck the option labeled Verify host certificate.

More complex, but more secure workaround
The better way to fix this is to specify a particular name to match in the host certificate. This is much more secure, but takes a couple of steps to complete.

First, you must discover the names that the host is including in its certificate. To do this, perform the step above to (temporarily) turn off host certificate validation. Then connect to the host.

In wc3270, hit the Esc key to break to the wc3270> prompt. Then enter the command show tlsCertInfo. The output should include a line that begins with Subject: and includes a field that starts with CN=. What follows after the CN= is the name. For example: wc3270> show tlsCertInfo Subject: C=US S="South Dakota", L="Pierre", O="Hosts R Us", OU=xyz, CN=myhost.hostsrus.com ...

In wx3270, right-click on the the actions button on the main window and select wx3270> prompt. When the wx3270> prompt appears, enter the show tlscertInfo command as described above.