The target principal name is incorrect

From The x3270 Wiki

Question

When I try to connect to the host, I get the error The target principal name is incorrect. What does this mean?

Answer

This error appears on Windows systems during host certificate validation. The TLS protocol includes a step where the client (the emulator) inspects the certificate presented by the server (the host). Part of that inspection is verifying that the name in the host's certificate matches the name used to connect to the host. (Windows refers to the name in the host's certificate as the target principal name.) The error means that the two names do not match.

Easy, but insecure workaround

The easiest way to fix this is to disable host certificate validation. The downside to doing this is that you lose the protection of this part of the TLS protocol.

In wc3270, use the Session Wizard to modify your session. Select the option Verify host certificates and change the value from Yes to No.

In wx3270, edit the host connection and uncheck the option labeled Verify host certificate.

In s3270 and pr3287, add the Y: prefix to the hostname.

More complex, but more secure workaround

The better way to fix this is to specify a particular name to match in the host certificate. This is much more secure, but takes a couple of steps to complete.

Step 1: Find the name in the host certificate

First, you must discover the name that the host is including in its certificate. To do this, perform the step above to (temporarily) turn off host certificate validation. Then connect to the host.

In wc3270, hit the Esc key to break to the wc3270> prompt. Then enter the command show tlsCertInfo. The output should include a line that begins with Subject: and includes a field that starts with CN=. What follows after the CN= is the name. For example:

wc3270> show tlsCertInfo
Subject: C=US S="South Dakota", L=Pierre, O="Hosts R Us", OU=xyz, CN=myhost.hostsrus.com
...

In wx3270, right-click on the actions button on the main window and select wx3270> prompt. When the wx3270> prompt appears, enter the show tlsCertInfo command as described above.

Don't forget to turn host certificate validation back on (reversing the "easy" instructions above) and to add the name to match, as described in Step 2.

Step 2: Specify that name when connecting to the host

In wc3270, use the Session Wizard to modify your session. Select the option Edit miscellaneous resources with Notepad. In Notepad, go to the bottom of the file and add the following line, changing myhost.hostsrus.com to the CN= name (without the CN= part) displayed earlier.

wc3270.acceptHostname: myhost.hostsrus.com

In wx3270, edit the host connection and enter the CN= name (without the CN= part) displayed earlier into the Accept hostname field.

In s3270 and pr3287, add the CN= name (without the CN= part) displayed earlier to the hostname, for example:

s3270 somexternalname.legtimatebusiness.com=myhost.hostsrus.com
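
Steps 1 and 2 above, as an added example that is not part of the wiki page or the x3270 project: a Python helper that takes the Subject: line printed by show tlsCertInfo, extracts the CN= name, and builds the wc3270 resource line and the s3270 host argument. The function names are hypothetical, and the parser assumes the Subject: format matches the sample line shown in Step 1.

```python
import re

# KEY=value pairs; a value is "quoted" or a bare run without comma/space.
_PAIR = re.compile(r'([A-Za-z]+)=("(?:[^"\\]|\\.)*"|[^,\s"]+)')
# Conservative shape of a plain DNS host name (no wildcard, no port, no '=').
_DNS = re.compile(r'(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*'
                  r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?')

# The sample Subject: line shown in Step 1 of this page.
SAMPLE = ('Subject: C=US S="South Dakota", L=Pierre, O="Hosts R Us", '
          'OU=xyz, CN=myhost.hostsrus.com')

def subject_fields(line):
    """Split a 'Subject:' line into (KEY, value) pairs, unquoting values."""
    line = line.strip()
    if not line.startswith("Subject:"):
        raise ValueError("not a Subject: line")
    pairs = _PAIR.findall(line[len("Subject:"):])
    return [(k.upper(), v[1:-1] if v.startswith('"') else v) for k, v in pairs]

def accept_name(line):
    """Return the single CN, rejecting anything that is not a plain host name.

    The certificate was read with validation off, so treat it as untrusted.
    """
    cns = [v for k, v in subject_fields(line) if k == "CN"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN, found %d" % len(cns))
    if not _DNS.fullmatch(cns[0]):
        raise ValueError("CN is not a plain host name: %r" % cns[0])
    return cns[0]

def settings(connect_name, line):
    """Build the Step 2 settings for the name used to reach the host."""
    cn = accept_name(line)
    return {
        # Simplified comparison: exact name only, case-insensitive.
        "mismatch": connect_name.lower() != cn.lower(),
        "wc3270_resource": "wc3270.acceptHostname: " + cn,
        "s3270_host": connect_name + "=" + cn,
    }

if __name__ == "__main__":
    for key, value in settings("somexternalname.legtimatebusiness.com", SAMPLE).items():
        print(key, "->", value)
```

A CN= inside a quoted field is not mistaken for the real one, and a CN containing characters such as : or = is rejected so it is never pasted into a host string.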