Solved

Exchange 2010 self Cert

Posted on 2012-03-19
9
623 Views
Last Modified: 2012-08-13
I'm getting the following error and I'm not sure how to fix it.:

Microsoft Exchange could not find a certificate that contains the domain name MSG.schulershook.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MSG with a FQDN parameter of MSG.domain.loca. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
0
Comment
Question by:Darth_mark67
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
9 Comments
 
LVL 40

Expert Comment

by:Adam Brown
ID: 37738719
If you only have a Self-Signed certificate, you'll want to modify your send and receive connectors so they are using just <servername> and not <servername.domain.local> as the response for EHLO HELO. If you have a cert that matched the domain name you have configured, configure your server so that cert is used for SMTP.
0
 

Author Comment

by:Darth_mark67
ID: 37739081
I have a digi cert but we deleted the self created cert.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 37739113
Okay, so make sure your connectors have the website host name defined in the cert as their FQDN for HELO. You can do this by going to Organization Config\Hub Transport then right click on your Send connector and click Properties. The line there asking for an FQDN should match the FQDN defined on the cert. Do the same at Server Config\Hub Transport for your Receive Connectors.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Darth_mark67
ID: 37739268
send connector has mail.domain.com
 both receive connectors (client and default) have mail.domain.com

initially the client had the msg.domain which I changed to our exchange cert (mail.domain.com).

but I'm still getting the error message.
0
 
LVL 40

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 37739296
Open the Exchange Management Shell and run get-exchangecertificate | fl

Make sure that the Services section for the Certificate you're using has SMTP in it.
0
 

Author Comment

by:Darth_mark67
ID: 37739322
Here it is, looks ok.


         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #77:

Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are p
eople who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
If you want to manage permissions for end users, use management role assignment policies.

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>Get-Exchangecertificate |fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.schulershook.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
NotAfter           : 6/27/2012 7:00:00 AM
NotBefore          : 4/19/2011 7:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 0F0405297F2B509183D6DA70BB642499
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=mail.schulershook.com, OU=IT, O=Schuler Shook, L=Chicago, S=Illinois, C=US
Thumbprint         : A46B4DF3B2BE16D63AF8AE9FEAF8F0BD77B825AF



[PS] C:\>
0
 

Author Comment

by:Darth_mark67
ID: 37740597
Is this correct?


         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #84:

When you are creating a new Edge subscription, you need to run the New-EdgeSubscription cmdlet first on your Edge Transp
ort server, and then on an administrator console that is connected to your internal Exchange organization. However, beca
use Exchange 2010 uses remote Windows PowerShell, you can no longer use the Path parameter when importing an Edge subscr
iption file. Instead you need to use the Get-Content cmdlet to first retrieve and encode the data, and then pass it to t
he New-EdgeSubscription cmdlet, like so:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)
) -Site "Default-First-Site"

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>get-outlookprovider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                        msstd:<mail.domain.com> 1
EXPR                                                        msstd:<mail.domain.com> 1
WEB                                                         msstd:<mail.domain.com> 1


[PS] C:\>
0
 

Author Comment

by:Darth_mark67
ID: 37740638
Here is something else

The subject alternative name (SAN) of SSL certificate for https://msg.schulershook.net/Autodiscover/Autodiscover.xml does not appear to match the host address. Host address: msg.schulershook.net. Current SAN: DNS Name=mail.domain.com.
0
 

Author Comment

by:Darth_mark67
ID: 37740648
I also set this back to default.

         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #77:

Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are p
eople who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
If you want to manage permissions for end users, use management role assignment policies.

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>get-outlookprovider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1


[PS] C:\>
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
This video discusses moving either the default database or any database to a new volume.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question