Solved

Installation of Client Access role fails on Windows 2012

Posted on 2012-12-22
5
1,600 Views
Last Modified: 2013-01-01
I know Exchange 2010 (prior to SP3) is not fully supported on Win2012, but I read that it might just work.
I am getting the following error contstantly:

[12/22/2012 15:21:22.0145] [2] Unexpected Error
[12/22/2012 15:21:22.0191] [2] Could not grant Network Service access to the certificate with thumbprint 5A442CC0A9ED647E03DE0C1BCFD7321AEDF296EF because a cryptographic exception was thrown.
[12/22/2012 15:21:22.0192] [2] Access is denied.

[12/22/2012 15:21:22.0194] [2] Ending processing.
[12/22/2012 15:21:22.0195] [1] The following 1 error(s) occurred during task execution:
[12/22/2012 15:21:22.0195] [1] 0.  ErrorRecord: Could not grant Network Service access to the certificate with thumbprint 5A442CC0A9ED647E03DE0C1BCFD7321AEDF296EF because a cryptographic exception was thrown.
[12/22/2012 15:21:22.0196] [1] 0.  ErrorRecord: Microsoft.Exchange.Management.SystemConfigurationTasks.AddAccessRuleCryptographicException: Could not grant Network Service access to the certificate with thumbprint 5A442CC0A9ED647E03DE0C1BCFD7321AEDF296EF because a cryptographic exception was thrown. ---> System.Security.Cryptography.CryptographicException: Access is denied.

   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.AddAccessRule(X509Certificate2 certificate, AccessRule rule)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.ManageExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services, Boolean requireSsl, ADSystemConfigurationSession dataSession, Server server, List`1 warningList, Boolean allowConfirmation, Boolean forceNetworkService)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Management.SystemConfigurationTasks.ManageExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services, Boolean requireSsl, ADSystemConfigurationSession dataSession, Server server, List`1 warningList, Boolean allowConfirmation, Boolean forceNetworkService)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
[12/22/2012 15:21:22.0196] [1] The following error was generated when "$error.Clear(); Install-ExchangeCertificate -services "IIS, POP, IMAP" -DomainController $RoleDomainController" was run: "Could not grant Network Service access to the certificate with thumbprint 5A442CC0A9ED647E03DE0C1BCFD7321AEDF296EF because a cryptographic exception was thrown.".
[12/22/2012 15:21:22.0196] [1] Could not grant Network Service access to the certificate with thumbprint 5A442CC0A9ED647E03DE0C1BCFD7321AEDF296EF because a cryptographic exception was thrown.
[12/22/2012 15:21:22.0196] [1] Access is denied.

I tried the following which I found many times over:
Fire up MMC, add the Local Computer Certificate store into the console, located the certificate for the computers DNS name when you first went to install Exchange 2010 Beta/RC, (It will be in the personal store if you are getting this error), move it into the Trusted Root Certification Authorities. Now you can install, enjoy :).

Still, it keeps giving that error. What to do?
0
Comment
Question by:redworks
  • 2
  • 2
5 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38715672
Its unsupported. Stop trying to get something to work that hasn't been documented, tested or is a supported configuration. Hearing something "might" work isn't really a good reason to do it.

Deploy it on a supported OS and wait until the service pack is released.

Simon.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 38715709
Wait.

For Service Pack 3.

Do you really think it's a GOOD idea to run a mail service in a known unsupported configuration?  I don't know your organization, but all the organizations I've worked for/with find mail pretty critical these days - doing this doesn't just seem unwise... it seems HORRIBLY unwise.

If you need to install Exchange 2010, then use the downgrade rights from 2012 to install a 2008 R2 server and install Exchange 2010 on that.
0
 

Author Comment

by:redworks
ID: 38715717
I understand your point. I would prefer Exchange 2013 to be honest, but I want it all combined (for many reasons, which dont really matter at the time) on a remote-desktop-server. This setup (RDS+Exchange 2013) is not possible. It won't install.
So its either Exchange 2010 with Win2012, or Win2012 with RDS and Exchange 2013...
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 38715819
What you want and what you can have are not always the same thing.
RDS should be deployed on its own server.
Exchange should be deployed on its own server.
You aren't going to get Exchange 2010 to run on Windows 2012, even if you can make it install. That is because Windows 2012 uses PowerShell 3.0 which will not run Exchange 2010 commandlets with the current release.

You are going to have to rethink what you want to do, because I don't think either of your options are possible.

Simon.
0
 

Author Closing Comment

by:redworks
ID: 38734555
Seems this really does not work
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
how to add IIS SMTP to handle application/Scanner relays into office 365.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now