Exchange certificate problem

Hello

I just purchased and installed my new Exchange certificate. Because internal domain names will be banned in 2015, I ordered a cert with only 2 names: mail.external.com and autodiscover.external.com. My internal domain is different, so I had to use split DNS for the external email name to resolve to the internal IP.
Installation went fine, I tested various access methods, all cool.

Then I opened the event viewer and now I get this:

Event 12014, MSExchangeTransport

Microsoft Exchange could not find a certificate that contains the domain name EXCHANGE.internal.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Exchange with a FQDN parameter of EXCHANGE.internal.co.uk. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

No single article regarding the new approach to certificates mentioned the problem.

How can I fix it?
Asked by tp-it-team

Amit (IT Architect) commented:
Follow this
http://msexchangeguru.com/2011/06/22/event12014/

Or just ignore it.
tp-it-team (Author) commented:
That link is a solution when the cert is not properly enabled for SMTP. Mine is fine.
Ignoring is not an option I would like to consider.
There must be a proper fix, otherwise, that whole 'no internal names on exchange certificates' would be simply ridiculous.
Amit (IT Architect) commented:
tp-it-team (Author) commented:
These articles were written when people didn't know about the new requirements for certs and, to be honest, they are not very helpful. They were written to deal with the situation when there was something wrong with the certificate and the FQDN was missing. In my case it's missing by design.
achaldave commented:
Depending on your topology, either on the hub transport or the edge transport server, change the send connector's and receive connector's FQDN to mail.external.com.
Look for Set-SendConnector and Set-ReceiveConnector in the Exchange help.

You can also disable TLS on the connectors.
tp-it-team (Author) commented:
When I'm trying to change it on my Default receive connector, I get
--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

set-receiveconnector
Failed
Error:
When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "EXCHANGE.internal.co.uk", the NetBIOS name of the transport server "EXCHANGE", or $null.

I guess it's because of the default authentication methods, but then they are there for a reason, right?
achaldave commented:
You cannot change the default receive connector's FQDN without breaking Exchange-to-Exchange communication. If you want to use TLS on receive connectors, you need to create a new receive connector and enable TLS only on that connector.
These links explain TLS configuration; if you don't need it, disable it.

http://technet.microsoft.com/en-us/library/ee428172.aspx
http://www.msexchange.org/articles-tutorials/exchange-server-2007/security-message-hygiene/Securing-SMTP-Message-Flow-between-different-Exchange-Server-2007-organizations.html
tp-it-team (Author) commented:
How will that help with the existing connector and the lack of the FQDN in my Exchange cert?
Simon Butler (Sembee, Consultant) commented:
The only way to deal with this error is to have an internal certificate for SMTP email as well as your trusted certificate. That is perfectly acceptable - multiple certificates can be bound to the SMTP server service.
Just run new-exchangecertificate (no other parameters) and Exchange will create a suitable certificate. It will have just the SMTP service on it and will not affect anything that you are doing.

If you then get a client that wants to use TLS and see a trusted certificate, then create a NEW Receive Connector, with the FQDN that matches your SSL certificate common name.

Simon.
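The two halves of the fix discussed in this thread, achaldave's separate Receive Connector that carries TLS for the trusted name and Simon's internal certificate bound to SMTP alongside the commercial one, as an added example; this is not code from the thread, from Experts Exchange or from Microsoft. It assumes the Exchange Management Shell on Exchange 2007 or 2010 with the cmdlets and parameters as documented there (Get-ExchangeCertificate, New-ExchangeCertificate, Get-ExchangeServer, Get-ReceiveConnector, New-ReceiveConnector, Set-ReceiveConnector, Get-SendConnector). The server name EXCHANGE and the trusted name mail.external.com come from the thread; the partner range 203.0.113.0/24, the connector name and the Test-CertCoversName helper are my own placeholders and code.

```powershell
# Added example, not code from the thread or from Microsoft. Assumes the Exchange
# Management Shell (Exchange 2007/2010 cmdlets as documented). Server and trusted
# name are from the thread; the partner range is a placeholder (TEST-NET-3).
$serverName   = 'EXCHANGE'
$trustedName  = 'mail.external.com'
$partnerRange = '203.0.113.0/24'   # placeholder: the remote site that insists on TLS

# Does a certificate cover a host name? Exact match, or a wildcard entry whose
# parent domain equals the name's parent domain (one label only, as clients apply it).
function Test-CertCoversName($cert, $name) {
    foreach ($d in $cert.CertificateDomains) {
        $d = "$d"
        if ($d -ieq $name) { return $true }
        if ($d.StartsWith('*.') -and $name.Contains('.') -and
            ($name.Substring($name.IndexOf('.') + 1) -ieq $d.Substring(2))) { return $true }
    }
    return $false
}

# --- Part 1: the certificate side (event 12014) ------------------------------
# Every name the transport service may present on STARTTLS: each connector's Fqdn,
# or the server FQDN when the connector's Fqdn is empty (as the event text says).
$serverFqdn = "$((Get-ExchangeServer -Identity $serverName).Fqdn)"
$names = @()
foreach ($rc in Get-ReceiveConnector -Server $serverName) {
    $names += $(if ("$($rc.Fqdn)") { "$($rc.Fqdn)" } else { $serverFqdn })
}
foreach ($sc in Get-SendConnector) { if ("$($sc.Fqdn)") { $names += "$($sc.Fqdn)" } }
$names = $names | Sort-Object -Unique

$smtpCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' }
foreach ($n in $names) {
    $covered = $false
    foreach ($c in $smtpCerts) { if (Test-CertCoversName $c $n) { $covered = $true } }
    if ($covered) { Write-Host "OK: an SMTP-enabled certificate covers $n"; continue }
    Write-Host "MISSING: no SMTP-enabled certificate covers $n (this is event 12014)"
    # Self-signed certificate for the internal name only; the trusted certificate
    # stays bound. The shell asks whether to overwrite the default SMTP certificate:
    # Simon advises Yes, the author answered No, and both leave two certificates on SMTP.
    New-ExchangeCertificate -DomainName $n -Services SMTP -PrivateKeyExportable $true `
        -FriendlyName "Internal SMTP ($n)"
}
# The thread's own check: the trusted cert shows e.g. 'IP.WS', the internal one '....S'.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, CertificateDomains -AutoSize

# --- Part 2: the connector side ----------------------------------------------
# Connectors whose AuthMechanism includes ExchangeServer must keep the server FQDN,
# the NetBIOS name or $null as Fqdn; that is the Set-ReceiveConnector error quoted above.
Get-ReceiveConnector -Server $serverName |
    Where-Object { "$($_.AuthMechanism)" -match 'ExchangeServer' } |
    ForEach-Object { Write-Host "Leave Fqdn alone on $($_.Identity) ($($_.AuthMechanism))" }

# A separate connector presents the trusted name to the remote sites that require it.
# Its RemoteIPRanges must not overlap the Default connector on the same binding,
# otherwise New-ReceiveConnector rejects it as a conflicting connector.
$connName = "Internet TLS ($trustedName)"
if (-not (Get-ReceiveConnector -Server $serverName | Where-Object { $_.Name -eq $connName })) {
    New-ReceiveConnector -Name $connName -Server $serverName -Usage Custom `
        -Bindings '0.0.0.0:25' -RemoteIPRanges $partnerRange -Fqdn $trustedName
}
# TLS only on this connector: anonymous submission, Tls as the only mechanism, and
# STARTTLS required before mail is accepted (drop -RequireTLS for opportunistic TLS).
Set-ReceiveConnector -Identity "$serverName\$connName" `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers -RequireTLS $true

Get-ReceiveConnector -Server $serverName |
    Where-Object { "$($_.Fqdn)" -ieq $trustedName } |
    Format-List Identity, Fqdn, AuthMechanism, PermissionGroups, RequireTLS, RemoteIPRanges
```

Run Part 1 once on each transport server (the author did the equivalent on both of his), then check from outside the network that the trusted name is what a remote sender sees, for example with `openssl s_client -starttls smtp -connect mail.external.com:25`, and confirm the presented certificate is issued by the commercial CA and not the self-signed one. The self-signed certificate is only ever matched against the internal FQDN, which Internet senders never use, so it does not change what they are shown.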
tp-it-team (Author) commented:
Sembee, thanks a lot for sharing your knowledge. So far, you are the only one who knows the answer. Surprisingly for me, I'm one of like 3-4 people in the whole world who actually asks the question! Shocking! I still can't get my head around it. I was certain that there should be more people like me trying to comply with the new certificate rules and having 2 Exchange 2007 servers. Apparently not...

Anyway, what I did was: after assigning my SSL certificate with my external name I was getting these errors. Then I just ran the command you mentioned, I was asked if I want to overwrite the cert for SMTP and I said 'No'. So now, when I run the command Get-ExchangeCertificate on the server, there are two certificates listed: my commercial one is enabled for IP.WS and the internal one with just ....S.

So effectively, I have 2 certificates assigned to SMTP.
It just works !

I'm not sure if I understand what you said there:

'If you then get a client that wants to use TLS and see a trusted certificate, then create a NEW Receive Connector, with the FQDN that matches your SSL certificate common name. '

but so far everything is OK. I managed to install second Exchange server, I did the same on that new server (export cert from old server, import into new, and run new-exchangecertificate), they can talk to each other, I'm not getting errors, all clients I checked so far are working: outlook, Macs, owa, mobile phones...

Does it look like a correct config? Can you please explain your last sentence to me?

Thanks very much again !!!
Simon Butler (Sembee, Consultant) commented:
"I was asked if I want to overwrite the cert for SMTP and I said 'No'."

You should have said Yes there. That would have resolved the problems as well.
However if it is working for you then fine.

The last sentence means what it says. If a remote site says that it will only communicate with you over TLS (usually involved with finance), then you would need to configure mutual TLS (see TechNet) and use a new Receive Connector to ensure the correct SSL certificate is used for the transport.

Simon.