Solved

Exchange 2010 IMAP SSL Certificate Error in a DAG

Posted on 2013-12-06
Last Modified: 2015-02-05
I run 2 Server 2008 R2 Exchange servers in a DAG. They are physically located on the same site, so no WAN connection between them.
Failover between the two servers works just fine for Outlook / OWA connectivity. HOWEVER, some mobile users connect via IMAP.
I have a UCC, 5-domain Exchange certificate from GoDaddy.com.
IMAP works just fine ONLY on one of the servers. IMAP users can connect and view their email folders; however, we get this error on the other server. Keep in mind, everything else works just fine regardless of which server is active.

Exchange 2010 certificate screenshot

Microsoft Exchange could not find a certificate that contains the domain name vancouver-info-chip.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector icc relay (photocopier, etc) with a FQDN parameter of vancouver-info-chip.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Question by:infochip
4 Comments
 
LVL 63

Accepted Solution

by: Simon Butler (Sembee) earned 100 total points
ID: 39704255
Most Exchange servers will now have two SSL certificates on them, the trusted one and the self-signed one. You cannot really operate with a single certificate because internal names on the SSL certificate are not allowed.

To resolve the error about SMTP and StartTLS, just run New-ExchangeCertificate from EMS, no command switches or anything. Exchange will generate a self-signed certificate which will be fine for SMTP traffic. If you get a question about replacing the default certificate, accept it.

For IMAP, this can be more difficult. I would strongly encourage you to drop it if possible, and have users on Outlook Anywhere or EWS (Mac).
IMAP clients can get funny over the SSL certificate and for most compatibility you need to use the Common Name on the SSL certificate as the host name for the clients to connect to. This also means the X.509 address is configured to match.

If the two servers are on the same WAN, I would look at using a load balancer, so that you don't have to think about which server the clients connect to.

Simon.
 
LVL 14

Expert Comment

by:Radweld
ID: 39706196
You can see from the screenshot above that IMAP is still being secured by the self-signed certificate. If this works on the other node of the cluster OK, then it's likely the other node has the IMAP service bound to this certificate. You can assign the IMAP service either in Exchange Management Console or Shell.

As for Secure SMTP, self-signed certificates are used by default to secure communication between transport nodes; if you wish to secure SMTP externally, then remove SMTP from the self-signed certificate, just leaving the 3rd-party cert bound to SMTP.
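A worked version of the two answers above (bind the trusted certificate to IMAP on every DAG member, make the advertised IMAP name match its Common Name, and find the connector whose FQDN no local certificate covers), added here as an example rather than code posted in the thread. It runs in the Exchange Management Shell and assumes the DAG member names EX01 and EX02, the UCC certificate's Common Name mail.vancouver-info-chip.com, a hypothetical PFX export path, and WinRM access to each member; the domain vancouver-info-chip.com and the connector error come from the question.

```powershell
# Added example, not from the thread. Assumed: server names EX01/EX02, the UCC
# certificate's CN, the PFX path, and WinRM to each member. The domain is the
# one named in the STARTTLS event quoted in the question.
$servers  = 'EX01', 'EX02'                   # assumed DAG member names
$imapHost = 'mail.vancouver-info-chip.com'   # assumed CN of the GoDaddy UCC cert
$pfxPath  = '\\EX01\share\ucc.pfx'           # hypothetical export of that cert
$pfxPwd   = Read-Host 'PFX password' -AsSecureString

function Get-CertDomains ($cert) {
    # CertificateDomains is a collection of SmtpDomain objects; compare as
    # lower-case strings. (Wildcard SANs are not expanded by this check.)
    @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
}

# 1. Inventory every certificate on each member. Certificates live in each
#    server's own personal store and the DAG does not replicate them, so the
#    node that raises the event is the one whose list lacks the domain.
foreach ($s in $servers) {
    Get-ExchangeCertificate -Server $s |
        Select-Object @{n='Server'; e={$s}}, Thumbprint, IsSelfSigned, Services,
                      @{n='Domains'; e={(Get-CertDomains $_) -join ','}}, NotAfter |
        Format-Table -AutoSize
}

foreach ($s in $servers) {
    # 2. Locate the trusted (non-self-signed) certificate that carries the
    #    IMAP host name; import the same PFX on a member that lacks it.
    $ucc = Get-ExchangeCertificate -Server $s |
        Where-Object { $c = $_; (-not $c.IsSelfSigned) -and
                       ((Get-CertDomains $c) -contains $imapHost.ToLower()) }
    if (-not $ucc) {
        Write-Warning "$s has no trusted certificate for $imapHost; importing $pfxPath"
        $ucc = Import-ExchangeCertificate -Server $s -Password $pfxPwd `
            -FileData ([Byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0))
    }

    # 3. Bind it to IMAP and the other client-facing services on this member.
    #    -Force suppresses the "replace the default SMTP certificate" prompt
    #    that the accepted answer says to accept.
    Enable-ExchangeCertificate -Server $s -Thumbprint $ucc.Thumbprint `
        -Services IMAP, POP, IIS, SMTP -Force

    # 4. Advertise the certificate CN as the IMAP server name, then restart the
    #    IMAP4 service so the new binding is used.
    Set-ImapSettings -Server $s -X509CertificateName $imapHost
    Invoke-Command -ComputerName $s -ScriptBlock { Restart-Service MSExchangeIMAP4 }

    # 5. Report receive connectors whose FQDN no certificate on this member
    #    covers: that is exactly the condition behind the STARTTLS event.
    $allDomains = @(Get-ExchangeCertificate -Server $s | ForEach-Object { Get-CertDomains $_ })
    Get-ReceiveConnector -Server $s |
        Where-Object { $_.Fqdn -and ($allDomains -notcontains $_.Fqdn.ToString().ToLower()) } |
        ForEach-Object {
            Write-Warning ("{0}: connector '{1}' uses FQDN {2}, which is on no local certificate" `
                -f $s, $_.Name, $_.Fqdn)
        }
}
```

For each connector step 5 reports, either set its FQDN to a name that is on the UCC certificate (Set-ReceiveConnector -Fqdn) or follow the accepted answer and run New-ExchangeCertificate with no arguments on that node. Note that the self-signed certificate that produces carries only the server's own host name and FQDN, so it clears the event only for connectors whose FQDN is one of those; a connector set to vancouver-info-chip.com still needs a certificate that lists that domain. After the change, verify with Test-ImapConnectivity against each member, or with an IMAP client pointed at the Common Name, that the trusted certificate is the one presented.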
 
LVL 1

Author Comment

by:infochip
ID: 40592344
dg
 
LVL 1

Author Comment

by:infochip
ID: 40592346
tgerteg