Solved

Event ID 12014 Certificate issue with personal store

Posted on 2014-04-07
Last Modified: 2014-04-15
I'm having issues between two Exchange 2007 SP3 hub transport servers sending/receiving email to each other.  The hub transport server that seems to be having the issue is complaining about a certificate in the personal store. This HT server can send and receive email from external mail servers.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      TransportService
Event ID:      12014
Date:            4/7/2014
Time:            12:43:07 PM
User:            N/A
Computer:      EXCH07FNTS2
Description:
Microsoft Exchange could not find a certificate that contains the domain name Exch07FNTS2.neirelocation.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of Exch07FNTS2.neirelocation.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

However, the certificate is listed in the personal store on the server and it is registered to SMTP.  I've removed all expired and invalid certificates.  Any suggestions?

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {email.neirelo.com, autodiscover.neirelo.com, emaildr.neirelo.com, exch07fnts2.neirelocation.com, norm.neirelocation.com}
CertificateRequest   :
IisServices          : {IIS://Exch07FNTS2/W3SVC/1}
IsSelfSigned         : False
KeyIdentifier        : B36E4939EBEABBA0258913F85EC177304F70A525
RootCAType           : ThirdParty
Services             : IMAP, POP, IIS, SMTP
Status               : Valid
PrivateKeyExportable : True
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 4/17/2015 6:59:59 PM
NotBefore            : 4/16/2012 7:00:00 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 6, 31, 48, 130, 5, 7, 160, 3, 2, 1, 2, 2, 17, 0...}
SerialNumber         : 00C06DC6134AA8818B6E0EF8338471FE78
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : A5C7C58B56012ADA4333727ACF3127746E99F4A1
Version              : 3
Handle               : 466205968
Issuer               : CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Subject              : CN=email.neirelo.com, OU=Unified Communications, OU=Issued through NEI Global Relocation Company E-PKI Manager, O=NEI Global Relocation, STREET=8701 W Dodge Rd, L=Omaha, S=Nebraska, PostalCode=68114, C=US
Question by:npdodge

Expert Comment

by:becraig
ID: 39984236
Pay specific attention to these lines

Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

It may be the connector is not configured with the same FQDN as the certificate, or the service does not have access to the private key of the certificate.

Author Comment

by:npdodge
ID: 39984287
I've already tried this:
Enable-ExchangeCertificate -Services SMTP

As you can see, the certificate is registered for IIS, IMAP, and SMTP.  This is the intra-organization connector.  I didn't see a way to confirm the FQDN for this connector.  The FQDN is correct on all the other connectors and you can see in my output that the domain is listed in the certificate.

Expert Comment

by:becraig
ID: 39984759
Here is some info on connectors and setting properties
http://technet.microsoft.com/en-us/library/aa998662(v=exchg.141).aspx

When my flight lands I'll test this on my lab servers to repro and resolve.

Accepted Solution

by:Simon Butler (Sembee) earned 500 total points
ID: 39988191
For SMTP traffic, I would just create an internal certificate; it will work fine.

new-exchangecertificate

No other commands. When you get the prompt to replace the default certificate, accept.

The reason for doing this is that you cannot put internal server names on external trusted certificates that expire after November 2014. Therefore most platforms will need to run with two certificates - the trusted one for web services etc and an internal one for SMTP traffic.

Exchange needs to use the internal server's name for TLS communication, hence the need for an internal certificate.

Simon.

Author Comment

by:npdodge
ID: 39989822
How does this affect TLS communication with external SMTP servers?

Expert Comment

by:becraig
ID: 39989839
You configure the send connector with the same fqdn as your external endpoints.


Also you will be able to use the same SSL certificate since the CN is the same as the external endpoint name.

Info on configuring your connectors (If needed)
http://technet.microsoft.com/en-us/library/bb629503%28v=exchg.141%29.aspx

Expert Comment

by:Simon Butler (Sembee)
ID: 39992076
It will have no effect on external TLS communications.

Simon.
Author Closing Comment

by:npdodge
ID: 40002472
That worked!  Thanks Simon.
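The thread's diagnosis (becraig's connector-FQDN and private-key points) and Simon's fix, put together as one Exchange Management Shell script. This is an added example, not code posted by anyone in the thread; it assumes the Exchange 2007/2010 cmdlets shown, and Test-NameCovered, $Fix and the friendly name are the example's own. The three conditions it checks are the ones the event text names; the asker's certificate passed them and still triggered the event, so the fix is applied whenever $Fix is set rather than only when a name is reported uncovered.

```powershell
# Added example, not code posted in the thread. Run in the Exchange Management Shell on the
# Hub Transport server logging Event ID 12014. Set $Fix = $true to apply the accepted fix.
$Fix = $false

# Does a certificate's domain list cover an FQDN? Exact match, or a single-label *.domain wildcard.
function Test-NameCovered {
    param([string]$Fqdn, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -ieq $Fqdn) { return $true }
        if ($d.StartsWith('*.') -and $Fqdn.Contains('.') -and
            ($d.Substring(1) -ieq $Fqdn.Substring($Fqdn.IndexOf('.')))) { return $true }
    }
    return $false
}

# Only certificates transport can use for STARTTLS count: valid, enabled for SMTP, private key present.
$usable = Get-ExchangeCertificate | Where-Object {
    $_.Status -eq 'Valid' -and $_.HasPrivateKey -and ("$($_.Services)" -match 'SMTP')
}

# Names this server advertises: each Receive connector FQDN plus the computer FQDN, which the
# implicit intra-organization Send connector (and any connector with a blank Fqdn) uses.
$computerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$names = @($computerFqdn)
$names += Get-ReceiveConnector -Server $env:COMPUTERNAME | ForEach-Object {
    if ($_.Fqdn) { $_.Fqdn.ToString() } else { $computerFqdn }
}

foreach ($n in ($names | Sort-Object -Unique)) {
    $match = @($usable | Where-Object {
        Test-NameCovered -Fqdn $n -Domains @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    })
    if ($match.Count -gt 0) { "{0,-45} covered by {1}" -f $n, $match[0].Thumbprint }
    else { "{0,-45} NOT covered: transport will log Event 12014 for this name" -f $n }
}

# Accepted answer: a self-signed certificate for the internal name, enabled for SMTP only, so the
# third-party certificate keeps serving IIS/POP/IMAP and external TLS. Accept the prompt to make it
# the default SMTP certificate, as the answer says.
if ($Fix) {
    New-ExchangeCertificate -SubjectName "CN=$computerFqdn" `
        -DomainName $computerFqdn, $env:COMPUTERNAME -Services SMTP -FriendlyName 'Internal SMTP TLS'
    Get-ExchangeCertificate -DomainName $computerFqdn | Format-List CertificateDomains, Services, Status, Thumbprint
}
```

The final Get-ExchangeCertificate call confirms the new certificate lists the internal FQDN and SMTP, which is what the event checks for; the third-party certificate is left untouched for the external names.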