Solved

Event ID 12014 Certificate issue with personal store

Posted on 2014-04-07
8
3,531 Views
Last Modified: 2014-04-15
I'm having issues between two Exchange 2007 SP3 hub transport servers sending/receiving email to each other.  The hub transport server that seems to be having the issue is complaining about a certificate in the personal store. This HT server can send and receive email from external mail servers.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      TransportService
Event ID:      12014
Date:            4/7/2014
Time:            12:43:07 PM
User:            N/A
Computer:      EXCH07FNTS2
Description:
Microsoft Exchange could not find a certificate that contains the domain name Exch07FNTS2.neirelocation.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of Exch07FNTS2.neirelocation.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

However, the certificate is listed in the personal store on the server and it is registered to SMTP.  I've removed all expired and invalid certificates.  Any suggestions?

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {email.neirelo.com, autodiscover.neirelo.com, emaildr.neirelo.com, exch07fnts2.neirelocation.com, norm.neirelocation.com}
CertificateRequest   :
IisServices          : {IIS://Exch07FNTS2/W3SVC/1}
IsSelfSigned         : False
KeyIdentifier        : B36E4939EBEABBA0258913F85EC177304F70A525
RootCAType           : ThirdParty
Services             : IMAP, POP, IIS, SMTP
Status               : Valid
PrivateKeyExportable : True
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 4/17/2015 6:59:59 PM
NotBefore            : 4/16/2012 7:00:00 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 6, 31, 48, 130, 5, 7, 160, 3, 2, 1, 2, 2, 17, 0...}
SerialNumber         : 00C06DC6134AA8818B6E0EF8338471FE78
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : A5C7C58B56012ADA4333727ACF3127746E99F4A1
Version              : 3
Handle               : 466205968
Issuer               : CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Subject              : CN=email.neirelo.com, OU=Unified Communications, OU=Issued through NEI Global Relocation Company E-PKI Manager, O=NEI Global Relocation, STREET=8701 W Dodge Rd, L=Omaha, S=Nebraska, PostalCode=68114, C=US
Question by:npdodge
8 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 39984236
Pay specific attention to these lines

Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

It may be the connector is not configured with the same FQDN as the certificate, or the service does not have access to the private key of the certificate.
0
 

Author Comment

by:npdodge
ID: 39984287
I've already tried this:
Enable-ExchangeCertificate -Services SMTP

As you can see, the certificate is registered for IIS, IMAP, and SMTP.  This is the intra-organization connector.  I didn't see a way to confirm the FQDN for this connector.  The FQDN is correct on all the other connectors and you can see in my output that the domain is listed in the certificate.
0
 
LVL 28

Expert Comment

by:becraig
ID: 39984759
Here is some info on connectors and setting properties
http://technet.microsoft.com/en-us/library/aa998662(v=exchg.141).aspx

When my flight lands I'll test this on my lab servers to repro and resolve.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39988191
For SMTP traffic, I would just create an internal certificate; it will work fine.

new-exchangecertificate

No other commands. When you get the prompt to replace the default certificate, accept.

The reason for doing this is that you cannot put internal server names on external trusted certificates that expire after November 2014. Therefore most platforms will need to run with two certificates - the trusted one for web services etc and an internal one for SMTP traffic.

Exchange needs to use the internal server's name for TLS communication, hence the need for an internal certificate.

Simon.
0
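As an added illustration (not code from any poster in this thread), the following Exchange Management Shell function re-creates the checks the 12014 event text spells out: is there a valid, SMTP-enabled certificate with a private key whose domains cover the connector FQDN? It assumes objects shaped like the Get-ExchangeCertificate dump in the question; the sample objects at the bottom are constructed so the function can be tried outside Exchange.

```powershell
# Added example, not from any poster in this thread. Re-creates the checks that
# event 12014 names, for one connector FQDN against the Exchange certificate
# store. Omitting -Certificates requires the Exchange Management Shell.
function Test-SmtpTlsCertificate {
    param(
        # The implicit intra-organization connector uses the computer FQDN.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName,
        # Objects with the properties shown in the question's dump.
        [object[]]$Certificates = (Get-ExchangeCertificate)
    )
    $now = Get-Date
    foreach ($cert in $Certificates) {
        # -like is case-insensitive and honours wildcard entries (*.example.com),
        # so the mixed casing in the event text is not what breaks the match.
        $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $nameOk  = [bool]($domains | Where-Object { $Fqdn -like $_ })
        $smtpOk  = "$($cert.Services)" -match '\bSMTP\b'
        $keyOk   = [bool]$cert.HasPrivateKey
        $validOk = ("$($cert.Status)" -eq 'Valid') -and ($cert.NotAfter -gt $now)
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            HasFqdn       = $nameOk
            SmtpEnabled   = $smtpOk
            HasPrivateKey = $keyOk
            Valid         = $validOk
            Usable        = $nameOk -and $smtpOk -and $keyOk -and $validOk
        }
    }
}

# Constructed sample objects (not real store contents): one shaped like the
# question's third-party certificate, one like a self-signed certificate that
# carries only the server name. NotAfter is relative so the sample stays valid.
$sample = @(
    [pscustomobject]@{
        Thumbprint = 'A5C7C58B56012ADA4333727ACF3127746E99F4A1'
        CertificateDomains = @('email.neirelo.com', 'exch07fnts2.neirelocation.com')
        Services = 'IMAP, POP, IIS, SMTP'; Status = 'Valid'
        HasPrivateKey = $true; NotAfter = (Get-Date).AddYears(1)
    },
    [pscustomobject]@{
        Thumbprint = 'SELF-SIGNED-THUMBPRINT-PLACEHOLDER'
        CertificateDomains = @('EXCH07FNTS2', 'Exch07FNTS2.neirelocation.com')
        Services = 'SMTP'; Status = 'Valid'
        HasPrivateKey = $true; NotAfter = (Get-Date).AddYears(5)
    }
)
Test-SmtpTlsCertificate -Fqdn 'Exch07FNTS2.neirelocation.com' -Certificates $sample |
    Format-Table -AutoSize
```

Both constructed certificates report Usable, which mirrors the question's own finding: the dumped certificate already satisfied every condition the event text lists, so the thread's fix was a separate internal certificate rather than another Enable-ExchangeCertificate run. In the Exchange Management Shell, call the function without -Certificates to test the real store.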

Author Comment

by:npdodge
ID: 39989822
How does this affect TLS communication with external SMTP servers?
0
 
LVL 28

Expert Comment

by:becraig
ID: 39989839
You configure the send connector with the same fqdn as your external endpoints.


Also you will be able to use the same SSL certificate since the CN is the same as the external endpoint name.

Info on configuring your connectors (If needed)
http://technet.microsoft.com/en-us/library/bb629503%28v=exchg.141%29.aspx
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39992076
It will have no effect on external TLS communications.

Simon.
0
 

Author Closing Comment

by:npdodge
ID: 40002472
That worked!  Thanks Simon.
0
