Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Exchange 2013 FQDN Certificate Error

Posted on 2014-11-06
7
325 Views
Last Modified: 2014-11-20
Hello weve put mail.ville.xxx.qc.ca for the FQDN of the Default Frontend NAMESERVER but im not sure if it's ok

Because we use TMG and we use owa.ville.xxx.qc.ca for OWA

mail.ville.xxx.qc.ca is a nat to our exchange server directly

we are receiving this error

Microsoft Exchange could not find a certificate that contains the domain name mail.ville.xxx.qc.ca in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Frontend NAMESERVER with a FQDN parameter of mail.ville.xxx.qc.ca. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

What FQDN i should use ?

If mail.ville.xxx.qc.ca is ok how to add it to the certificate

Thanks !
0
Comment
Question by:jfguenet
  • 4
  • 3
7 Comments
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40426315
Run the following:

Get-ExchangeCertificate | FL

Let us know the output. Most likely what has occurred is that you should change the FQDN of the send connector to something that is common on the certificate. That should resolve the issue.

Also.. I don't think TMG plays into this as you most likely do not have a web rule for it.
0
 

Author Comment

by:jfguenet
ID: 40426462
[PS] C:\Windows\system32>Get-ExchangeCertificate | FL


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.xxx.xxx.qc.ca, www.owa.xxx.xxx.qc.ca}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,
                     O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2015-10-01 07:13:26
NotBefore          : 2014-09-23 13:35:19
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 2B503D0F61C656
Services           : None
Status             : Valid
Subject            : CN=owa.xxx.xxx.qc.ca, OU=Domain Control Validated
Thumbprint         : 62821EE9FFC4C0FF41AA86E1A9A8DDC9BC6688ED

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server_name.xxx.xxx.qc.ca, AutoDiscover.xxx.xxx.qc.ca,
                     AutoDiscover.xxx.ca, server_name, xxx.xxx.qc.ca, xxx.ca}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=AC-Racine, DC=ville, DC=xxx, DC=qc, DC=ca
NotAfter           : 2016-09-15 15:47:43
NotBefore          : 2014-09-16 15:47:43
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 535F5FB8000000000679
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=server_name.xxx.xxx.qc.ca, OU=TI, O=xxx, L=xxx, S=QC, C=CA
Thumbprint         : 0D911213DE4A8B565F185A8E3E28AF5B80AC5893

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.xxx.xxx.qc.ca, server_name.xxx.xxx.qc.ca,
                     AutoDiscover.xxx.xxx.qc.ca, AutoDiscover.xxx.ca, server_name,
                     xxx.xxx.qc.ca, xxx.ca}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=AC-Racine, DC=ville, DC=xxx, DC=qc, DC=ca
NotAfter           : 2016-09-15 13:23:11
NotBefore          : 2014-09-16 13:23:11
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 52DB0EDA000000000678
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=owa.xxx.xxx.qc.ca, OU=TI, O=xxx, L=xxx, S=Québec, C=CA
Thumbprint         : 867EAB32807A54ACEFF53BF0850434FED0DAC903
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40426475
Change the EHLO name to match the OWA namespace on the certificate and this will fix the STARTTLS issue. If you do not want that namespace there, then you would need a certificate that has the mail.xxx.xxx.xxx.com namespace.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:jfguenet
ID: 40426595
if i put owa.xxx.qc.ca it's not the same public ip address as mail.xxx.qc.ca

owa is for my TMG server
mail is for my exchange server

The EHLO name must me mail no ?

Will i have problem if i put owa ?
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40426640
You should not have an issue putting OWA. The name has to be listed on the SSL certificate. I would increase SMTP logging like you did before and check again, but it should resolve your issue.
0
 

Author Comment

by:jfguenet
ID: 40426844
And if i put the server name instead is it better ?
0
 
LVL 19

Accepted Solution

by:
Adam Farage earned 500 total points
ID: 40427009
The context of the EHLO FQDN must match the Certificate Domains if you would like TLS to work. I would recommend either rekeying the certificate (since you missed AutoDiscover anyways) and keep the name or change the EHLO FQDN to what is listed on your certificate.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question