ccornish
asked on
Failure to Authenticate - MSExchange Web Services on an Exchange Server 2010 SP3
The mail delivery failures which relate only to iOS users of our Blackberry 12 Server started after an upgrade of that server to version 12.2.
The actual log file of the authentication failure is below. This error results in a delay delivery notice being issued for the emails of iOS users, which eventually turns into a no delivery notice.
Any help would be appreciated
Chris Cornish
Log Name: Application
Source: MSExchange Web Services
Date: 06/09/2015 2:20:53 PM
Event ID: 7
Task Category: Core
Level: Error
Keywords: Classic
User: N/A
Computer: our server
Description:
After 6 unsuccessful attempts to send a notification for subscription [GwBtZTQtc2VydmVyLnRvcm9udG8uY2x1bnkuY2EQAAAAwxD81M4QqEuwMFO2Gffxz94cLanlttII] against endpoint [https://Our BES12 Server:8091/asg/apis/ewsNotification/hannah.gill@suneeva.com/2/exchange_1], the subscription has been removed. Details: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Status: TrustFailure at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at Microsoft.Exchange.Services.Core.NotificationServiceClient.HandleResponse(IAsyncResult responseAsyncResult)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange Web Services" />
<EventID Qualifiers="49152">7</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-09-06T18:20:53.000000000Z" />
<EventRecordID>892715</EventRecordID>
<Channel>Application</Channel>
<Computer>Our mail Server</Computer>
<Security />
</System>
<EventData>
<Data>GwBtZTQtc2VydmVyLnRvcm9udG8uY2x1bnkuY2EQAAAAwxD81M4QqEuwMFO2Gffxz94cLanlttII</Data>
<Data>https://our BES12-server:8091/asg/apis/ewsNotification/xxx@zzz.com/2/exchange_1</Data>
<Data>6</Data>
<Data>WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Status: TrustFailure at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at Microsoft.Exchange.Services.Core.NotificationServiceClient.HandleResponse(IAsyncResult responseAsyncResult)</Data>
</EventData>
</Event>
ASKER
Thank you for your questions and comments.
As a step prior to posting this question, we changed the certificate on the BES12 Server from an Exchange 2010 certificate to the Digicert certificate we use for public access to our Exchange server. The certificate contains multiple IP addresses including the internal FQDN of the Exchange server and its IPv4 address. I believe both the Exchange server and the BES12 server are using the same certificate.
We get an informational notice in the Windows Application Log relating to the BES12 Secure Connect Plus Service, which we think relates to low usage on the weekend by iOS users.
We have checked the BES12 services and the Exchange services, and they all appear to be running and with the appropriate credentials.
Double check whether the certificate has the correct attributes/use/function. You cannot use a certificate, even with SAN, that is a web site identification certificate. Exchange requires additional attributes/use/function authorized by the certificate or it will be rejected.
Check on the exchange side where the be12 connection is coming from whether it requires a client cert from be12...
There are too many possible variations. .......
ASKER
Thank you Arnold
We have a single 2010 Exchange Server with which the BES12 server communicates.
BES12 has an SMTP connection with the Exchange Server which uses the certificate. Emails can be sent using this service and an AD connection to our DC which is active and is synchronized.
BES12 also has a BlackBerry Work Connect Notification Service which uses the certificate. This service is pointed at the following URL on the Exchange Server https://exchange server/ews/exchange.asmx.
Where would I check on the Exchange Server to see if it requires a certificate from the BES12 Server and if so what is the certificate's correct configuration?
The error points to the failure to establish/negotiate a secure connection from the web service.
Can you revert the internal side, and set up on the web service/be12/exchange transport connection to use the prior certificate to see if that fixes the issue?
I am unclear what causes the SSL connection failure.
On the exchange transport rule where this connection comes in, check the log/certificate/client requirements.
It sounds as though you took advantage of one down time for upgrading be, to update other things at the same time.
Often, the recommendation is always to make one change at a time. Verify that it works without issues, and then make the next modification, check and repeat as needed.....
At this point the only issue you have is related to the interaction between the web service and the exchange connection.
Correct?
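Added example, not part of the thread and not Microsoft or BlackBerry tooling: for EWS push notifications Exchange is the TLS client, so the TrustFailure in Event ID 7 means Exchange rejected the certificate presented on the BES12 callback port. Run on the Exchange server, this PowerShell script records how .NET's default validation judges that certificate; the host name is a placeholder to be replaced with the exact host from the logged endpoint URL, and 8091 is the port shown in that URL.

```powershell
# Added example. Run on the Exchange server (the TLS client for push callbacks).
param(
    [string]$HostName = 'bes12.example.internal',  # placeholder: host from the Event ID 7 endpoint URL
    [int]$Port = 8091                              # port shown in the logged endpoint
)

$seen = @{}
# Record what .NET's default validation concluded. Returning $true only lets the
# handshake finish so the certificate can be inspected; diagnostic use only.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $seen.PolicyErrors = $sslPolicyErrors
    $seen.Certificate  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $seen.ChainStatus  = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation)".Trim() })
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    # Validate against the same name Exchange uses: the host in the callback URL.
    $ssl.AuthenticateAsClient($HostName)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

$cert = $seen.Certificate
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
$sanText = '(no subjectAltName extension)'
if ($san) { $sanText = $san.Format($false) }

# PolicyErrors other than None is what HttpWebRequest surfaces as TrustFailure:
#   RemoteCertificateNameMismatch -> URL host is not in the certificate subject/SAN
#   RemoteCertificateChainErrors  -> issuer chain not trusted or not verifiable from this server
New-Object PSObject -Property @{
    Endpoint     = "${HostName}:$Port"
    PolicyErrors = $seen.PolicyErrors
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    SAN          = $sanText
    ChainStatus  = ($seen.ChainStatus -join '; ')
} | Format-List
```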
What error, if any, do you see for the bbservices?
Check the configuration guides and compare whether the services start with the correct credentials.