Failure to Authenticate - MSExchange Web Services on a Exchange Server 2010 SP3

The mail delivery failures which relate only to iOS users of our Blackberry 12 Server started after an upgrade of that server to version 12.2

The actual log file of the authentication failure is bellow. This error results in a delay delivery notice being issued for the email's of iOS users and which eventually turns into a no delivery notice.  

Any help would be appreciated

Chris Cornish

Log Name:      Application
Source:        MSExchange Web Services
Date:          06/09/2015 2:20:53 PM
Event ID:      7
Task Category: Core
Level:         Error
Keywords:      Classic
User:          N/A
Computer:   our server
After 6 unsuccessful attempts to send a notification for subscription [GwBtZTQtc2VydmVyLnRvcm9udG8uY2x1bnkuY2EQAAAAwxD81M4QqEuwMFO2Gffxz94cLanlttII] against endpoint [https://Our BES12 Server:8091/asg/apis/ewsNotification/], the subscription has been removed. Details: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Status: TrustFailure    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at Microsoft.Exchange.Services.Core.NotificationServiceClient.HandleResponse(IAsyncResult responseAsyncResult)
Event Xml:
<Event xmlns="">
    <Provider Name="MSExchange Web Services" />
    <EventID Qualifiers="49152">7</EventID>
    <TimeCreated SystemTime="2015-09-06T18:20:53.000000000Z" />
    <Computer>Our mail Server</Computer>
    <Security />
    <Data>https://our BES12-server:8091/asg/apis/ewsNotification/</Data>
    <Data>WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Status: TrustFailure    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at Microsoft.Exchange.Services.Core.NotificationServiceClient.HandleResponse(IAsyncResult responseAsyncResult)</Data>
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The error points to a failure during the negotiation of a secure connection.  Double check the client certificate on one side to make sure that is the correct certificate expected on the exchange side.

What error if any do you see for the bbservices

Check the configuration guides and compare whether the services start with the correct credentials.
ccornishAuthor Commented:
Thank you for your questions and comments.

As a step prior to posting this question, we change the certificate on the BES12 Server from a Exchange 2010 certificate to the Digicert certificate we use for public access to our exchange server. The certificate contains multiple ip addresses including the internal fQDN of the exchange server and its ip4v address. I believe both the exchange server and the BES12 server are using the same certificate.

We get a informational notice in the Windows' Application Log relating the the BES12 Secure Connect Plus Service which we think relates to low usage on the weekend by iOS users

We have check the BES12 services and the Exchange Services and they all appear to be running and with the appropriate credentials.
Double check whether the certificate has the correct attributes/use/function.  You can not use a certificate even with SAN that is a web site identification certificate. Exchange requires additional attributes/use/function authorized by the certificate or it will be rejected.

Check on the exchange side where the be12 connection is coming from whether it requires a client cert from be12...

There are too many possible variations. .......
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

ccornishAuthor Commented:
Thank you Arnold

We have a single 2010 Exchange Server with which the BES12 server communicates.

BES12 has a SMTP connection with the Exchange Server which uses the certificate. Emails can be sent using this service and a AD connection to our DC which is active and is synchronized.

BES12 also has a BlackBerry Work Connect Notification Service which uses the certificate. This service is  pointed at the following URL on the Exchange Server  https://exchange server/ews/exchange.asmx.  

Where would I check on the Exchange Server to see if it requires a certificate from the BES12 Server and if so what is the certificate's correct configuration?
The error points to the failure to establish/negotiate a secure connection from the web service.  

Can you revert the internal side, and setup on the web service/be12/exchange transport connection to use the prior certificate to see if that fixes the issue.

I am unclear what causes the SSL connection failure.

On the exchange transport rule where this connection comes in, check the log/certificate/client requirements.

It sounds as though you took advantage of one down time for upgrading be, to update other things at the same time.

Often, the recomendation is always to make one change at a time. Verify that it works without issues, and then make the next modification, check and repeat as needed.....

At this point the only issue you have is related to the interaction between the web service and the exchange connection.

Here is a blackberry document that may help you troubleshoot/resolve your issue.

Deals with the certificate and credential/identity masquerade ........
ccornishAuthor Commented:
Thank you for sending me this link which related to BES5.

Prior to posting this request for assistance, we had contacted BES Support who had no record of the Error message we were receiving. BES Support after some time working on the problem were  convinced that the error was the result of a problem generated in the Exchange Server.  

You BES article caused me to rethinking our authentication problem which started after a failed upgrade and subsequent re-install of our BES Server from BES12.0 to BES12.2. Our BES Server has been previously upgraded from BES10 to BES12.0. One of the changes in BES12.0 was the use of an Exchange Account "BES12Impersionation" with special permissions to the setup of Work Connect Notification (Settings\External Integration). See link to KB article below: 

When I carried out the login required to complete the Work Connect Notification in accordance to this KB all of the error messages cleared.

Thank you for your help.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.