Solved

Exchange 2013 receive connector transport service certificate problem after migration from Exchange 2007 to 2013

Posted on 2016-10-16
10
42 Views
Last Modified: 2016-11-07
Hi,

I'm getting the event ID 12014 (Transport service) with a certificate which isn't in the list of Exchange certificates in EX2013.
Error message: Exchange could not find a certificate which is not in the personal information store of the local computer.
This is the root certificate of the internal trusted CA.

The root certificate isn't assigned to smtp services but the affected connector does not have a certificate assigned for start_TLS.

The standard certificate in EX2013 has all services included, also SMTP, but is not assigned to connectors.

The standard certificate in EX2013 is missing one domain in the alternate names which is in the root certificate.

The affected connector has starttls=false. Is it enough to set it to $true?


It's really confusing for me. In the past I tried to install a new certificate and set TLS on all connectors to true, and all users got problems in Outlook; they had to install the certificate.
Some important mails are passing the firewall but not arriving in client mailboxes. I think that depends on the certificate problem with receive connectors.


Thanks in advance for your help.
0
Question by:Mandy_
10 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41846023
With a domain one normally adds the CA root certificate to the users' Trusted Root Certification Authorities store via Group Policy.
0
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 41846030
Root certificates usually don't cause any trouble.

The FQDN of the receive connector must match the certificate; then TLS will work.

if you provide your receive connector in question with |fl
0
 
LVL 2

Author Comment

by:Mandy_
ID: 41846462
OK. How could I match the receive connector with the certificate?
0
 
LVL 36

Assisted Solution

by:Jian An Lim
Jian An Lim earned 500 total points (awarded by participants)
ID: 41847413
If you type

Get-ReceiveConnector | fl Identity, Fqdn, TlsCertificateName

paste the result here, together with

Get-ExchangeCertificate | where {$_.RootCAType -like "ThirdParty"} | fl
0
 
LVL 2

Author Comment

by:Mandy_
ID: 41847781
Thanks, the TlsCertificateName is the root certificate of our trusted CA and it's assigned to the connector.
This root CA is not an Exchange certificate. I think we have to assign the Exchange cert instead
to this connector, but how can we do that?

The important strings:

RequireTLS                              : False
Bindings                                : {[::]:25, 0.0.0.0:25}
SuppressXAnonymousTls : False
TlsCertificateName : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.uk, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK

AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {[::]:25, 0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
SmtpUtf8Enabled                         : False
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : True
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
ProxyEnabled                            : False
AdvertiseClientSettings                 : False
Fqdn                                    : VX01.bctk.lokal
ServiceDiscoveryFqdn                    :
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.de, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : Unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 128 KB (131,072 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 5
MaxLogonFailures                        : 3
MaxMessageSize                          : 36 MB (37,748,736 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : VX01
TransportRole                           : FrontendTransport
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:00
MaxAcknowledgementDelay                 : 00:00:00
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default Frontend VX01
DistinguishedName                       : CN=Default Frontend VX01,CN=SMTP Receive
                                          Connectors,CN=Protocols,CN=VX01,CN=Servers,CN=Exchange Administrative Group
                                          (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=bctk,CN=Microsoft
                                          Exchange,CN=Services,CN=Configuration,DC=bctk,DC=lokal
Identity                                : VX01\Default Frontend VX01
Guid                                    : 9aef83a0-692d-417c-a2ab-662f46fa6ec2
ObjectCategory                          : bctk.lokal/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
OrganizationId                          :
Id                                      : VX01\Default Frontend VX01
OriginatingServer                       : VSRV01.bctk.lokal
IsValid                                 : True
ObjectState                             : Unchanged


0
 
LVL 36

Assisted Solution

by:Jian An Lim
Jian An Lim earned 500 total points (awarded by participants)
ID: 41849151
Your FQDN does not match your certificate, which is the first problem:

FQDN = VX01.bctk.lokal
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.de, OU=Technik, O=BCT GM, L=GEL, S=Brownsword, C=UK

You have 2 options:
change your FQDN to match the certificate (easiest),
or get a certificate that matches the FQDN.

Usually I will just use a 3rd-party certificate like the one you use to access your webmail;
that will just work.
0
 
LVL 2

Author Comment

by:Mandy_
ID: 41849230
The certificate is the root cert of the internal CA but is not an Exchange certificate.
0
 
LVL 36

Accepted Solution

by:Jian An Lim
Jian An Lim earned 500 total points (awarded by participants)
ID: 41849274
Okay.
So you will use option 1.

Run the following command (the identity contains spaces, so it must be quoted):
Get-ReceiveConnector "VX01\Default Frontend VX01" | Set-ReceiveConnector -Fqdn webmail.domain.de

To roll back:
Get-ReceiveConnector "VX01\Default Frontend VX01" | Set-ReceiveConnector -Fqdn VX01.bctk.lokal
0
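An added example, not posted by anyone in this thread, that turns Jian An Lim's check into an Exchange Management Shell report: for every receive connector it parses the TlsCertificateName in the <I>issuer<S>subject form shown in the output above, looks that certificate up with Get-ExchangeCertificate, and reports whether it exists as an Exchange certificate, has the SMTP service enabled, and covers the connector's FQDN. It assumes the Exchange 2013 cmdlets Get-ReceiveConnector and Get-ExchangeCertificate, and the connector identity and FQDN values come from the output above; the script itself is read-only.

```powershell
# Added example (not from the thread). Read-only: it only reports mismatches.
# Exact name comparison only; wildcard certificate names are not expanded.
$certs = Get-ExchangeCertificate

function Test-ConnectorTlsCert {
    param([Parameter(Mandatory)]$Connector)

    $fqdn   = [string]$Connector.Fqdn
    $result = [ordered]@{
        Identity = [string]$Connector.Identity; Fqdn = $fqdn
        CertFound = $false; SmtpEnabled = $false; FqdnCovered = $false; Notes = @()
    }
    $name = if ($Connector.TlsCertificateName) { [string]$Connector.TlsCertificateName } else { '' }

    if ($name -match '^<I>(?<issuer>.+)<S>(?<subject>.+)$') {
        $issuer  = $Matches.issuer
        $subject = $Matches.subject
        $cert = $certs | Where-Object { $_.Issuer -eq $issuer -and $_.Subject -eq $subject } |
                Select-Object -First 1
        if (-not $cert) {
            # The asker's situation: the named certificate is the internal root CA,
            # which is not an Exchange certificate, hence event 12014.
            $result.Notes += "Named cert '$subject' is not an Exchange certificate"
        } else {
            $result.CertFound   = $true
            $result.SmtpEnabled = ([string]$cert.Services -match 'SMTP')
            $domains = @($cert.CertificateDomains | ForEach-Object { [string]$_ })
            $result.FqdnCovered = ($domains -contains $fqdn)
            if (-not $result.SmtpEnabled) { $result.Notes += 'Cert has no SMTP service enabled' }
            if (-not $result.FqdnCovered) {
                $result.Notes += "Cert names ($($domains -join ', ')) do not include $fqdn"
            }
        }
    } else {
        $result.Notes += 'No TlsCertificateName set; Exchange selects a certificate by Fqdn'
    }
    [pscustomobject]$result
}

# Print only connectors that have something to fix.
Get-ReceiveConnector | ForEach-Object { Test-ConnectorTlsCert $_ } |
    Where-Object { $_.Notes.Count -gt 0 } | Format-List

# Option 1 from the accepted solution, to run only after reviewing the report:
# Set-ReceiveConnector -Identity 'VX01\Default Frontend VX01' -Fqdn webmail.domain.de
```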
 
LVL 2

Author Comment

by:Mandy_
ID: 41849632
Thanks.
0
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 41876850
provide script to solve this issue
0
