exchange 2013 Receive connector Transport Service certificate problem after migration from ex2007 to 2013

Posted on 2016-10-16
Last Modified: 2016-11-07

i'm getting the eventID 12014 Transport-service - with a certificate which isn't in the list of of exchange certificates in EX2013.
Error Message: Exchange could not find a certificate which is not in the personal information store of local computer.
This is the root-certificate of the internal Trusted CA.

The root certificate isn't assigned to smtp services but the affected connector does not have a certificate assigned for start_TLS.

The standard certificate in ex2013 has all services included also smtp,  but not assigned to connectors

The standard certificate in ex2013 is missing one domain on alternate names which is in the root certificate

The affected connector has starttls=false. Is it enough to set it to $true?

it's really confusing for me. In the past i tried to install new certificate and add tls to all connectors=true and all users getting problems in outlook. they have to install the certificate.
Some important mails are passing the firewall but not arriving to client mailboxes. I think thats depends on the certificate problem
with receive connectors.

thanks in advance for your help
Question by:Mandy_
  • 5
  • 4
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41846023
With a domain one normally adds the CA root certificate to the users trusted root providers store via group policy
LVL 36

Expert Comment

by:Jian An Lim
ID: 41846030
Root certificate usually don't cause any trouble

the receive connector of the FQDN must match the certificate, then TLS will work.

if you provide your receive connector in question with |fl

Author Comment

ID: 41846462
ok . how could i match the receive connector with the certificate?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

LVL 36

Assisted Solution

by:Jian An Lim
Jian An Lim earned 500 total points (awarded by participants)
ID: 41847413
if you type
get-receiveconnector | fl identity,fqdn, tlscertificatename

paste it as result

get-exchangecertificate | where {$_.RootCAType -like "ThirdParty"}| fl

Author Comment

ID: 41847781
Thanks,  the tlscertificate is the root_certificate of our trustedCA and it's assigned to the connector.
This root CA is not an Exchange certificate. I think we have to assign the Exchange cert instead
to this connector but how we can do that?

the important strings:

RequireTLS                              : False
Bindings                                : {[::]:25,}
SuppressXAnonymousTls : False
TlsCertificateName : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK

AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {[::]:25,}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
SmtpUtf8Enabled                         : False
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : True
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
ProxyEnabled                            : False
AdvertiseClientSettings                 : False
Fqdn                                    : VX01.bctk.lokal
ServiceDiscoveryFqdn                    :
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : Unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 128 KB (131,072 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 5
MaxLogonFailures                        : 3
MaxMessageSize                          : 36 MB (37,748,736 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : VX01
TransportRole                           : FrontendTransport
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:00
MaxAcknowledgementDelay                 : 00:00:00
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default Frontend VX01
DistinguishedName                       : CN=Default Frontend VX01,CN=SMTP Receive
                                          Connectors,CN=Protocols,CN=VX01,CN=Servers,CN=Exchange Administrative Group
                                          (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=bctk,CN=Microsoft
Identity                                : VX01\Default Frontend VX01
Guid                                    : 9aef83a0-692d-417c-a2ab-662f46fa6ec2
ObjectCategory                          : bctk.lokal/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
OrganizationId                          :
Id                                      : VX01\Default Frontend VX01
OriginatingServer                       : VSRV01.bctk.lokal
IsValid                                 : True
ObjectState                             : Unchanged

Open in new window

LVL 36

Assisted Solution

by:Jian An Lim
Jian An Lim earned 500 total points (awarded by participants)
ID: 41849151
your FQDN do not match your certificate, which is the first problem

FQDN = VX01.bctk.lokal
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>, OU=Technik, O=BCT GM, L=GEL, S=Brownsword, C=UK

you have 2 option,
change your FQDN to match the certificate (easiest)
or get a certificate that match the FQDN.

Usually I will just use a 3rd party certificate like the one you use to access your webmail
that will just work.

Author Comment

ID: 41849230
The certificate is the root-cert of the internal CA but is not an Exchange certificate
LVL 36

Accepted Solution

Jian An Lim earned 500 total points (awarded by participants)
ID: 41849274
So you will use option 1

run the following command
get-receiveconnector VX01\Default Frontend VX01 | set-receiveconnector -fqdn <>

To Roll back
get-receiveconnector VX01\Default Frontend VX01 | set-receiveconnector -fqdn VX01.bctk.lokal

Author Comment

ID: 41849632
LVL 36

Expert Comment

by:Jian An Lim
ID: 41876850
provide script to solve this issue

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
how to add IIS SMTP to handle application/Scanner relays into office 365.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question