Go Premium for a chance to win a PS4. Enter to Win


exchange 2013 Receive connector Transport Service certificate problem after migration from ex2007 to 2013

Posted on 2016-10-16
Medium Priority
Last Modified: 2016-11-07

i'm getting the eventID 12014 Transport-service - with a certificate which isn't in the list of of exchange certificates in EX2013.
Error Message: Exchange could not find a certificate which is not in the personal information store of local computer.
This is the root-certificate of the internal Trusted CA.

The root certificate isn't assigned to smtp services but the affected connector does not have a certificate assigned for start_TLS.

The standard certificate in ex2013 has all services included also smtp,  but not assigned to connectors

The standard certificate in ex2013 is missing one domain on alternate names which is in the root certificate

The affected connector has starttls=false. Is it enough to set it to $true?

it's really confusing for me. In the past i tried to install new certificate and add tls to all connectors=true and all users getting problems in outlook. they have to install the certificate.
Some important mails are passing the firewall but not arriving to client mailboxes. I think thats depends on the certificate problem
with receive connectors.

thanks in advance for your help
Question by:Mandy_
  • 5
  • 4
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 41846023
With a domain one normally adds the CA root certificate to the users trusted root providers store via group policy
LVL 37

Expert Comment

by:Jian An Lim
ID: 41846030
Root certificate usually don't cause any trouble

the receive connector of the FQDN must match the certificate, then TLS will work.

if you provide your receive connector in question with |fl

Author Comment

ID: 41846462
ok . how could i match the receive connector with the certificate?
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41847413
if you type
get-receiveconnector | fl identity,fqdn, tlscertificatename

paste it as result

get-exchangecertificate | where {$_.RootCAType -like "ThirdParty"}| fl

Author Comment

ID: 41847781
Thanks,  the tlscertificate is the root_certificate of our trustedCA and it's assigned to the connector.
This root CA is not an Exchange certificate. I think we have to assign the Exchange cert instead
to this connector but how we can do that?

the important strings:

RequireTLS                              : False
Bindings                                : {[::]:25,}
SuppressXAnonymousTls : False
TlsCertificateName : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.uk, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK

AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {[::]:25,}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
SmtpUtf8Enabled                         : False
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : True
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
ProxyEnabled                            : False
AdvertiseClientSettings                 : False
Fqdn                                    : VX01.bctk.lokal
ServiceDiscoveryFqdn                    :
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.de, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : Unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 128 KB (131,072 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 5
MaxLogonFailures                        : 3
MaxMessageSize                          : 36 MB (37,748,736 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : VX01
TransportRole                           : FrontendTransport
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:00
MaxAcknowledgementDelay                 : 00:00:00
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default Frontend VX01
DistinguishedName                       : CN=Default Frontend VX01,CN=SMTP Receive
                                          Connectors,CN=Protocols,CN=VX01,CN=Servers,CN=Exchange Administrative Group
                                          (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=bctk,CN=Microsoft
Identity                                : VX01\Default Frontend VX01
Guid                                    : 9aef83a0-692d-417c-a2ab-662f46fa6ec2
ObjectCategory                          : bctk.lokal/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
OrganizationId                          :
Id                                      : VX01\Default Frontend VX01
OriginatingServer                       : VSRV01.bctk.lokal
IsValid                                 : True
ObjectState                             : Unchanged

Open in new window

LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41849151
your FQDN do not match your certificate, which is the first problem

FQDN = VX01.bctk.lokal
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.de, OU=Technik, O=BCT GM, L=GEL, S=Brownsword, C=UK

you have 2 option,
change your FQDN to match the certificate (easiest)
or get a certificate that match the FQDN.

Usually I will just use a 3rd party certificate like the one you use to access your webmail
that will just work.

Author Comment

ID: 41849230
The certificate is the root-cert of the internal CA but is not an Exchange certificate
LVL 37

Accepted Solution

Jian An Lim earned 2000 total points (awarded by participants)
ID: 41849274
So you will use option 1

run the following command
get-receiveconnector VX01\Default Frontend VX01 | set-receiveconnector -fqdn <webmail.domain.de>

To Roll back
get-receiveconnector VX01\Default Frontend VX01 | set-receiveconnector -fqdn VX01.bctk.lokal

Author Comment

ID: 41849632
LVL 37

Expert Comment

by:Jian An Lim
ID: 41876850
provide script to solve this issue

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
There can be many situations demanding the conversion of Outlook OST files to PST format and as such, there is no shortage of automated tools to perform this conversion. However, what makes Stellar OST to PST converter stand above the rest? Let us e…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question