exchange 2013 Receive connector Transport Service certificate problem after migration from ex2007 to 2013

Posted on 2016-10-16
Medium Priority
Last Modified: 2016-11-07

i'm getting the eventID 12014 Transport-service - with a certificate which isn't in the list of of exchange certificates in EX2013.
Error Message: Exchange could not find a certificate which is not in the personal information store of local computer.
This is the root-certificate of the internal Trusted CA.

The root certificate isn't assigned to smtp services but the affected connector does not have a certificate assigned for start_TLS.

The standard certificate in ex2013 has all services included also smtp,  but not assigned to connectors

The standard certificate in ex2013 is missing one domain on alternate names which is in the root certificate

The affected connector has starttls=false. Is it enough to set it to $true?

it's really confusing for me. In the past i tried to install new certificate and add tls to all connectors=true and all users getting problems in outlook. they have to install the certificate.
Some important mails are passing the firewall but not arriving to client mailboxes. I think thats depends on the certificate problem
with receive connectors.

thanks in advance for your help
Question by:Mandy_
  • 5
  • 4
LVL 85

Expert Comment

by:David Johnson, CD, MVP
ID: 41846023
With a domain one normally adds the CA root certificate to the users trusted root providers store via group policy
LVL 38

Expert Comment

by:Jian An Lim
ID: 41846030
Root certificate usually don't cause any trouble

the receive connector of the FQDN must match the certificate, then TLS will work.

if you provide your receive connector in question with |fl

Author Comment

ID: 41846462
ok . how could i match the receive connector with the certificate?
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

LVL 38

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41847413
if you type
get-receiveconnector | fl identity,fqdn, tlscertificatename

paste it as result

get-exchangecertificate | where {$_.RootCAType -like "ThirdParty"}| fl

Author Comment

ID: 41847781
Thanks,  the tlscertificate is the root_certificate of our trustedCA and it's assigned to the connector.
This root CA is not an Exchange certificate. I think we have to assign the Exchange cert instead
to this connector but how we can do that?

the important strings:

RequireTLS                              : False
Bindings                                : {[::]:25,}
SuppressXAnonymousTls : False
TlsCertificateName : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.uk, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK

AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {[::]:25,}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
SmtpUtf8Enabled                         : False
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : True
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
ProxyEnabled                            : False
AdvertiseClientSettings                 : False
Fqdn                                    : VX01.bctk.lokal
ServiceDiscoveryFqdn                    :
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.de, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : Unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 128 KB (131,072 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 5
MaxLogonFailures                        : 3
MaxMessageSize                          : 36 MB (37,748,736 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : VX01
TransportRole                           : FrontendTransport
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:00
MaxAcknowledgementDelay                 : 00:00:00
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default Frontend VX01
DistinguishedName                       : CN=Default Frontend VX01,CN=SMTP Receive
                                          Connectors,CN=Protocols,CN=VX01,CN=Servers,CN=Exchange Administrative Group
                                          (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=bctk,CN=Microsoft
Identity                                : VX01\Default Frontend VX01
Guid                                    : 9aef83a0-692d-417c-a2ab-662f46fa6ec2
ObjectCategory                          : bctk.lokal/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
OrganizationId                          :
Id                                      : VX01\Default Frontend VX01
OriginatingServer                       : VSRV01.bctk.lokal
IsValid                                 : True
ObjectState                             : Unchanged

Open in new window

LVL 38

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41849151
your FQDN do not match your certificate, which is the first problem

FQDN = VX01.bctk.lokal
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>CN=webmail.domain.de, OU=Technik, O=BCT GM, L=GEL, S=Brownsword, C=UK

you have 2 option,
change your FQDN to match the certificate (easiest)
or get a certificate that match the FQDN.

Usually I will just use a 3rd party certificate like the one you use to access your webmail
that will just work.

Author Comment

ID: 41849230
The certificate is the root-cert of the internal CA but is not an Exchange certificate
LVL 38

Accepted Solution

Jian An Lim earned 2000 total points (awarded by participants)
ID: 41849274
So you will use option 1

run the following command
get-receiveconnector VX01\Default Frontend VX01 | set-receiveconnector -fqdn <webmail.domain.de>

To Roll back
get-receiveconnector VX01\Default Frontend VX01 | set-receiveconnector -fqdn VX01.bctk.lokal

Author Comment

ID: 41849632
LVL 38

Expert Comment

by:Jian An Lim
ID: 41876850
provide script to solve this issue

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
The Exchange database may sometimes fail to mount owing to various technical reasons. A dismounted EDB file can be the source of many Exchange errors including mailbox inaccessibility for users. Resolving the root cause of mounting problems becomes …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
In this video I will demonstrate how to set up Nine, which I now consider the best alternative email app to Touchdown.

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question