Exchange Server Forums
Third party cert install on EBS
Third party cert install on EBS - 2.Dec.2010 8:25:18 AM
mats
Posts: 8
Joined: 2.Dec.2010
Status: offline
Hi guys,

one of my customers has a Microsoft EBS (Essential Business Server), which has the Exchange roles split across two servers by default: HT, CAS and MB on one server and Edge Transport on the second one. Though I read through several Microsoft KB articles, it is not clear to me how I have to install our Entrust cert on Exchange. I have to correct myself: I already installed the cert, and it works in principle, but I get errors in the event log because I installed the official Entrust cert on both servers (and obviously I am not supposed to do that). The errors are 10104 and 1024 from MSExchange EdgeSync.

So how am I supposed to do it right? Install the Entrust cert for the services IIS, POP and IMAP on the HT, CAS and MB server and generate a self-signed cert for SMTP which I install on both servers (for the SMTP service)? Or does the Entrust cert have to be installed on the Edge Transport server (which runs Microsoft TMG as firewall, by the way)?

Thank you in advance,
Regards
Michael
RE: Third party cert install on EBS - 7.Jan.2011 3:06:21 AM
mats
Hi, I have to bring this up again (it seems like I can't get it to work). I tried your suggestions and also referred to article http://technet.microsoft.com/en-us/library/cc671171(EXCHG.80).aspx because I have the exact same error messages/behavior.

So I removed the third-party cert from the Edge Transport server, created a new self-signed cert (by cloning the old default self-signed one) on the server hosting the CAS, HT and MB roles and imported that new cert on the Edge Transport server. Then I enabled this new self-signed cert for SMTP on the Edge Transport server and wanted to enable it for SMTP on the CAS, HT and MB server too, but this doesn't work (I get the following error message: WARNING: This certificate will not be used for external TLS connections with an FQDN of 'msg.aet.local' because the CA-signed certificate with thumbprint 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' takes precedence. The following connectors match that FQDN: Default MSG, Client MSG.) This warning mentions the third-party cert.

So still, EdgeSync between the servers does not work because of a certificate mismatch; I see errors 10104 (source Synchronization) and 1024 (source Topology) in the event logs. "Normal" mail flow works, but I run into trouble when I want to create a new mailbox: external senders can't send mails to it; internal mail flow for this new mailbox works, however. I guess this is because the EdgeSync doesn't work?! Ideas?
RE: Third party cert install on EBS - 7.Jan.2011 8:35:11 AM
mats
OK - I finally solved the problem. Seems like YOU CANNOT run the same certificate on the Edge and the HT server (doesn't matter if it's a third-party certificate or a self-signed one). So I installed the third-party cert on the Edge and generated a new self-signed one on the HT server, recreated the EdgeSubscription and the EdgeSync finally worked again. Thanks anyhow!
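A check for the condition the last post identifies (the same certificate enabled for SMTP on both the Edge Transport and the Hub Transport server), added here as an example and not part of the thread. It assumes each server's `Get-ExchangeCertificate` output was exported to CSV as shown in the comments; the function name, file names, subjects and thumbprints are constructed placeholders.

```powershell
# Added example (not from the thread). Collect on EACH server, in the Exchange Management Shell:
#   Get-ExchangeCertificate |
#     Select-Object Thumbprint, Subject, IsSelfSigned, @{n='Services';e={"$($_.Services)"}} |
#     Export-Csv "C:\certs-$env:COMPUTERNAME.csv" -NoTypeInformation
# Then compare the two exports on any machine with PowerShell 2.0 or later.

function Find-SharedSmtpCertificate {   # hypothetical helper name
    param($EdgeCerts, $HubCerts)
    # Thumbprints of certificates enabled for SMTP on the Hub Transport server
    $hubSmtp = @($HubCerts | Where-Object { $_.Services -match 'SMTP' } |
                 ForEach-Object { $_.Thumbprint.Trim().ToUpper() })
    # Edge certificates enabled for SMTP whose thumbprint also appears on the Hub
    $EdgeCerts | Where-Object {
        $_.Services -match 'SMTP' -and $hubSmtp -contains $_.Thumbprint.Trim().ToUpper()
    }
}

# Constructed sample exports: subjects and thumbprints are placeholders, not real values.
$edgeCsv = @'
"Thumbprint","Subject","IsSelfSigned","Services"
"1111111111111111111111111111111111111111","CN=mail.example.com","False","SMTP"
'@
$hubCsv = @'
"Thumbprint","Subject","IsSelfSigned","Services"
"1111111111111111111111111111111111111111","CN=mail.example.com","False","IMAP, POP, IIS, SMTP"
"2222222222222222222222222222222222222222","CN=hub01","True","None"
'@
$edge = $edgeCsv | ConvertFrom-Csv
$hub  = $hubCsv  | ConvertFrom-Csv
# With real exports: $edge = Import-Csv .\certs-EDGE01.csv ; $hub = Import-Csv .\certs-HUB01.csv

# @() keeps the result an array even when exactly one certificate matches
$shared = @(Find-SharedSmtpCertificate -EdgeCerts $edge -HubCerts $hub)
if ($shared.Count -gt 0) {
    $shared | ForEach-Object {
        Write-Warning "SMTP certificate $($_.Thumbprint) ($($_.Subject)) is enabled on both servers"
    }
} else {
    Write-Output 'No SMTP-enabled certificate is shared between the two servers.'
}
```

With the constructed data the script warns about the placeholder thumbprint `1111…`, which mirrors the first post's state where the third-party cert was enabled on both servers.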