Outlook Anywhere Cert Problems (Full Version)

All Forums >> [Microsoft Exchange 2007] >> Installation





AlexPyle -> Outlook Anywhere Cert Problems (9.Feb.2007 4:55:56 PM)

I purchased a SSL Cert from RapidSSL for the server rather than deal with the issues of self certing.
OWA works fine.
I turned on Outlook Anywhere but I'm getting event ID 12014:

Microsoft Exchange couldn't find a certificate that contains the domain name server.domain.local in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of server.domain.local. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

And event id 12013:

Microsoft Exchange couldn't find a certificate with a thumbprint of 16107BAF190F1A8C493F4D2318B728A4FE668691 in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 16107BAF190F1A8C493F4D2318B728A4FE668691 -services SMTP to resolve the issue. If the certificate doesn't exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by using New-ExchangeCertificate -domainname serverfqdn -services SMTP.

Any ideas?




t0ta11ed -> RE: Outlook Anywhere Cert Problems (9.Feb.2007 9:03:08 PM)

I've had the same error since I removed the installed cert and replaced it with our own from RapidSSL as well. I haven't addressed it since my server isn't in production yet. I'm assuming all of your connectors are using the FQDN the cert is configured for. So are mine, so in that case it's a matter of the cert being in the "personal store", which I've never heard of in relation to a certificate. I don't get the 12013 event. I did attempt to run the cmdlets referred to in the Post-Install page at first though, but ran into errors. After that I turned around and did it using IIS, and things like OWA, etc. are using the cert just fine. Did you remove the original cert as well? That is probably our problem if so.




Henrik Walther -> RE: Outlook Anywhere Cert Problems (10.Feb.2007 10:18:13 PM)

By default the Hub Transport server uses TLS (secure SMTP) to communicate with other Hub Transport servers in the organization. In order to use TLS a certificate is required, and the Hub Transport server uses a self-signed certificate for TLS communication. If you remove this certificate you'll get this error.

The reason why mail flow still works is because Hub Transport servers will fall back to a less secure SMTP communication method (anonymous in this case).




t0ta11ed -> RE: Outlook Anywhere Cert Problems (11.Feb.2007 2:41:51 AM)

Is there any way to restore the self-signed cert?




Henrik Walther -> RE: Outlook Anywhere Cert Problems (11.Feb.2007 2:59:09 AM)

Well it's actually simple to create a new one, you just use the New-ExchangeCertificate cmdlet.

For steps see:
http://technet.microsoft.com/en-us/library/72048bc1-6d01-4279-8d21-4282b86b522c.aspx

But when that's said, the default self-signed certificate should still be in the local store, although you removed it in the IIS Manager. So you should still be able to assign it to a web site in the IIS Manager.




t0ta11ed -> RE: Outlook Anywhere Cert Problems (11.Feb.2007 1:33:30 PM)

I ran the Get-ExchangeCertificate cmdlet, but it didn't fully display the services using the listed certs. It outputs two certs, one for mail.kobie.com and one for the server name, MX1. One is using service "...w" and the other shows "...SIP". Using the | format-list switch, I can see more info but services aren't listed. Blah. This output shows both the self-signed and the installed cert however.

I know the cert I installed is working on OWA, but in order to address the mentioned TLS issue I need to either:

A) Restore the original one so it works with TLS or
B) Get TLS to use the one I installed.

When I attempted to do Import-ExchangeCertificate on the one I installed, it of course said one with that thumbprint already exists.

That being said though, this is the only Exchange server in the organization and it will not be communicating with any other Hub Transports in the organization. However, if it is showing both certificates in use I'm not sure why I'm getting this error in the event log:

Event Type:    Error
Event Source:    MSExchangeTransport
Event Category:    TransportService
Event ID:    12014
Date:        2/11/2007
Time:        2:17:32 PM
User:        N/A
Computer:    MX1
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name mail.kobie.com in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of mail.kobie.com. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

Update:

Using Enable-ExchangeCertificate -Path c:/your.cert -Services SMTP, it would appear that Exchange has accepted this after entering the thumbprint. I haven't seen the event in the logs for the last three hours.




AlexPyle -> RE: Outlook Anywhere Cert Problems (12.Feb.2007 3:39:38 PM)

So you were able to use your new self Cert or another cert for this problem (i.e. a 3rd party cert)?




t0ta11ed -> RE: Outlook Anywhere Cert Problems (12.Feb.2007 4:12:02 PM)

Using the Enable-ExchangeCertificate command, I was able to use my RapidSSL cert for the SMTP service. This cleared up the event error I was receiving. You should be able to run the same command for yours and apply it to the services you want.

Once this is done you can verify by telnetting to the server and sending the ehlo command. The response should include STARTTLS in the list.
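The telnet/EHLO verification described in the post, as an added example that is not part of the original thread: it parses the multi-line 250 reply a server returns to EHLO and reports whether STARTTLS is advertised, and includes a live probe for a host name you supply. The sample replies and the host name mail.example.com are constructed.

```python
# Added example (not from the original thread): check that an Exchange SMTP
# connector advertises STARTTLS, as the post verifies with telnet + EHLO.
import smtplib
from typing import List

# Constructed 250 reply: "250-" marks continuation lines, "250 " the last line.
SAMPLE_EHLO_WITH_STARTTLS = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH NTLM\r\n"
    "250 CHUNKING\r\n"
)

# Constructed reply from a server whose certificate is not enabled for SMTP.
SAMPLE_EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250 CHUNKING\r\n"
)

def parse_ehlo_extensions(reply: str) -> List[str]:
    """Return the upper-cased extension keywords from a 250 EHLO reply.
    The first line is the greeting, not an extension, so it is skipped;
    lines that do not carry a 250 code are ignored."""
    extensions = []
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        keyword = line[4:].split(" ", 1)[0].strip().upper()
        if keyword:
            extensions.append(keyword)
    return extensions

def offers_starttls(reply: str) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(reply)

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: connect, send EHLO and report whether STARTTLS is offered.
    No TLS session is started; a connection failure counts as not offered."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo("probe.example")  # hypothetical client name
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return False
```

Run probe_starttls("mail.example.com") against your own Hub Transport server after Enable-ExchangeCertificate; it should flip from False to True once the certificate is enabled for SMTP.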




DrShinder -> RE: Outlook Anywhere Cert Problems (21.Mar.2007 1:06:18 PM)

Any clues when they'll bring security into the GUI? What happened to SD3+C? Did the new Exchange group forget about this? Security should be made as easy and seamless as possible, not hidden in Edlin for Exchange 2007 [:)]

Tom




t0ta11ed -> RE: Outlook Anywhere Cert Problems (21.Mar.2007 1:37:29 PM)

quote:

ORIGINAL: DrShinder

Any clues when they'll bring security into the GUI? What happened to SD3+C? Did the new Exchange group forget about this? Security should be made as easy and seamless as possible, not hidden in Edlin for Exchange 2007 [:)]

Tom


It seems a lot of what is in the Management Shell is what didn't make it into the GUI before release. Perhaps forthcoming SPs and updates will address some of that.



