Exchange Server - MSExchangeTransport Event ID 12014
Asked By un1c0rn
25-Jan-10 01:24 AM

Hi,
Currently we are running Exchange 2007 on Server 2003 R2 64-bit.
Can anyone please help with the following error:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12014
Date: 25/01/2010
Time: 7:53:25 AM
User: N/A
Computer: IBBNE02
Description:
Microsoft Exchange could not find a certificate that contains the domain name
mail.implicitbioscience.com.au in the personal store on the local computer.
Therefore, it is unable to support the STARTTLS SMTP verb for the connector
Exchange default with a FQDN parameter of mail.implicitbioscience.com.au. If
the connector's FQDN is not specified, the computer's FQDN is used. Verify
the connector configuration and the installed certificates to make sure that
there is a certificate with a domain name for that FQDN. If this certificate
exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the
Microsoft Exchange Transport service has access to the certificate key.
Ed Crowley [MVP] replied to un1c0rn
The way I read it, your Exchange server wants to send SMTP mail with other
Exchange servers using TLS, but it cannot do that because you do not have a
proper certificate installed that matches your domain. You can fix that by
installing a certificate.
--
Ed Crowley MVP
Rich Matheisen [MVP] replied to Ed Crowley [MVP]
Or by adding SMTP as one of the services the cert is used for.
Use get-exchangecertificate and see if there is a "S" beneath the
to change the services if it is not there.
---
Rich Matheisen
MCSE+I, Exchange MVP
un1c0rn replied to Ed Crowley [MVP]
Thanks but I have tried this with no success.
un1c0rn replied to Rich Matheisen [MVP]
Tried that and seems to go without issue but the same error appears in the
event log.
Rich Matheisen [MVP] replied to un1c0rn
What does "go without issue" mean? Does the "S" show up beneath the
How many certificates show up in that get-exchangecertificate output?
For the one that you /think/ you are using, do this:
get-exchangecertificate <thumbprint> | fl
In the "CertificateDomains", what names do you see?
Is the certificate "Status" valid?
---
Rich Matheisen
MCSE+I, Exchange MVP
un1c0rn replied to Rich Matheisen [MVP]

Yes, the S is showing. I have pasted the results below:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.Crypt
oKeyAccessRule}
CertificateDomains : {ibbne02.implicitbioscience.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=ibbne02.implicitbioscience.com
NotAfter : 25/01/2011 4:34:57 PM
NotBefore : 25/01/2010 4:34:57 PM
PublicKeySize : 1024
RootCAType : None
SerialNumber : 0B904E42A8BF7497442B5D0C996F10DA
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=ibbne02.implicitbioscience.com
Thumbprint : EE6A8770B794FA4A820C3F007D6FF48C921A629D

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.Crypt
oKeyAccessRule}
CertificateDomains : {ibbne02.implicitbioscience.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=ibbne02.implicitbioscience.com
NotAfter : 25/01/2011 12:58:13 PM
NotBefore : 25/01/2010 12:58:13 PM
PublicKeySize : 1024
RootCAType : None
SerialNumber : A042EAACF8B7AE9E442AAD4DED8A2114
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=ibbne02.implicitbioscience.com
Thumbprint : A4F371262BBE4361E26AC31CBEE50B129C332FB0
Rich Matheisen [MVP] replied to un1c0rn
Both certificates have the same name. Neither of them are for
mail.implicitbioscience.com -- so the error message is correct,
there is no certificate that matches the name.
Have you changed the FQDN on the Send or Receive Connectors from
ibbne02.implicitbioscience.com to mail.implicitbioscience.com?
You can get a certificate with multiple names (a "SAN" or "UC")
certificate. You'll need one if you are going to use different names
for different things (OWA, autodiscover, email, etc.).
---
Rich Matheisen
MCSE+I, Exchange MVP
un1c0rn replied to Rich Matheisen [MVP]
Thank you Rich, that worked! You are a genius! :-)
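
The check the thread walks through by hand, as an added example for the Exchange Management Shell (not code from any poster in this thread): for each connector it takes the FQDN, falls back to the computer's FQDN when none is set, and looks for a valid, SMTP-enabled certificate whose CertificateDomains contains that exact name. It assumes each CertificateDomains entry converts to the plain domain string shown in the output above, and it only reads configuration.

```powershell
# Added example: read-only check, run on the transport server itself.
# The event text says the computer's FQDN is used when a connector has none.
$localFqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

# Certificates the transport service could offer: Status Valid and enabled for SMTP.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object {
    $_.Status.ToString() -eq 'Valid' -and $_.Services.ToString() -match 'SMTP'
})

# Receive connectors of this server plus the (organization-wide) Send connectors.
$connectors = @(Get-ReceiveConnector -Server $env:COMPUTERNAME) + @(Get-SendConnector)

foreach ($connector in $connectors) {
    $fqdn = [string]$connector.Fqdn
    if ([string]::IsNullOrEmpty($fqdn)) { $fqdn = $localFqdn }

    # Exact, case-insensitive comparison with every name on every candidate.
    # Assumption: ToString() on a CertificateDomains entry yields the bare name.
    $matching = @($smtpCerts | Where-Object {
        @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn
    })

    if ($matching.Count -eq 0) {
        # This is the condition the 12014 event reports for the connector.
        Write-Warning ("{0}: no valid SMTP certificate contains '{1}'" -f $connector.Identity, $fqdn)
    }
    else {
        foreach ($cert in $matching) {
            "{0}: '{1}' matched by {2}, expires {3}" -f $connector.Identity, $fqdn, $cert.Thumbprint, $cert.NotAfter
        }
    }
}
```

A warning line means either the connector FQDN or the certificate names have to change so that they agree; a certificate that is merely enabled for SMTP under a different name does not clear the event.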