MSExchangeTransport Event ID 12014

Asked By un1c0rn
25-Jan-10 01:24 AM
Hi,

Currently we are running Exchange 2007 on Server 2003 R2 64bit.
Can anyone please help with the following error:

Event Type:        Error
Event Source:      MSExchangeTransport
Event Category:    TransportService
Event ID:          12014
Date:              25/01/2010
Time:              7:53:25 AM
User:              N/A
Computer:          IBBNE02
Description:

Microsoft Exchange could not find a certificate that contains the domain name
mail.implicitbioscience.com.au in the personal store on the local computer.
Therefore, it is unable to support the STARTTLS SMTP verb for the connector
Exchange default with a FQDN parameter of mail.implicitbioscience.com.au. If
the connector's FQDN is not specified, the computer's FQDN is used. Verify
the connector configuration and the installed certificates to make sure that
there is a certificate with a domain name for that FQDN. If this certificate
exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the
Microsoft Exchange Transport service has access to the certificate key.

Ed Crowley [MVP] replied to un1c0rn
25-Jan-10 02:29 AM
The way I read it, your Exchange server wants to send SMTP mail with other
Exchange servers using TLS, but it cannot do that because you do not have a
proper certificate installed that matches your domain.  You can fix that by
installing a certificate.
--
Ed Crowley MVP

Rich Matheisen [MVP] replied to Ed Crowley [MVP]
25-Jan-10 10:17 AM
Or by adding SMTP as one of the services the cert is used for.

Use get-exchangecertificate and see if there is a "S" beneath the
to change the services if it is not there.
---
Rich Matheisen
MCSE+I, Exchange MVP


un1c0rn replied to Ed Crowley [MVP]
27-Jan-10 12:58 AM
Thanks but I have tried this with no success.
un1c0rn replied to Rich Matheisen [MVP]
27-Jan-10 12:59 AM
Tried that and seems to go without issue but the same error appears in the
event log.
Rich Matheisen [MVP] replied to un1c0rn
27-Jan-10 11:42 AM
What does "go without issue" mean? Does the "S" show up beneath the

How many certificates show up in that get-exchangecertificate output?
For the one that you /think/ you are using, do this:

get-exchangecertificate <thumbprint> | fl

In the "CertificateDomains", what names do you see?

Is the certificate "Status" valid?
---
Rich Matheisen
MCSE+I, Exchange MVP
un1c0rn replied to Rich Matheisen [MVP]
28-Jan-10 06:24 PM
Yes, the S is showing.  I have pasted the results below:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ibbne02.implicitbioscience.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ibbne02.implicitbioscience.com
NotAfter           : 25/01/2011 4:34:57 PM
NotBefore          : 25/01/2010 4:34:57 PM
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : 0B904E42A8BF7497442B5D0C996F10DA
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=ibbne02.implicitbioscience.com
Thumbprint         : EE6A8770B794FA4A820C3F007D6FF48C921A629D

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ibbne02.implicitbioscience.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ibbne02.implicitbioscience.com
NotAfter           : 25/01/2011 12:58:13 PM
NotBefore          : 25/01/2010 12:58:13 PM
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : A042EAACF8B7AE9E442AAD4DED8A2114
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=ibbne02.implicitbioscience.com
Thumbprint         : A4F371262BBE4361E26AC31CBEE50B129C332FB0
Rich Matheisen [MVP] replied to un1c0rn
28-Jan-10 09:36 PM
Both certificates have the same name. Neither of them are for
mail.implicitbioscience.com -- so the error message is correct,
there is no certificate that matches the name.


Have you changed the FQDN on the Send or Receive Connectors from
ibbne02.implicitbioscience.com to mail.implicitbioscience.com?

You can get a certificate with multiple names (a "SAN" or "UC")
certificate. You'll need one if you are going to use different names
for different things (OWA, autodiscover, email, etc.).
---
Rich Matheisen
MCSE+I, Exchange MVP
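
The comparison made in the reply above (connector FQDN against the names on the SMTP-enabled certificates), as an added example that is not part of the original thread. It assumes it is run in the Exchange Management Shell on the transport server and compares names exactly, which is a simplification of whatever matching the transport service itself performs.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# For every connector, show the FQDN it will present and which installed
# certificates could back STARTTLS for that name.

# Certificates the transport service could use: valid, unexpired, with a
# private key, and enabled for the SMTP service.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object {
    $_.Status.ToString() -eq 'Valid' -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.Services.ToString() -match 'SMTP'
})

# Per the event text, a connector without an FQDN uses the computer's FQDN.
$localFqdn = [System.Net.Dns]::GetHostEntry('').HostName

$connectors = @(Get-ReceiveConnector) + @(Get-SendConnector)

foreach ($c in $connectors) {
    $fqdn = $localFqdn
    if ($c.Fqdn) { $fqdn = $c.Fqdn.ToString() }

    # Assumption: exact, case-insensitive name comparison only.
    $hits = @($smtpCerts | Where-Object {
        @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn
    })
    $thumbs = [string]::Join(', ', [string[]]@($hits | ForEach-Object { $_.Thumbprint }))

    $c | Select-Object Identity,
        @{Name = 'EffectiveFqdn';     Expression = { $fqdn }},
        @{Name = 'MatchingSmtpCerts'; Expression = { $thumbs }}
}
```

A row with an empty MatchingSmtpCerts column is a connector in the state event 12014 reports. For the output pasted in this thread, a connector FQDN of mail.implicitbioscience.com would produce one, since both certificates list only ibbne02.implicitbioscience.com.
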
un1c0rn replied to Rich Matheisen [MVP]
01-Feb-10 01:03 AM
Thank you Rich, That worked!  You are a genius! :-)