Exchange 2010: Self-signed certificate problem

  • Question

  • Hello,

    I've Exchange 2010 SP2 with self-signed certificate with properties:

    Subject:     CN = EXCH
    Subject Alternative Name:      DNS Name=EXCH
                                                DNS Name=EXCH.mycompany.intra

    Because Test-ActiveSyncConnectivity didn't pass, displaying error:
    [System.Net.WebException]: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
    Inner error [System.Security.Authentication.AuthenticationException]: The remote certificate is invalid according to the validation procedure.

    I added this certificate to Trusted Root Certification Authorities.
    [ perhaps other tasks were performed, my notes are short ].

    Now Test-ActiveSyncConnectivity passed, but every change made by EMC gives me warning:
    ------------------------------------------------------------------------------------------------------------------------------------------
    Warning:
    The cmdlet extension agent with the index 0 has thrown an exception in OnComplete(). The exception is:

    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.runTryCode(Object userData)
       at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.<Invoke>b__3()
       at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
       at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
       at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.FindFolder(FindFolderType FindFolder1)
       at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
       at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer..ctor(OrganizationId organizationId, ADUser adUser, ExchangePrincipal principal)
       at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.Create(OrganizationId organizationId, ADUser mailbox, ExchangePrincipal principal)
       at Microsoft.Exchange.ProvisioningAgent.AdminLogAgentClassFactory.ConfigWrapper.get_MailboxLogger()
       at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.OnComplete(Boolean succeeded, Exception e)
       at Microsoft.Exchange.Provisioning.ProvisioningLayer.OnComplete(Task task, Boolean succeeded, Exception exception)
    ------------------------------------------------------------------------------------------------------------------------------------------

    I guess that this is a DNS & certificate related error,
    but what is wrong?


    best regards Janusz Such


    • Edited by Janusz Such Tuesday, November 13, 2012 11:19 AM
    Tuesday, November 13, 2012 11:17 AM

Answers

  • I hope you are not planning to use the Self-Signed certificate in production.

    You can still test ActiveSyncConnectivity with the parameter TrustAnySSLCertificate.

    Example:

    Test-ActiveSyncConnectivity  -TrustAnySSLCertificate


    Remove the certificate from Trusted Root and install a Trusted Certificate. It could be from your own CA or a Third-Party (=Recommended)

    See: Understanding Digital Certificates and SSL


    Martina Miskovic


    • Edited by Martina_Miskovic Tuesday, November 13, 2012 11:31 AM Added Link
    • Proposed as answer by Andy DavidMVP Tuesday, November 13, 2012 12:12 PM
    • Marked as answer by Janusz Such Wednesday, November 14, 2012 12:08 PM
    Tuesday, November 13, 2012 11:27 AM
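The stack trace in the question shows Exchange's own admin audit log agent (AdminLogProvisioningHandler, EwsMailer, NetworkServiceHttpAuthenticator) calling EWS over HTTPS, so the server itself must trust the certificate bound to its EWS URL, not only the clients. The following Exchange Management Shell script is an added check, not code from the thread or from Microsoft; it uses real Exchange 2010 cmdlets, and the server name is a placeholder for your own Client Access server.

```powershell
# Added check script (not from the thread). Run in the Exchange Management
# Shell on the Client Access server; $server is a placeholder.
$server = $env:COMPUTERNAME

# Host names that clients and Exchange's own EWS calls connect to;
# each must appear in the IIS certificate's Subject Alternative Names.
$urls = @(
    (Get-WebServicesVirtualDirectory -Server $server).InternalUrl,
    (Get-ActiveSyncVirtualDirectory  -Server $server).InternalUrl
) | Where-Object { $_ }                                  # skip unset URLs
$hosts = $urls | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique

# Only the certificate with the IIS service enabled is used for HTTPS
# (EWS, ActiveSync, OWA); other certificates are irrelevant here.
$iisCerts = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' }

foreach ($cert in $iisCerts) {
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToLower() })
    "Thumbprint : $($cert.Thumbprint)"
    "Self-signed: $($cert.IsSelfSigned)"
    "Expires    : $($cert.NotAfter)"
    "SANs       : $($domains -join ', ')"
    foreach ($h in $hosts) {
        # A host name missing from the SAN list fails validation even
        # when the certificate chain itself is trusted.
        $state = if ($domains -contains $h) { 'matches a SAN' } else { 'NOT in certificate' }
        "  $h -> $state"
    }
    if ($cert.IsSelfSigned) {
        "  self-signed: replace with a certificate from your own CA or a public CA"
    }
}

# Separate a trust failure from an ActiveSync configuration failure: if the
# test passes only with -TrustAnySSLCertificate, the certificate is the problem.
$strict  = Test-ActiveSyncConnectivity -ClientAccessServer $server -ErrorAction SilentlyContinue
$lenient = Test-ActiveSyncConnectivity -ClientAccessServer $server -TrustAnySSLCertificate
"Strict result : $($strict.Result)"
"Lenient result: $($lenient.Result)"
if ($strict.Result -ne $lenient.Result) {
    "ActiveSync itself works; only certificate validation fails."
}
```

After replacing the certificate, run the script again: every host name should report "matches a SAN" and the strict test should succeed without -TrustAnySSLCertificate.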

All replies

  • Hi Janusz,

    The self-signed certificate was designed to help secure communications between Exchange 2007 servers inside an organization and also provide a temporary method to encrypt client communications until an alternative certificate is obtained and installed.

    It is recommended to use a trusted certificate instead of a self-signed certificate.

    Refer to:

    http://technet.microsoft.com/en-us/library/bb851554(v=exchg.80).aspx


    Fiona Liao

    TechNet Community Support

    Wednesday, November 14, 2012 8:26 AM
  • Hello,

    thank you all for your answers !

    Installing PKI on DC and issuing certificate to Exchange Server solved my problem.

    From the link:
    Understanding Digital Certificates and SSL:
    http://technet.microsoft.com/en-us/library/dd351044(v=exchg.141).aspx
    I found the sentence:
    Outlook Anywhere won't work with a self-signed certificate.
    which strongly discourages using a self-signed certificate!

    With a self-signed certificate, Test-OutlookConnectivity cannot even complete successfully.


    best regards Janusz Such

    Wednesday, November 14, 2012 12:07 PM