MSExchangeTransport EID 12013

    Question

  • We keep getting this error on our Exchange server:

    Event Type:    Error
    Event Source:    MSExchangeTransport
    Event Category:    TransportService
    Event ID:    12013
    Date:        9/24/2008
    Time:        9:51:28 AM
    User:        N/A
    Computer:    MERCURY
    Description:
    Microsoft Exchange couldn't find a certificate with a thumbprint of 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9 in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9 -services SMTP to resolve the issue. If the certificate doesn't exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN of the server enabled for SMTP by using New-ExchangeCertificate -domainname serverfqdn -services SMTP.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    The 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9 thumbprinted certificate was a self-generated one that I made with an improper flag that I later deleted. I did not actually *attach* it to anything (never set it in IIS or whatnot) or generally use it, at all. I made it in the console and later deleted it in the console. After deleting it, these errors have been flooding our logs. How do I make them go away? We have no internal or external mailflow problems, just a very annoying error log.

    We do have a new certificate in place to replace it, as well, and it seems to be working just fine...

    Any ideas?

    Thanks!


    EDIT: P.S., I've rebooted and that didn't help!
    Wednesday, September 24, 2008 2:13 PM

Answers

  • Dear customer:

     

    Thanks for your reply. The screenshots that you sent to me looks normal.

     

    Try the following steps and send the result to me for analysis,

     

    1. Create a custom script by copying the text below and save it as certlib.ps1 and
    then follow the instructions below to install it.

     

    **********The Script Text**********

    $tmp = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices");
    $tmp = [System.Reflection.Assembly]::LoadWithPartialName("System.Text");
    $tmp = [System.Reflection.Assembly]::LoadWithPartialName("System.Security");

    # Helper: SHA-256 of a byte array (not used by GetTLSCertFromAD; kept from the original).
    function Compute-Hash {
        Param ([Byte[]] $bytes = $null)
        $hasher = new-object System.Security.Cryptography.SHA256Managed;
        $hasher.ComputeHash($bytes);
    }

    # Helper: render a byte array as space-separated hex pairs.
    function Write-Bytes
    {
        Param ([Byte[]] $bytes = $null)
        $str = $null;
        foreach($byte in $bytes)
        {
            $str = $str + [System.String]::Format("{0:X2} ",$byte);
        }
        $str;
    }

    function FromBase64
    {
        Param ([String] $instr = $null)
        [System.Convert]::FromBase64String($instr)
    }

    function ToBase64
    {
        Param ([Byte[]] $inbytes = $null)
        [System.Convert]::ToBase64String($inbytes)
    }

    function GetMachineName
    {
        (Get-WmiObject Win32_ComputerSystem).Name;
    }

    # An Edge Transport server keeps its configuration in ADAM (port 50389); every other role reads AD.
    function GetLDAPPrefix
    {
        $machineName = GetMachineName;
        $exserver = get-ExchangeServer $machineName;

        if($exserver.IsEdgeServer)
        {
            $ldapprefix = "LDAP://localhost:50389/"
            write-host "Running on an Edge Server - pulling cert details from Adam";
        }else
        {
            $ldapprefix = "LDAP://";
            write-host "Not running on Edge - getting cert details from AD";
        }
        $ldapprefix;
    }

    function GetRootDSE
    {
        $ldapprefix = GetLDAPPrefix;
        $rootdse = new-object System.DirectoryServices.DirectoryEntry ($ldapprefix + "RootDSE");
        $rootdse;
    }

    # Find the msExchExchangeServer object for this machine in the configuration partition.
    function GetExchangeServerObject
    {
        Param ([System.String] $machinename = $null)
        $rootdse = GetRootDSE;
        write-host $rootdse;

        $ds = new-object System.DirectoryServices.DirectorySearcher;
        $ldapprefix = GetLDAPPrefix;

        $ds.SearchRoot = new-object System.DirectoryServices.DirectoryEntry ($ldapprefix + $rootdse.ConfigurationNamingContext);
        # Every term of an LDAP AND filter must be parenthesised; the cn= term was missing its parentheses.
        $ds.Filter = "(&(objectclass=msExchExchangeServer)(cn=$machinename))";

        write-host $ds.Filter;

        $ds.SearchScope = [System.DirectoryServices.SearchScope]::Subtree;
        $server = $ds.FindOne();

        $server;
    }

    # Return the Direct Trust certificate stored (DER-encoded) in msExchServerInternalTLSCert.
    function GetTLSCertFromAD
    {
        Param ([System.String] $server = $null)
        if([System.String]::IsNullOrEmpty($server))
        {
            write-error "GetTLSCertFromAD - Must provide server parameter";
            return $null;
        }

        $serverobj = GetExchangeServerObject $server
        if($serverobj -eq $null)
        {
            write-error "GetTLSCertFromAD - No msExchExchangeServer object found for $server";
            return $null;
        }

        write-host "Getting Prop"
        # The attribute value is a byte[]; the cast invokes the X509Certificate2(byte[]) constructor.
        $tlscert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $serverobj.Properties["msexchserverinternaltlscert"][0];
        $tlscert;
    }

    # Look a certificate up by thumbprint in the local computer's Personal (My) store.
    function GetCertforThumbprint
    {
        Param ([String] $print = $null)
        if([System.String]::IsNullOrEmpty($print))
        {
            write-error "GetCertforThumbprint - Must provide thumbprint parameter";
            return $null;
        }
        $certstore = new-object System.Security.Cryptography.X509Certificates.X509Store My,LocalMachine;
        $certstore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly);
        foreach($curCert in ($certstore.certificates))
        {
            if($curCert.Thumbprint -eq $print)
            {
                $curCert;
            }
        }

        $certstore.Close();
    }

     

    **********End Of Script Text**********

     

    2. Run the following steps to check the msExchServerInternalTLSCert value in AD:

     

    a. Save the attached file to the c:\ drive


    b. In the Exchange management shell change to the c:\ directory and run the command: . c:\certlib.ps1

     

    Note: In Step b, the command is period space c:\certlib.ps1

     

    c. Run the following command: GetTLSCertfromAD "server name" | fl >c:\GetTLSCertfromAD.txt

     

    replace "server name" with your Exchange server name.

     

    d. Make a note of the thumbprint for the certificate displayed.

     

    e. send the GetTLSCertfromAD.txt file to me.

     

    In addition, please help collect the following information:

     

    1. When did you install Exchange server 2007? Is it before 9/11/2008?

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    Monday, October 13, 2008 1:19 PM
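As an added example (mine, not part of the thread and not the certlib.ps1 script above), the following PowerShell consolidates what the script fetches with the personal-store check the event text asks for: it reads msExchServerInternalTLSCert for this server from Active Directory, compares that thumbprint with the Local Computer Personal store, and, when the certificate is gone, lists the SMTP-enabled certificates Exchange knows about and prints the Enable-ExchangeCertificate command the event message recommends without running it. Assumptions: it runs in the Exchange 2007 Management Shell on a Hub Transport server (the Edge/ADAM path is not handled), the caller can read the configuration partition, and the function name Test-DirectTrustCertificate and the candidate heuristic (private key present, not expired, server name in the subject) are my own.

```powershell
# Added example, not from the original thread. Assumes Exchange 2007 Management Shell
# (PowerShell 1.0) on a Hub Transport server; the Edge Transport/ADAM case is not handled.
function Test-DirectTrustCertificate {
    param([string]$ServerName = $env:COMPUTERNAME)

    # 1. The Direct Trust certificate Exchange expects is stored DER-encoded in
    #    msExchServerInternalTLSCert on the server's configuration object.
    $exServer = Get-ExchangeServer $ServerName
    $entry    = [ADSI]("LDAP://" + $exServer.DistinguishedName)
    $derBytes = [byte[]]$entry.Properties["msExchServerInternalTLSCert"].Value
    if ($derBytes -eq $null -or $derBytes.Length -eq 0) {
        Write-Warning "msExchServerInternalTLSCert is empty for $ServerName"
        return
    }
    $adCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$derBytes)
    $expected = $adCert.Thumbprint
    Write-Host "AD expects Direct Trust thumbprint $expected (subject $($adCert.Subject))"

    # 2. Is that certificate still in LocalMachine\My (the "personal store" from the event)?
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "My","LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $present = @($store.Certificates | Where-Object { $_.Thumbprint -eq $expected })
    $store.Close()

    if ($present.Count -gt 0) {
        Write-Host "Certificate is present in the personal store; Event 12013 should not fire for it."
        return
    }
    Write-Warning "Certificate $expected is NOT in the personal store - this is what Event 12013 reports."

    # 3. Which certificates does Exchange know about, and which of them carry SMTP?
    $smtpCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "SMTP" })
    foreach ($c in $smtpCerts) {
        Write-Host ("SMTP-enabled: {0}  {1}  expires {2}" -f $c.Thumbprint, $c.Subject, $c.NotAfter)
    }

    # 4. Suggest, but do not run, the remediation the event text asks for. Heuristic (mine):
    #    a cert with a private key, not expired, whose subject names this server.
    $candidate = $smtpCerts |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       $_.Subject -match [regex]::Escape($ServerName) } |
        Select-Object -First 1
    if ($candidate -ne $null) {
        Write-Host "Suggested fix (this rewrites msExchServerInternalTLSCert in AD):"
        Write-Host "  Enable-ExchangeCertificate -Thumbprint $($candidate.Thumbprint) -Services SMTP"
    } else {
        Write-Host "No suitable certificate found; create one with:"
        Write-Host "  New-ExchangeCertificate -DomainName $($exServer.Fqdn) -Services SMTP"
    }
}

Test-DirectTrustCertificate
```

The function only reads; Enable-ExchangeCertificate is the step that changes the attribute in AD, so the script prints it rather than executing it, which keeps it safe to run on a production Hub Transport server while you are still diagnosing.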

All replies

  • Hi,

     

    Try this:

     

    - generate a new certificate using the New-ExchangeCertificate PowerShell command

    - then check this technet article

    - export the new certificate

    - import it in the Trusted Root Certification Authority in your certificate store

     

    Regards,

     

    Johan

     

    blog: www.johanveldhuis.nl

     

     

    Wednesday, September 24, 2008 6:01 PM
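The four steps above, worked as an added PowerShell example (mine, not from the reply and not Exchange documentation). Assumptions: Exchange 2007 SP1 Hub Transport, run in the Exchange Management Shell as a local administrator (writing to the machine Root store requires it); New-ExchangeCertificate may prompt before it replaces the current default SMTP certificate; the function name and the FriendlyName label are mine. The export step uses the .NET Export method so that only the public certificate, never the private key, is written to disk.

```powershell
# Added example, not part of the original thread. Assumes Exchange 2007 SP1 Hub Transport,
# Exchange Management Shell, local administrator rights.
function New-DirectTrustCertificate {
    param([string]$Fqdn = (Get-ExchangeServer $env:COMPUTERNAME).Fqdn)

    # 1. Issue a new self-signed certificate for the server FQDN and enable it for SMTP.
    #    Enabling it for SMTP is what rewrites msExchServerInternalTLSCert in AD, so the
    #    transport service stops looking for the deleted thumbprint.
    $cert = New-ExchangeCertificate -DomainName $Fqdn -Services SMTP -FriendlyName "Direct Trust $Fqdn"
    if ($cert -eq $null) { throw "New-ExchangeCertificate returned nothing" }
    Write-Host "Issued $($cert.Thumbprint) for $($cert.Subject), services: $($cert.Services)"

    # 2. Export the public certificate only (DER, no private key) to a .cer file.
    $derBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $cerPath  = Join-Path $env:TEMP ($cert.Thumbprint + ".cer")
    [System.IO.File]::WriteAllBytes($cerPath, $derBytes)
    Write-Host "Public certificate written to $cerPath"

    # 3. Import it into Trusted Root Certification Authorities (Local Computer).
    #    Caveat: anything in this store is a trust anchor for every application on the
    #    machine, not only Exchange, so check the thumbprint before adding it.
    $pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$derBytes)
    if ($pub.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch after export" }
    if ($pub.HasPrivateKey) { throw "Export unexpectedly included a private key" }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root","LocalMachine"
    $root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $root.Add($pub)      # no-op if the certificate is already in the store
    $root.Close()

    # 4. Show what Exchange now holds for this thumbprint.
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Thumbprint, Services, Subject, NotAfter
    # Optional: Restart-Service MSExchangeTransport forces the transport service to reload now.
    return $cert
}

New-DirectTrustCertificate
```

Run it once and keep the returned thumbprint: that is the value you expect to see in msExchServerInternalTLSCert afterwards, and the one any later Event 12013 should name if something deletes the certificate again.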
  • I just tried your steps and I have continued to see the errors coming in.  Should I need to do anything else, such as restart a particular service?

    Thanks.
    Wednesday, September 24, 2008 6:25 PM
  •  

    Dear customer:

     

    In order to better troubleshoot the issue, please help collect the following information:

     

    1.       Did you install Exchange server 2007 SP1?

    2.       How many Exchange 2007 servers did you deploy? Did you install Edge transport server?

    3.       On Exchange server 2007, open EMS, run the following command and post the result into the forum for analysis.

     

    Get-exchangecertificate | fl *

     

    4.       "I made it in the console and later deleted it in the console." Does it mean that you deleted the self-signed certificate from the Certificates MMC snap-in?

    5.       On the problematic Exchange server 2007, perform the following steps:

    a)      Click Start, click Run, type mmc, and then click OK.

    b)      In the File menu, click Add/Remove Snap-in.

    c)       In the Add/Remove Snap-in box, click Add.

    d)      In the Available Standalone Snap-ins list, click Certificates, and then click Add.

    e)      Click Computer Account, and then click Next.

    f)       Click the Local computer (the computer this console is running on) option, and then click Finish.

    g)      Click Close, and then click OK.

    h)      Navigate to Personal - Certificates, double-click a certificate in the right pane, click the Details tab, check the "Thumbprint" field, and record the thumbprint,

    i)        Repeat step h for each certificate until you find a certificate whose thumbprint equals 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9,

    j)        If you don't find a certificate whose thumbprint equals 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9, it means that you deleted the certificate.

    6.       On the problematic Exchange server 2007, run the following command, wait for the issue to reproduce, save the application log as an .evt file and send it to v-rocwan@microsoft.com for analysis,

     

    Set-EventLogLevel MSExchangeTransport\TransportService -Level 7

     

    Thanks for your cooperation.

     

    Note: when you send e-mail to me, please add the subject of the post.

     

    Rock Wang - MSFT

    Thursday, September 25, 2008 6:18 AM
  • Dear customer:

     

    Please run the following command and send the txt file to me for analysis.

     

    Get-exchangeCertificate | fl  * >c:\cer.txt

     

    Your information is important for me to troubleshoot the issue.

     

    In addition, did you enable SMTP service for the new self-signed certificate?

     

    You can upload your application log into the following location, I have sent password to you.

     

    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=1ffb0cf8-d8db-46ca-b871-d71e8cbd4248

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

     

    Friday, September 26, 2008 12:15 PM
  • Dear customer:

     

    Sorry for the inconvenience, I haven't received your log file; please upload it to the following location again. I have sent the password to you.

     

    URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=e256fa2a-b0ce-45f2-9472-53d390f2df08

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    Monday, October 06, 2008 8:49 AM
  •  

    Dear customer:

     

    Please run the following command and send the txt file to me for analysis.

     

    Get-exchangeCertificate | fl  * >c:\cer.txt

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    Thursday, October 09, 2008 8:38 AM
  •  

    Dear customer:

     

    I received your log file. According to your txt file, it seems ok.

     

    In order to better troubleshoot the issue, please help collect the following information:

     

    1.       On the problematic Exchange server 2007, perform the following steps:

     

    a)      Click Start, click Run, type mmc, and then click OK.

    b)      In the File menu, click Add/Remove Snap-in.

    c)      In the Add/Remove Snap-in box, click Add.

    d)      In the Available Standalone Snap-ins list, click Certificates, and then click Add.

    e)      Click Computer Account, and then click next.

    f)       Navigate to Certificates (Local Computer) - Personal - Certificates, go to the far right pane and send me a screenshot of it.

    g)      Select a certificate, double click it, and click details, select thumbprint, send the screenshot of it to me.

    h)      Repeat step g for each certificate; send the screenshot of it to me.

     

    Note: when you send e-mail to me, please let me know the subject of the post.

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    Monday, October 13, 2008 12:14 PM
  •  

    Dear customer:

     

    The script will not take down or remove functionality from the server. It just determines the thumbprint of the Direct Trust certificate.

     

    Thanks!

     

    If anything is unclear, please feel free to let me know.

     

    Rock Wang - MSFT

    Tuesday, October 14, 2008 1:38 AM
  • I can't get the above script to run.  There seems to be a piece missing:

    $ds.SearchScope = [System.DirectoryServices.SearchScope]:Tongue Tiedubtree;
    $server = $ds.FindOne();

    What should be before the "ubtree"?

    Thanks!

     

    Tuesday, November 08, 2011 6:31 PM