MSExchangeTransport 12019


This article provides an explanation and possible resolutions for a specific Exchange event. If you don't find what you’re looking for here, try searching Exchange 2010 Help.

Details

Product Name

Exchange

Product Version

14.0

Event ID

12019

Event Source

MSExchangeTransport

Category

TransportService

Symbolic Name

RemoteInternalTransportCertificateExpired

Message Text

The remote internal transport certificate expired. Certificate subject: %1.

Explanation

This Information event indicates that the Microsoft Exchange Transport service Transport Layer Security (TLS) certificate has expired. This expiry may affect SMTP traffic among Hub Transport servers and Edge Transport servers in the organization.

Microsoft Exchange Server 2010 includes a feature that is known as opportunistic TLS. To allow for opportunistic TLS, the Exchange 2010 Setup program configures a self-signed certificate for TLS usage. By default, TLS is enabled in Exchange 2010. This lets any sending system encrypt an incoming SMTP session in conjunction with Exchange 2010. Also, by default, Exchange 2010 tries to establish TLS sessions for remote SMTP connections.

By default, all SMTP communication among Microsoft Exchange 2010 Hub Transport servers is encrypted by using TLS certificates. Additionally, all authenticated SMTP traffic between Hub Transport servers and SMTP clients is encrypted by default by using TLS certificates. Exchange uses the X-ANONYMOUSTLS SMTP protocol extension to encrypt SMTP traffic between Hub Transport and Edge Transport servers. X-ANONYMOUSTLS enables an encrypted session without requiring certificates issued from a certification authority (CA).

Note   Because X-ANONYMOUSTLS does not require certificates from a certification authority (CA), the TLS session does not verify the sender or recipient identity. It encrypts only the SMTP traffic.

In a default Exchange 2010 installation, SMTP traffic no longer passes between the Hub Transport and the Edge Transport server if the internal Transport certificate expires.

For more information, see the following topics.

User Action

To troubleshoot this issue, do one or more of the following:

  • Review the Application log and System log on your Exchange 2010 servers for related events. For example, events that occur immediately before and after this event may provide more information about the root cause of this error.

  • Increase diagnostics logging for the Microsoft Exchange Transport service. To do this, run the following commands at the Exchange Management Shell:

    Get-EventLogLevel -Identity msexchangetransport

    Get-EventLogLevel -Identity msexchangetransport\* | Set-EventLogLevel -Level Expert

  • Renew the expired Exchange certificate. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Note the Thumbprint value from event ID 12017. For example, note the following value:

      c4248cd7065c87cb942d60f7293feb7d533a4afc

    3. Run the following command to renew the certificate:

      Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate

    For more information, see New-ExchangeCertificate.

  • If you cannot renew the certificate, create and enable a new TLS certificate. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Run the following command to create a new certificate:

      New-ExchangeCertificate

    3. Run the following command to enable the new certificate:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP

    4. Run the following command to remove the expiring certificate:

      Remove-ExchangeCertificate -Thumbprint <thumbprint_of_expiring_certificate>

  • If you receive the following error message when you try to remove the default self-signed certificate, use the Certificates MMC snap-in to manually remove the expired self-signed certificate.

    • Remove-ExchangeCertificate: The default certificate cannot be removed.

  • To use the Certificates MMC snap-in to remove the expiring certificate, follow these steps:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in, click Certificates, click Add, click Computer account, click Next, and then click Finish.

    3. Click OK.

    4. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

    5. In the details pane, examine the expiration date and thumbprint information of each certificate. Then, delete the expiring certificate.

    6. Restart the Microsoft Exchange Transport service.

    7. Run the following command at the Exchange Management Shell to enable the new certificate:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP

    8. Restart the Microsoft Exchange Transport service, and then verify that Event ID 12017 is no longer logged in the Application log.

  • If you created a new self-signed certificate on the Hub Transport server and on the Edge Transport server, you may need to reconfigure the Edge subscription. To do this, follow these steps:

    1. On the Edge Transport server, start the Exchange Management Shell.

    2. Run the following command to create a new Edge Subscription file:

      New-EdgeSubscription -FileName "C:\EdgeSubscription-1.xml"

    3. Copy the EdgeSubscription-1.xml file to the Hub Transport server.

    4. On the Hub Transport server, start the Exchange Management Console.

    5. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

    6. In the details pane, click Edge Subscriptions, and then click New Edge Subscription in the Actions pane.

    7. Click Browse next to Active Directory Site, click the appropriate site, and then click OK. For example, click Default-First-Site-Name.

    8. Click Browse next to Subscription file, and then click the EdgeSubscription-1.xml file that you copied to the Hub Transport server, and then click OK.

    9. Click Next, and then click Finish.

  • Resolve your issue by using self-support options, assisted support options, and other resources. You can access these resources from the Exchange Server Solutions Center. From this page, click Self-Support Options in the navigation pane to use self-help options. Self-help options include searching the Microsoft Knowledge Base, posting a question at the Exchange Server forums, and other methods. Alternatively, in the navigation pane, you can click Assisted Support Options to contact a Microsoft support professional. Because your organization may have a specific procedure for directly contacting Microsoft Product Support Services, be sure to review your organization's guidelines first.
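The following script is an added example, not part of the original article: it audits the certificates that Exchange 2010 has enabled for SMTP, flags any that are expired or close to expiry, and prints (rather than runs) the renewal command from the steps above for each expired self-signed certificate. It assumes it runs in the Exchange Management Shell on a Hub or Edge Transport server, that Get-TransportServer exposes the InternalTransportCertificateThumbprint property, and the 30-day warning window is an arbitrary choice.

```powershell
# Added example (not from the original article): find SMTP certificates that
# are expired or about to expire so event 12019 is caught before Hub/Edge
# mail flow stops. Assumes the Exchange Management Shell on a transport server.
$WarnDays = 30                     # arbitrary warning window (assumption)
$Now = Get-Date

# Thumbprint of the certificate the transport service currently uses for the
# internal (X-ANONYMOUSTLS) session, so it can be marked in the report.
# Assumes the InternalTransportCertificateThumbprint property is present.
$Internal = (Get-TransportServer -Identity $env:COMPUTERNAME).InternalTransportCertificateThumbprint

$Report = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object {
        $DaysLeft = [int]($_.NotAfter - $Now).TotalDays
        $State = if ($DaysLeft -lt 0) { 'EXPIRED' }
                 elseif ($DaysLeft -le $WarnDays) { 'EXPIRING' }
                 else { 'OK' }
        New-Object PSObject -Property @{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            DaysLeft      = $DaysLeft
            State         = $State
            SelfSigned    = $_.IsSelfSigned
            InternalCert  = ($_.Thumbprint -eq $Internal)
        }
    }

# Soonest-expiring certificates first; InternalCert = True is the one whose
# expiry produces event 12019 on the peer transport server.
$Report | Sort-Object DaysLeft |
    Format-Table Thumbprint, State, DaysLeft, InternalCert, Subject -AutoSize

# Print the article's renewal command for each expired or expiring self-signed
# certificate instead of running it, so the change is reviewed first: renewing
# the internal transport certificate may require re-creating the Edge subscription.
$Report | Where-Object { $_.State -ne 'OK' -and $_.SelfSigned } | ForEach-Object {
    "Renew with: Get-ExchangeCertificate -Thumbprint $($_.Thumbprint) | New-ExchangeCertificate"
}
```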

For more information about transport certificates, see the following topics:
