MSExchangeTransport 12024


This article provides an explanation and possible resolutions for a specific Exchange event. If you don't find what you’re looking for here, try searching Exchange 2010 Help.

Details

Product Name:     Exchange
Product Version:  14.0
Event ID:         12024
Event Source:     MSExchangeTransport
Category:         TransportService
Symbolic Name:    CannotLoadInternalTransportCertificateFallbackEphemeralCertificate

Message Text

Microsoft Exchange could not load the certificate with thumbprint of %1 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate %1 -services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, an ephemeral, self-signed certificate with thumbprint %2 is being used.

Explanation

This Information event indicates that the Microsoft Exchange Transport service is configured to use a particular Transport Layer Security (TLS) certificate to establish encrypted SMTP sessions in conjunction with other SMTP servers. However, the Microsoft Exchange Transport service is unable to access the configured certificate. This issue may affect SMTP traffic among Hub Transport servers and Edge Transport servers in the organization.

When the Microsoft Exchange Server 2010 Hub Transport role or Edge Transport role is installed, the Microsoft Exchange Transport service creates an internal self-signed certificate for use with SMTP over TLS. This lets any sending system negotiate an encrypted SMTP session with Exchange 2010. By default, the following conditions apply:

  • Exchange 2010 tries to establish TLS sessions for remote SMTP connections.

  • All SMTP communications among Exchange 2010 Hub Transport servers are encrypted by using TLS certificates.

  • All authenticated SMTP traffic between Hub Transport servers and SMTP clients is encrypted by using TLS certificates.

Exchange uses the X-ANONYMOUSTLS SMTP protocol extension to encrypt SMTP traffic between Hub Transport servers and Edge Transport servers. X-ANONYMOUSTLS enables an encrypted session without requiring certificates issued from a certification authority (CA).

Note   Because X-ANONYMOUSTLS does not require certificates from a CA, the TLS session does not verify the sender or recipient identity. It encrypts only the SMTP traffic.

To support SMTP over TLS with remote servers, a Hub Transport server or an Edge Transport server requires a Windows PKI certificate or a third-party certificate. You can enable the new certificate for SMTP communications to the service connection point (SCP). Typically, the SCP represents the publicly accessible FQDN of the Hub Transport or Edge Transport server.

This event may be logged if a certificate that has been enabled for use in conjunction with SMTP over TLS has become damaged or has not been enabled for use with SMTP. In this scenario, SMTP traffic may no longer pass between certain Hub Transport servers or Edge Transport servers. For more information, see the following topics.

User Action

To troubleshoot this issue, do one or more of the following:

  • Review the Application log and System log on your Exchange 2010 servers for related events. For example, events that occur immediately before and after this event may provide more information about the root cause of this error.

  • Increase diagnostics logging for the Microsoft Exchange Transport service. To do this, run the following commands at the Exchange Management Shell:

    Get-EventLogLevel -Identity msexchangetransport

    Get-EventLogLevel -Identity msexchangetransport\* | Set-EventLogLevel -Level Expert

  • Examine the installed certificates to verify that an appropriate certificate for use for the Transport server is installed. To view the certificates, follow these steps:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. Click Certificates, click Add, click Computer account, click Next, and then click Finish.

    4. Click OK.

    5. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

    6. In the details pane, view the certificate details to verify that the certificate reflects the publicly accessible FQDN that is used to access the server.

    For more information, see Understanding TLS Certificates.

  • If the certificate is listed in the Personal certificates store on the Transport server, enable the certificate for use for SMTP. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Run the following command to verify that the certificate thumbprint is listed:

      Get-ExchangeCertificate | fl

    3. Copy the thumbprint to the clipboard.

    4. Run the following command, pasting the thumbprint to replace the <thumbprint_of_certificate> placeholder:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_certificate> -Services SMTP

    5. If you receive an error message that resembles the following, restart the Microsoft Exchange Transport service:

      WARNING: This certificate will not be used for external TLS connections with an FQDN of 'MAIL.EXAMPLE.COM' because the CA signed certificate with thumbprint '<thumbprint>' takes precedence. The following connectors match that FQDN: Default MAIL, Client MAIL.

      To restart the Microsoft Exchange Transport service, run the following command:

      restart-service msexchangetransport

  • If you cannot renew the certificate, create and enable a new TLS certificate. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Run the following command to create a new certificate:

      New-ExchangeCertificate

    3. Run the following command to enable the new certificate:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP

    4. Run the following command to remove the expiring certificate:

      Remove-ExchangeCertificate -Thumbprint <thumbprint_of_expiring_certificate>

  • If you receive the following error message when you try to remove the default self-signed certificate, use the Certificates MMC snap-in to manually remove the expired self-signed certificate.

    • Remove-ExchangeCertificate: The default certificate cannot be removed.

  • To use the Certificates MMC snap-in to remove the expiring certificate, follow these steps:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in, click Certificates, click Add, click Computer account, click Next, and then click Finish.

    3. Click OK.

    4. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

    5. In the details pane, examine the expiration date and thumbprint information of each certificate. Then, delete the expiring certificate.

    6. Restart the Microsoft Exchange Transport service.

    7. Run the following command at the Exchange Management Shell to enable the new certificate:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP

    8. Restart the Microsoft Exchange Transport service, and then verify that Event ID 12017 is no longer logged in the Application log.

  • If you created a new self-signed certificate on the Hub Transport server and on the Edge Transport server, you may need to reconfigure the Edge subscription. To do this, follow these steps:

    1. On the Edge Transport server, start the Exchange Management Shell.

    2. Run the following command to create a new Edge Subscription file:

      New-EdgeSubscription -FileName "C:\EdgeSubscription-1.xml"

    3. Copy the EdgeSubscription-1.xml file to the Hub Transport server.

    4. On the Hub Transport server, start the Exchange Management Console.

    5. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

    6. In the details pane, click Edge Subscriptions, and then click New Edge Subscription in the Actions pane.

    7. Click Browse next to Active Directory Site, click the appropriate site, and then click OK. For example, click Default-First-Site-Name.

    8. Click Browse next to Subscription file, and then click the EdgeSubscription-1.xml file that you copied to the Hub Transport server, and then click OK.

    9. Click Next, and then click Finish.

  • Resolve your issue by using self-support options, assisted support options, and other resources. You can access these resources from the Exchange Server Solutions Center. From this page, click Self-Support Options in the navigation pane to use self-help options. Self-help options include searching the Microsoft Knowledge Base, posting a question at the Exchange Server forums, and other methods. Alternatively, in the navigation pane, you can click Assisted Support Options to contact a Microsoft support professional. Because your organization may have a specific procedure for directly contacting Microsoft Product Support Services, be sure to review your organization's guidelines first.
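The checks and fixes from the steps above, collected into one diagnostic script. This is an added example, not part of the TechNet article and not Microsoft's code. It assumes it is run in the Exchange Management Shell on the affected Exchange 2010 transport server, that Get-WinEvent can read the local Application log, and that the -Remediate switch name is hypothetical. Without -Remediate it only reports; with it, it applies the two fixes the event text names (Enable-ExchangeCertificate for a certificate that is still in the store, New-ExchangeCertificate for one that is missing).

```powershell
# Added example (not from the TechNet article): diagnose MSExchangeTransport event 12024
# and optionally apply the fixes the article lists. Run as an Exchange administrator.
# Assumption: executed locally on the affected server in the Exchange Management Shell.
param(
    [switch]$Remediate   # hypothetical switch; without it the script only reports
)

# 1. Most recent 12024 event. Properties[0] carries %1 (configured thumbprint) and
#    Properties[1] carries %2 (the ephemeral self-signed fallback thumbprint).
$event = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchangeTransport'
    Id           = 12024
} -MaxEvents 1 -ErrorAction SilentlyContinue

if (-not $event) {
    Write-Host "No event 12024 found in the Application log on $env:COMPUTERNAME."
    return
}

if ($event.Properties.Count -ge 2) {
    $configured = $event.Properties[0].Value
    $ephemeral  = $event.Properties[1].Value
} else {
    # Fallback: pull the two 40-hex-digit SHA-1 thumbprints out of the message text.
    $hits = [regex]::Matches($event.Message, '\b[0-9A-Fa-f]{40}\b')
    if ($hits.Count -lt 2) { Write-Warning "Could not parse thumbprints from event text."; return }
    $configured = $hits[0].Value
    $ephemeral  = $hits[1].Value
}

Write-Host ("Event 12024 at {0}: configured thumbprint {1}, ephemeral fallback {2}" -f `
    $event.TimeCreated, $configured, $ephemeral)

# 2. Is the configured certificate still present in the local computer's Personal store?
$cert = Get-ExchangeCertificate -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $configured }

if (-not $cert) {
    # Article's guidance: restore it with Import-ExchangeCertificate from backup, or create
    # a new self-signed certificate for the server FQDN enabled for SMTP.
    Write-Warning "Certificate $configured is not in the Personal store."
    if ($Remediate) {
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        Write-Host "Creating a new self-signed SMTP certificate for $fqdn ..."
        $new = New-ExchangeCertificate -DomainName $fqdn -Services SMTP -Force
        Write-Host "New certificate thumbprint: $($new.Thumbprint)"
    }
    return
}

# 3. Present: report expiry and whether SMTP is among the enabled services.
#    Services is a flags value that renders as e.g. "IMAP, POP, SMTP".
$expired = $cert.NotAfter -lt (Get-Date)
$smtpOn  = ($cert.Services.ToString() -split ',\s*') -contains 'SMTP'

Write-Host ("Subject: {0}`nExpires: {1} (expired: {2})`nServices: {3}" -f `
    $cert.Subject, $cert.NotAfter, $expired, $cert.Services)

if ($expired) {
    Write-Warning "Certificate has expired; create or import a replacement and enable it for SMTP."
} elseif (-not $smtpOn) {
    Write-Warning "Certificate exists but is not enabled for SMTP."
    if ($Remediate) {
        # The exact fix named in the event text, followed by the service restart the
        # article calls for when Enable-ExchangeCertificate warns about precedence.
        Enable-ExchangeCertificate -Thumbprint $configured -Services SMTP -Force
        Restart-Service MSExchangeTransport
        Write-Host "Enabled for SMTP and transport service restarted; re-check the Application log."
    }
} else {
    Write-Host "Certificate is present, valid and SMTP-enabled. Compare the event time with the last transport service restart and review adjacent Application/System log events, as the article suggests."
}
```

Run it once without the switch to confirm which of the three states (missing, expired, not SMTP-enabled) the server is in, then with -Remediate. After remediation, re-query the Application log: a fresh 12024 after the restart means the transport service still cannot use the certificate and the surrounding events need a closer look.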

For more information about transport certificates, see the following topics:
