MSExchangeTransport 12017

 

Topic last modified: 2011-03-19

This article provides an explanation and possible resolutions for a specific Exchange event. For more information, see Exchange 2010 Help.

Details

Product Name: Exchange

Product Version: 14.0

Event ID: 12017

Event Source: MSExchangeTransport

Category: TransportService

Symbolic Name: InternalTransportCertificateExpiresSoon

Message Text: An internal transport certificate will expire soon. Thumbprint:%1, hours remaining: %2

Explanation

This Information event indicates that the Microsoft Exchange Transport service Transport Layer Security (TLS) certificate is about to expire. This expiry may affect SMTP traffic among Hub Transport servers and Edge Transport servers in the organization.

Microsoft Exchange Server 2010 includes a feature that is known as opportunistic TLS. To allow for opportunistic TLS, the Exchange 2010 Setup program configures a self-signed certificate for TLS usage. By default, TLS is enabled in Exchange 2010. This lets any sending system encrypt its inbound SMTP session to Exchange 2010. Also, by default, Exchange 2010 tries to establish TLS sessions for remote SMTP connections.

By default, all SMTP communication among Microsoft Exchange 2010 Hub Transport servers is encrypted by using TLS certificates. Additionally, all authenticated SMTP traffic between Hub Transport servers and SMTP clients is encrypted by default by using TLS certificates. Exchange uses the X-ANONYMOUSTLS SMTP protocol extension to encrypt SMTP traffic between Hub Transport and Edge Transport servers. X-ANONYMOUSTLS enables an encrypted session without requiring certificates issued from a certification authority (CA).

Note: Because X-ANONYMOUSTLS does not require certificates from a CA, the TLS session does not verify the sender or recipient identity. It encrypts only the SMTP traffic.

In a default Exchange 2010 installation, SMTP traffic no longer passes between the Hub Transport and the Edge Transport server if the internal Transport certificate expires.

For more information, see Understanding TLS Certificates.
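
As an added example (not part of the original article and not Microsoft's code), the following Exchange Management Shell snippet reads the thumbprint and hours-remaining values from recent 12017 events and compares them with the certificates currently installed on the server. The 7-day lookback, the 30-day warning window and the variable names are assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the Hub Transport or Edge Transport server that logged the event.
# Assumptions: 7-day lookback and 30-day warning window are arbitrary choices.
$lookbackDays = 7
$warnDays     = 30

# Message text is "Thumbprint:%1, hours remaining: %2", so the two insertion
# strings of each event are the thumbprint and the hours left.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSExchangeTransport'
    Id           = 12017
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Keep only the most recent event per thumbprint (later events overwrite earlier).
$latest = @{}
foreach ($e in ($events | Sort-Object TimeCreated)) {
    $thumb = ([string]$e.Properties[0].Value).Trim().ToUpper()
    $latest[$thumb] = New-Object PSObject -Property @{
        Thumbprint     = $thumb
        LastLogged     = $e.TimeCreated
        HoursRemaining = [string]$e.Properties[1].Value
    }
}

# Compare the warned-about thumbprints with what is installed right now.
$certs = @(Get-ExchangeCertificate)
foreach ($entry in $latest.Values) {
    $match = $certs | Where-Object { $_.Thumbprint -eq $entry.Thumbprint }
    $state = if ($match) { "still installed, NotAfter $($match.NotAfter)" }
             else        { 'no longer installed' }
    "{0}  last logged {1}, hours remaining {2}: {3}" -f `
        $entry.Thumbprint, $entry.LastLogged, $entry.HoursRemaining, $state
}

# List every certificate enabled for SMTP, soonest expiry first.
$certs | Where-Object { "$($_.Services)" -match 'SMTP' } |
    Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter,
        @{ Name = 'ExpiresSoon'
           Expression = { $_.NotAfter -lt (Get-Date).AddDays($warnDays) } } |
    Sort-Object NotAfter | Format-Table -AutoSize
```

Running it again after the renewal steps shows whether the old thumbprint is gone and whether the replacement certificate is enabled for SMTP.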

User Action

To troubleshoot this issue, do one or more of the following:

  • Review the Application log and System log on your Exchange 2010 servers for related events. For example, events that occur immediately before and after this event may provide more information about the root cause of this error.

  • Review the Operations Console in Operations Manager for detailed information about the cause of this problem. For more information, see the "Introduction" section in this article.

  • Increase diagnostics logging for the Microsoft Exchange Transport service. To do this, run the following commands at the Exchange Command Shell:
    Get-EventLogLevel -Identity msexchangetransport
    Get-EventLogLevel -Identity msexchangetransport\* | Set-EventLogLevel -Level Expert

  • Renew the expired Exchange certificate. To do this, follow these steps:

    1. Start the Exchange Management Shell.
    2. Note the Thumbprint value from event ID 12017. For example, note the following value:
      c4248cd7065c87cb942d60f7293feb7d533a4afc
    3. Run the following command to renew the certificate:
      Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate

    For more information, see New-ExchangeCertificate.

  • If you cannot renew the certificate, create and enable a new TLS certificate. To do this, follow these steps:

    1. Start the Exchange Management Shell.
    2. Run the following command to create a new certificate:
      New-ExchangeCertificate
    3. Run the following command to enable the new certificate:
      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP
    4. Run the following command to remove the expiring certificate:
      Remove-ExchangeCertificate -Thumbprint <thumbprint_of_expiring_certificate>
  • If you receive the following error message when you try to remove the default self-signed certificate, use the Certificates MMC snap-in to manually remove the expired self-signed certificate:

      Remove-ExchangeCertificate: The default certificate cannot be removed.
  • To use the Certificates MMC snap-in to remove the expiring certificate, follow these steps:

    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in, click Certificates, click Add, click Computer account, click Next, and then click Finish.
    3. Click OK.
    4. Expand Certificates (Local Computer), expand Personal, and then click Certificates.
    5. In the details pane, examine the expiration date and thumbprint information of each certificate. Then, delete the expiring certificate.
    6. Restart the Microsoft Exchange Transport service.
    7. Run the following command at the Exchange Management Shell to enable the new certificate:
      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP
    8. Restart the Microsoft Exchange Transport service, and then verify that Event ID 12017 is no longer logged in the Application log.
  • If you created a new self-signed certificate on the Hub Transport server and on the Edge Transport server, you may need to reconfigure the Edge subscription. To do this, follow these steps:

    1. On the Edge Transport server, start the Exchange Management Shell.
    2. Run the following command to create a new Edge Subscription file:
      New-EdgeSubscription -FileName "C:\EdgeSubscription-1.xml"
    3. Copy the EdgeSubscription-1.xml file to the Hub Transport server.
    4. On the Hub Transport server, start the Exchange Management Console.
    5. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
    6. In the details pane, click Edge Subscriptions, and then click New Edge Subscription in the Actions pane.
    7. Click Browse next to Active Directory Site, click the appropriate site, and then click OK. For example, click Default-First-Site-Name.
    8. Click Browse next to Subscription file, click the EdgeSubscription-1.xml file that you copied to the Hub Transport server, and then click OK.
    9. Click Next, and then click Finish.
  • Resolve your issue by using self-support options, assisted support options, and other resources. You can access these resources from the Exchange Server Solutions Center (the page may be in English). From this page, click Self-Support Options in the navigation pane to use self-support options. Self-support options include searching the Microsoft Knowledge Base, posting a question at the Exchange Server forums, and others. Alternatively, in the navigation pane, click Assisted Support Options to contact a Microsoft support professional. Because your organization may have a specific procedure for directly contacting Microsoft Technical Support, be sure to review your organization's guidelines first.

For more information about transport certificates, see the following topics:

The content of each blog and its URL are subject to change without notice. The content of each blog is provided "AS IS" with no warranties, and confers no rights. Use of included code or script samples is subject to the terms specified in the Microsoft Terms of Use.