MSExchangeTransport 12015

 

Topic Last Modified: 2011-03-19

This article explains a specific Exchange event and provides possible solutions. If you do not find what you need here, try searching Exchange 2010 Help.

Details

Product Name: Exchange

Product Version: 14.0

Event ID: 12015

Event Source: MSExchangeTransport

Category: TransportService

Symbolic Name: InternalTransportCertificateExpired

Message Text: An internal transport certificate expired. Thumbprint:%1

Explanation

This Information event indicates that the Microsoft Exchange Transport service Transport Layer Security (TLS) certificate has expired. This expiry may affect SMTP traffic among Hub Transport servers and Edge Transport servers in the organization.

Microsoft Exchange Server 2010 includes a feature that is known as opportunistic TLS. To allow for opportunistic TLS, the Exchange 2010 Setup program configures a self-signed certificate for TLS usage. By default, TLS is enabled in Exchange 2010. This lets any sending system encrypt an incoming SMTP session in conjunction with Exchange 2010. Also, by default, Exchange 2010 tries to establish TLS sessions for remote SMTP connections.

By default, all SMTP communication among Microsoft Exchange 2010 Hub Transport servers is encrypted by using TLS certificates. Additionally, all authenticated SMTP traffic between Hub Transport servers and SMTP clients is encrypted by default by using TLS certificates. Exchange uses the X-ANONYMOUSTLS SMTP protocol extension to encrypt SMTP traffic between Hub Transport and Edge Transport servers. X-ANONYMOUSTLS enables an encrypted session without requiring certificates issued from a certification authority (CA).

Note: Because X-ANONYMOUSTLS does not require certificates from a CA, the TLS session does not verify the sender or recipient identity. It encrypts only the SMTP traffic.

In a default Exchange 2010 installation, SMTP traffic no longer passes between the Hub Transport and the Edge Transport server if the internal Transport certificate expires.

For more information, see the following topics.

User Action

To troubleshoot this issue, do one or more of the following:

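  • Review the Application log and System log on your Exchange 2010 servers for related events. For example, events that occur immediately before and after this event may provide more information about the root cause of this error.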

  • Increase diagnostics logging for the Microsoft Exchange Transport service. To do this, run the following commands at the Exchange Command Shell:

    Get-EventLogLevel -Identity msexchangetransport

    Get-EventLogLevel -Identity msexchangetransport\* | Set-EventLogLevel -Level Expert

  • Renew the expired Exchange certificate. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Note the Thumbprint value from event ID 12017. For example, note the following value:

      c4248cd7065c87cb942d60f7293feb7d533a4afc

    3. Run the following command to renew the certificate:

      Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate

    For more information, see New-ExchangeCertificate.

  • If you cannot renew the certificate, create and enable a new TLS certificate. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Run the following command to create a new certificate:

      New-ExchangeCertificate

    3. Run the following command to enable the new certificate:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP

    4. Run the following command to remove the expiring certificate:

      Remove-ExchangeCertificate -Thumbprint <thumbprint_of_expiring_certificate>

  • If you receive the following error message when you try to remove the default self-signed certificate, use the Certificates MMC snap-in to manually remove the expired self-signed certificate.

    • Remove-ExchangeCertificate: The default certificate cannot be removed.

  • To use the Certificates MMC snap-in to remove the expiring certificate, follow these steps:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in, click Certificates, click Add, click Computer account, click Next, and then click Finish.

    3. Click OK.

    4. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

    5. In the details pane, examine the expiration date and thumbprint information of each certificate. Then, delete the expiring certificate.

    6. Restart the Microsoft Exchange Transport service.

    7. Run the following command at the Exchange Management Shell to enable the new certificate:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP

    8. Restart the Microsoft Exchange Transport service, and then verify that Event ID 12017 is no longer logged in the Application log.

  • If you created a new self-signed certificate on the Hub Transport server and on the Edge Transport server, you may need to reconfigure the Edge subscription. To do this, follow these steps:

    1. On the Edge Transport server, start the Exchange Management Shell.

    2. Run the following command to create a new Edge Subscription file:

      New-EdgeSubscription -FileName "C:\EdgeSubscription-1.xml"

    3. Copy the EdgeSubscription-1.xml file to the Hub Transport server.

    4. On the Hub Transport server, start the Exchange Management Console.

    5. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

    6. In the details pane, click Edge Subscriptions, and then click New Edge Subscription in the Actions pane.

    7. Click Browse next to Active Directory Site, click the appropriate site, and then click OK. For example, click Default-First-Site-Name.

    8. Click Browse next to Subscription file, and then click the EdgeSubscription-1.xml file that you copied to the Hub Transport server, and then click OK.

    9. Click Next, and then click Finish.

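  • Use self-help support options, assisted support options, and other resources to resolve your issue. You can access these resources from the Exchange Server Solutions Center. On that page, click "Self-Support Options" in the navigation pane to use the self-service options. Self-service options include searching the Microsoft Knowledge Base, posting a question on the Exchange Server forums, and other methods. Alternatively, you can click "Assisted Support Options" in the navigation pane to contact a Microsoft support professional. Because your organization may have a specific procedure for contacting Microsoft Product Support Services directly, be sure to review your organization's guidelines first.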
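
Before and after the renewal steps above, it helps to confirm which certificate the event refers to and whether any other SMTP certificate is close to expiry. The following script is an added example, not part of the original Microsoft article; the variable names, the 30-day warning window and the 7-day log lookback are assumptions.

```powershell
# Added example, not Microsoft's script. Run in the Exchange Management Shell
# on the server that logged the event. $WarnDays and $LookbackDays are
# assumed values; set them to match your renewal policy.
$WarnDays     = 30
$LookbackDays = 7
$now          = Get-Date

# 1. Collect the thumbprints reported by event IDs 12015 and 12017.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSExchangeTransport'
    Id           = 12015, 12017
    StartTime    = $now.AddDays(-$LookbackDays)
}
$reported = @{}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Assumption: %1 in the message text is the event's first insertion string.
    $tp = ([string]$_.Properties[0].Value).Trim()
    if ($tp -match '^[0-9A-Fa-f]{40}$') { $reported[$tp.ToUpper()] = $_.Id }
}

# 2. Check every certificate that is currently enabled for SMTP.
$report = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object {
        $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        $state = 'OK'
        if ($daysLeft -lt 0) { $state = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $state = 'EXPIRING' }
        New-Object PSObject -Property @{
            State      = $state
            DaysLeft   = $daysLeft
            NotAfter   = $_.NotAfter
            SelfSigned = $_.IsSelfSigned
            EventId    = $reported[$_.Thumbprint.ToUpper()]   # empty if not logged
            Thumbprint = $_.Thumbprint
        }
    }
$report | Sort-Object DaysLeft |
    Format-Table State, DaysLeft, NotAfter, SelfSigned, EventId, Thumbprint -AutoSize

# 3. List logged thumbprints that are no longer bound to SMTP on this server.
$known = @($report | ForEach-Object { $_.Thumbprint })
$reported.Keys | Where-Object { $known -notcontains $_ } | ForEach-Object {
    "Logged thumbprint $_ is not enabled for SMTP (already replaced or removed)."
}
```

After a successful renewal, the old thumbprint should appear only in the step 3 output and the new certificate should show State OK.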

For more information about transport certificates, see the following topics:
