MSExchangeTransport 11024


Topic last modified: 2011-11-30

This topic explains a specific Exchange event and offers possible resolutions. If you do not find what you need here, try searching Exchange 2010 Help.

Details

Product Name: Microsoft® Exchange
Product Version: 14
Event ID: 11024
Event Source: MSExchangeTransport
Category: MessageSecurity
Symbolic Name: SubjectAlternativeNameLimitExceeded
Message Text: Remote certificate with thumbprint '%1' contains '%2' subject alternative names and exceeds the limit of %3. Subject alternative names of this certificate will be ignored. The limit can be changed by either adding or modifying the SubjectAlternativeNameLimit parameter in the EdgeTransport.exe.config file.

Explanation

This event indicates that the Microsoft Exchange Transport service cannot use all of the names on the Subject Alternative Name (SAN) certificate presented by a remote system. In the event text, the thumbprint logged as %1 identifies that remote certificate, %2 is the number of SAN entries it carries, and %3 is the limit in force. Because the SAN entries are ignored, the certificate can only be matched on its subject name, so remote clients or servers may be unable to establish a TLS connection to the Hub Transport server or to the Edge Transport server over a Receive or Send connector.

Microsoft Exchange Server 2010 includes improvements to the management of TLS. TLS lets an administrator configure an encrypted channel over which to communicate with other messaging servers. Additionally, this protocol lets a server authenticate connections before messages can be sent.

For more information, see the following topics:

To support SMTP over TLS with remote servers, a Hub Transport server or Edge Transport server requires a Windows PKI certificate or a third-party certificate. When the Transport server has multiple service connection points (SCPs), the server must use one of the following configurations:

  • A separate TLS certificate for each SCP

  • A certificate that supports SAN

For more information about SAN certificates, see the following Microsoft Exchange Team blog articles:

The content of each blog and its URL are subject to change without notice. The content within each blog is provided "AS IS" with no warranties, and confers no rights. Use of included script samples or code is subject to the terms specified in the Microsoft Terms of Use.

The Microsoft Exchange Transport service can be configured to limit the number of Subject Alternative Names that it will accept on a TLS certificate. This limit is specified in the following key in the EdgeTransport.exe.config file:

<add key="SubjectAlternativeNameLimit" value="<value>" />

This event indicates that the limit in force for the Microsoft Exchange Transport service (the SubjectAlternativeNameLimit value in EdgeTransport.exe.config) is lower than the number of SAN entries on the certificate presented by the remote system (the count reported as %2 in the event).

For more information, see How to Request a Certificate With a Custom Subject Alternative Name.

User Action

To troubleshoot this issue, do one or more of the following:

  • Review the Application log and System log on the Exchange 2010 server for related events. For example, events that occur immediately before and after this event may provide more detail about the root cause of this error.

  • Examine the installed certificates to verify that the correct certificate is in use on the Transport server. Note that the thumbprint logged as %1 belongs to the certificate presented by the remote system; if that system is another Exchange server that you administer, perform these steps on that server. To view the certificates, follow these steps:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. Click Certificates, click Add, click Computer account, click Next, and then click Finish.

    4. Click OK.

    5. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

    6. In the details pane, view the certificate details to verify that the certificate reflects the publicly accessible FQDN that is used to access the server, and check the Subject Alternative Name field to see how many names it carries.

    For more information, see Understanding TLS Certificates.

  • Edit the EdgeTransport.exe.config file to modify the SAN limit. To do this, follow these steps:

    1. Start Windows Explorer, and then browse to the following folder:

      %ProgramFiles%\Microsoft\Exchange Server\V14\Bin

    2. Open the EdgeTransport.exe.config file by using any text editor, such as Notepad.

    3. Search for SubjectAlternativeNameLimit. If this key does not exist, add the following entry in the <appSettings> tag after the other entries:

      <add key="SubjectAlternativeNameLimit" value="<limit>" />

      Choose a limit that is at least the number of names reported as %2 in the event. For example, to accept certificates with up to 10 subject alternative names, add the following entry:

      <add key="SubjectAlternativeNameLimit" value="10" />

    4. Save the changes to the file, and then restart the Microsoft Exchange Transport service so that the new limit takes effect.

  • Verify that the send connector that is used to send mail to the particular domain has TLS enabled. To do this, follow these steps:

    1. Start the Exchange Management Console, and then locate the Transport server that hosts the affected connector.

    2. On the Send Connectors tab, right-click the specified connector, and then click Properties.

    3. Click the Network tab, and then verify that the Enable Domain Security (Mutual Auth TLS) check box is selected.

    4. Restart the Microsoft Exchange Transport service.

  • Verify that the Receive connector that receives mail from the particular domain has partner authentication enabled. To do this, follow these steps:

    1. Start the Exchange Management Console, and then locate the Transport server that hosts the affected connector.

    2. On the Receive Connectors tab, right-click the specified connector, and then click Properties.

    3. Click the Authentication tab, and then verify that the Transport Layer Security (TLS) and Enable Domain Security (Mutual Auth TLS) check boxes are selected.

    4. Restart the Microsoft Exchange Transport service.

  • Use the self-support options, assisted support options, and other resources to resolve your problem. You can reach these resources from the Exchange Server Solution Center. On that page, click Self-Support Options in the navigation pane to use the self-service options, which include searching the Microsoft Knowledge Base, posting a question on the Exchange Server forums, and other methods. Alternatively, click Assisted Support Options in the navigation pane to contact a Microsoft support professional. Because your organization may have a specific process for contacting Microsoft Product Support Services directly, be sure to review your organization's guidelines first.
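The certificate check and the configuration change above, as an added PowerShell example that is not part of the original topic: it reads or sets SubjectAlternativeNameLimit in EdgeTransport.exe.config, retrieves the certificate a remote SMTP server presents after STARTTLS, and counts that certificate's SAN entries so the two numbers can be compared directly. The config path under %ProgramFiles%\Microsoft\Exchange Server\V14\Bin is the one given in the topic; the host name mail.partner.example, the HELO name probe.example.com and the function names are placeholders chosen here, and the script is meant to run in an elevated PowerShell session on the Hub or Edge Transport server.

```powershell
# Added example, not part of the Exchange 2010 topic. Assumptions: Exchange binaries
# under %ProgramFiles%\Microsoft\Exchange Server\V14\Bin (as in the topic);
# 'mail.partner.example' and 'probe.example.com' are placeholder host names.

$ConfigPath = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe.config'
$SanKey     = 'SubjectAlternativeNameLimit'

# Read the configured limit from <appSettings>; returns $null when the key is absent
# (the service then uses its built-in default, which the event reports as %3).
function Get-SanLimitSetting {
    param([string]$Path = $ConfigPath)
    $xml  = [xml](Get-Content -Path $Path)
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$SanKey']")
    if ($node) { return [int]$node.GetAttribute('value') }
    return $null
}

# Add or update the key, keeping a backup of the original file. The change is only
# picked up after the Microsoft Exchange Transport service is restarted.
function Set-SanLimitSetting {
    param([Parameter(Mandatory=$true)][int]$Limit, [string]$Path = $ConfigPath)
    Copy-Item -Path $Path -Destination ($Path + '.bak') -Force
    $xml      = [xml](Get-Content -Path $Path)
    $settings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $settings) { throw "no <appSettings> section found in $Path" }
    $node = $settings.SelectSingleNode("add[@key='$SanKey']")
    if (-not $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $SanKey)
        [void]$settings.AppendChild($node)
    }
    $node.SetAttribute('value', [string]$Limit)
    $xml.Save($Path)
}

# Count the entries in the Subject Alternative Name extension (OID 2.5.29.17).
# All name types (DNS Name, IP Address, ...) count; this is the number logged as %2.
function Get-CertificateSanCount {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return 0 }
    # Format($true) yields one "DNS Name=host" style line per SAN entry.
    $lines = $ext.Format($true) -split "`r?`n" | Where-Object { $_.Trim() -ne '' }
    return @($lines).Count
}

# Fetch the certificate a remote SMTP server presents after STARTTLS. The validation
# callback returns $true because the goal is to inspect the certificate, not trust it.
function Get-RemoteSmtpCertificate {
    param([Parameter(Mandatory=$true)][string]$Server, [int]$Port = 25, [string]$HeloName = 'probe.example.com')
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true
    # SMTP replies may span several lines; the final line has a space after the code.
    $readReply = { do { $line = $reader.ReadLine() } while ($line -ne $null -and $line.Length -gt 3 -and $line[3] -eq '-'); $line }
    $banner = & $readReply
    if ($banner -notlike '220*') { throw "unexpected banner from ${Server}: $banner" }
    $writer.WriteLine("EHLO $HeloName"); [void](& $readReply)
    $writer.WriteLine('STARTTLS')
    $ready = & $readReply
    if ($ready -notlike '220*') { throw "$Server refused STARTTLS: $ready" }
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $client.Close()
    return $cert
}

# Compare the peer's SAN count with the configured limit and raise the limit if needed.
$limit = Get-SanLimitSetting
$cert  = Get-RemoteSmtpCertificate -Server 'mail.partner.example'     # placeholder host
$count = Get-CertificateSanCount -Certificate $cert
$shown = if ($limit -eq $null) { 'not set (built-in default)' } else { $limit }
"Remote certificate {0}: {1} SAN entries; configured limit: {2}" -f $cert.Thumbprint, $count, $shown
if ($limit -eq $null -or $count -gt $limit) {
    Set-SanLimitSetting -Limit $count
    Restart-Service MSExchangeTransport    # step 4 of the procedure: the limit applies only after a restart
}
```

Get-CertificateSanCount also works on a locally installed certificate taken from Get-ChildItem Cert:\LocalMachine\My, which covers the MMC inspection step above without the console. The thumbprint printed by the script is the value to match against %1 in the event.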
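The connector checks above, as an added Exchange Management Shell example that is not part of the original topic. It uses Get-SendConnector, Get-ReceiveConnector and Get-TransportConfig to report the conditions the console steps verify by hand: a Send connector whose address space covers the domain and has Domain Security enabled, the domain present in TLSSendDomainSecureList, and the chosen Receive connector with TLS and Domain Security enabled plus the domain present in TLSReceiveDomainSecureList. The domain partner.example and the connector name are placeholders; the function name is chosen here.

```powershell
# Added example, not part of the Exchange 2010 topic. Run in the Exchange Management
# Shell. 'partner.example' and 'Default HUB01' are placeholders.

# Returns a list of findings; an empty list means the connector settings match the
# procedure in the topic. Only the named Receive connectors are checked, because
# client-facing connectors are not expected to have Domain Security enabled.
function Test-DomainSecurityConfig {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [string[]]$ReceiveConnectorName = @()
    )
    $config   = Get-TransportConfig
    $findings = @()
    # MultiValuedProperty entries are SmtpDomain objects; compare them as strings.
    $sendList = @($config.TLSSendDomainSecureList    | ForEach-Object { "$_" })
    $recvList = @($config.TLSReceiveDomainSecureList | ForEach-Object { "$_" })

    # Outbound: the Send connector covering the domain must have DomainSecureEnabled
    # (the "Enable Domain Security (Mutual Auth TLS)" check box in the console).
    $send = @(Get-SendConnector | Where-Object {
        @($_.AddressSpaces | Where-Object { $_.Address -eq $Domain -or $_.Address -eq '*' }).Count -gt 0
    })
    if ($send.Count -eq 0) { $findings += "no Send connector address space covers $Domain" }
    foreach ($c in $send) {
        if (-not $c.DomainSecureEnabled) { $findings += "Send connector '$($c.Name)': Domain Security is not enabled" }
    }
    if ($sendList -notcontains $Domain) { $findings += "$Domain is not in TLSSendDomainSecureList (Set-TransportConfig)" }

    # Inbound: the Receive connector for the partner needs Tls in AuthMechanism and
    # DomainSecureEnabled. '\bTls\b' avoids matching the BasicAuthRequireTLS flag.
    foreach ($name in $ReceiveConnectorName) {
        $c = Get-ReceiveConnector -Identity $name
        if ("$($c.AuthMechanism)" -notmatch '\bTls\b') { $findings += "Receive connector '$($c.Name)': TLS is not enabled" }
        if (-not $c.DomainSecureEnabled)                 { $findings += "Receive connector '$($c.Name)': Domain Security is not enabled" }
    }
    if ($recvList -notcontains $Domain) { $findings += "$Domain is not in TLSReceiveDomainSecureList (Set-TransportConfig)" }

    return $findings
}

$findings = Test-DomainSecurityConfig -Domain 'partner.example' -ReceiveConnectorName 'Default HUB01'
if ($findings.Count -eq 0) { 'Domain Security configuration for partner.example looks complete' }
else { $findings }
```

The TLSSendDomainSecureList and TLSReceiveDomainSecureList checks go slightly beyond the console steps: enabling Domain Security on a connector is not enough on its own, the partner domain must also be listed in the transport configuration, and a script that only looks at the connector check boxes would miss that.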

For more information about how to configure TLS, see the following topics.