MSExchangeTransport 12024

Topic last modified: 2011-03-19

This topic explains a specific Exchange event and provides possible solutions. If you do not find what you need here, try searching Exchange 2010 Help.

Details

Product Name: Exchange
Product Version: 14.0
Event ID: 12024
Event Source: MSExchangeTransport
Category: TransportService
Symbolic Name: CannotLoadInternalTransportCertificateFallbackEphemeralCertificate

Message Text

Microsoft Exchange could not load the certificate with thumbprint of %1 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate %1 -services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, an ephemeral, self-signed certificate with thumbprint %2 is being used.

Explanation

This Information event indicates that the Microsoft Exchange Transport service is configured to use a particular Transport Layer Security (TLS) certificate to establish encrypted SMTP sessions in conjunction with other SMTP servers. However, the Microsoft Exchange Transport service is unable to access the configured certificate. This issue may affect SMTP traffic among Hub Transport servers and Edge Transport servers in the organization.

When the Microsoft Exchange Server 2010 Hub Transport role or Edge Transport role is installed, the Microsoft Exchange Transport service creates an internal self-signed certificate for use together with SMTP over TLS. This lets any sending system encrypt an incoming SMTP session in conjunction with Exchange 2010. By default, the following conditions apply:

  • Exchange 2010 tries to establish TLS sessions for remote SMTP connections.

  • All SMTP communications among Exchange 2010 Hub Transport servers are encrypted by using TLS certificates.

  • All authenticated SMTP traffic between Hub Transport servers and SMTP clients is encrypted by using TLS certificates.

Exchange uses the X-ANONYMOUSTLS SMTP protocol extension to encrypt SMTP traffic between Hub Transport servers and Edge Transport servers. X-ANONYMOUSTLS enables an encrypted session without requiring certificates issued from a certification authority (CA).

Note   Because X-ANONYMOUSTLS does not require certificates from a CA, the TLS session does not verify the identity of the sender or the recipient. It only encrypts the SMTP traffic.

To support SMTP over TLS with remote servers, a Hub Transport server or an Edge Transport server requires a Windows PKI certificate or a third-party certificate. You can enable the new certificate for SMTP communications to the service connection point (SCP). Typically, the SCP represents the publicly-accessible FQDN of the Hub Transport or Edge Transport server.

This event may be logged if a certificate that has been enabled for use in conjunction with SMTP over TLS has become damaged or has not been enabled for use with SMTP. In this scenario, SMTP traffic may no longer pass between certain Hub Transport servers or Edge Transport servers. For more information, see the following topics.

User Action

To troubleshoot this issue, do one or more of the following:

  • Review the Application log and the System log on the Exchange 2010 server for related events. For example, events that occur immediately before and after this event may provide more information about the root cause of this error.

  • Increase diagnostic logging for the Microsoft Exchange Transport service. To do this, run the following commands in the Exchange Management Shell:

    Get-EventLogLevel -Identity msexchangetransport

    Get-EventLogLevel -Identity msexchangetransport\* | Set-EventLogLevel -Level Expert

  • Examine the installed certificates to verify that an appropriate certificate for use for the Transport server is installed. To view the certificates, follow these steps:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. Click Certificates, click Add, click Computer account, click Next, and then click Finish.

    4. Click OK.

    5. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

    6. In the details pane, view the certificate details to verify that the certificate reflects the publicly-accessible FQDN that is used to access the server.

    For more information, see Understanding TLS Certificates.

  • If the certificate is listed in the Personal certificates store on the Transport server, enable the certificate for use for SMTP. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Run the following command to verify that the certificate thumbprint is listed:

      Get-ExchangeCertificate | fl

    3. Copy the thumbprint to the clipboard.

    4. Run the following command, pasting the thumbprint to replace the <thumbprint_of_certificate> placeholder:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_certificate> -Services SMTP

    5. If you receive an error message that resembles the following, restart the Microsoft Exchange Transport service:

      WARNING: This certificate will not be used for external TLS connections with an FQDN of 'MAIL.EXAMPLE.COM' because the CA signed certificate with thumbprint '<thumbprint>' takes precedence. The following connectors match that FQDN: Default MAIL, Client MAIL.

      To restart the Microsoft Exchange Transport service, run the following command:

      restart-service msexchangetransport

  • If you cannot renew the certificate, create and enable a new TLS certificate. To do this, follow these steps:

    1. Start the Exchange Management Shell.

    2. Run the following command to create a new certificate:

      New-ExchangeCertificate

    3. Run the following command to enable the new certificate:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP

    4. Run the following command to remove the expiring certificate:

      Remove-ExchangeCertificate -Thumbprint <thumbprint_of_expiring_certificate>

  • If you receive the following error message when you try to remove the default self-signed certificate, use the Certificates MMC snap-in to manually remove the expired self-signed certificate.

    • Remove-ExchangeCertificate: The default certificate cannot be removed.

  • To use the Certificates MMC snap-in to remove the expiring certificate, follow these steps:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in, click Certificates, click Add, click Computer account, click Next, and then click Finish.

    3. Click OK.

    4. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

    5. In the details pane, examine the expiration date and thumbprint information of each certificate. Then, delete the expiring certificate.

    6. Restart the Microsoft Exchange Transport service.

    7. Run the following command at the Exchange Management Shell to enable the new certificate:

      Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services SMTP

    8. Restart the Microsoft Exchange Transport service, and then verify that Event ID 12017 is no longer logged in the Application log.

  • If you created a new self-signed certificate on the Hub Transport server and on the Edge Transport server, you may need to reconfigure the Edge subscription. To do this, follow these steps:

    1. On the Edge Transport server, start the Exchange Management Shell.

    2. Run the following command to create a new Edge Subscription file:

      New-EdgeSubscription -FileName "C:\EdgeSubscription-1.xml"

    3. Copy the EdgeSubscription-1.xml file to the Hub Transport server.

    4. On the Hub Transport server, start the Exchange Management Console.

    5. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

    6. In the details pane, click Edge Subscriptions, and then click New Edge Subscription in the Actions pane.

    7. Click Browse next to Active Directory Site, click the appropriate site, and then click OK. For example, click Default-First-Site-Name.

    8. Click Browse next to Subscription file, and then click the EdgeSubscription-1.xml file that you copied to the Hub Transport server, and then click OK.

    9. Click Next, and then click Finish.

  • Use the self-support options, assisted-support options, and other resources to resolve your issue. You can access these resources from the Exchange Server Solutions Center. On that page, click Self-Support Options in the navigation pane to use the self-service options. Self-service options include searching the Microsoft Knowledge Base, posting a question on the Exchange Server forums, and other methods. Alternatively, click Assisted Support Options in the navigation pane to contact a Microsoft support professional. Because your organization may already have a specific process for contacting Microsoft Product Support Services directly, be sure to review your organization's guidelines first.
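The following script is an added example and is not part of the original topic or of Microsoft's own tooling. It performs the triage described above in one read-only pass: it reads the newest 12024 event, extracts the %1 (configured) and %2 (ephemeral) thumbprints from the message text, checks whether %1 still exists in the computer's Personal store and, if it does, why Transport could not use it (private key, expiry, SMTP enablement, status, FQDN coverage), then prints which remediation branch from the steps above applies. It assumes the Exchange 2010 Management Shell with the standard ExchangeCertificate properties (Services, Status, CertificateDomains) and uses the local machine's DNS FQDN as the name the certificate should carry; wildcard names are not expanded.

```powershell
# Added example (not from the original topic): read-only triage of the newest
# MSExchangeTransport 12024 event. Run in the Exchange Management Shell on the
# affected Hub or Edge Transport server. Nothing is changed; it only prints findings.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumption: expected certificate name
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchangeTransport'; Id = 12024 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $ev) { Write-Host 'No event 12024 in the Application log; nothing to triage.'; return }

# %1 (configured certificate) and %2 (ephemeral fallback) appear as 40 hex digits in the message text
$thumbs = @([regex]::Matches($ev.Message, '[0-9A-Fa-f]{40}') | ForEach-Object { $_.Value.ToUpper() })
$wanted = $thumbs[0]
Write-Host ("12024 logged {0}: configured thumbprint {1}, ephemeral fallback {2}" -f $ev.TimeCreated, $wanted, $thumbs[1])

# Branch 1: the certificate is gone from the Personal store -> restore or reissue it.
$inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $inStore) {
    Write-Host 'Certificate not found in the Personal store.'
    Write-Host 'Next step: Import-ExchangeCertificate from backup, or issue a replacement and enable it for SMTP:'
    Write-Host ("  New-ExchangeCertificate -DomainName {0} -Services SMTP" -f $fqdn)
    return
}

# Branch 2: it exists; collect reasons Transport may be unable to use it.
$problems = @()
if (-not $inStore.HasPrivateKey) { $problems += 'no private key is associated (damaged, or imported without its key)' }
if ($inStore.NotAfter -lt (Get-Date)) { $problems += ('expired on {0}' -f $inStore.NotAfter) }
elseif ($inStore.NotAfter -lt (Get-Date).AddDays(30)) { $problems += ('expires soon: {0}' -f $inStore.NotAfter) }

$xc = Get-ExchangeCertificate -Thumbprint $wanted -ErrorAction SilentlyContinue
if ($xc) {
    if ("$($xc.Services)" -notmatch '\bSMTP\b') { $problems += ('not enabled for SMTP (Services = {0})' -f $xc.Services) }
    if ($xc.Status -ne 'Valid') { $problems += ('Exchange reports status {0}' -f $xc.Status) }
    $names = @($xc.CertificateDomains | ForEach-Object { "$_" })     # wildcard names are not expanded
    if ($names -notcontains $fqdn) { $problems += ('does not cover this server FQDN {0} (has: {1})' -f $fqdn, ($names -join ', ')) }
} else {
    $problems += 'present in the store but not returned by Get-ExchangeCertificate'
}

if ($problems.Count -eq 0) {
    Write-Host 'No defect detected; re-enable the certificate for SMTP, restart transport, then re-check the log:'
} else {
    Write-Host 'Findings:'; $problems | ForEach-Object { Write-Host ("  - {0}" -f $_) }
    Write-Host 'If the certificate cannot be renewed, replace it (New-, Enable-, then Remove-ExchangeCertificate); otherwise:'
}
Write-Host ("  Enable-ExchangeCertificate -Thumbprint {0} -Services SMTP" -f $wanted)
Write-Host '  Restart-Service MSExchangeTransport'
```

After applying the printed remediation, confirm that the ephemeral thumbprint (%2) no longer appears in new transport events and that Get-ExchangeCertificate shows SMTP among the Services of the intended certificate.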

For more information about transport certificates, see the following topics:

The content of each blog and its URL are subject to change without notice. The content within each blog is provided "AS IS" without warranties and confers no rights. Use of included script samples or code is subject to the terms specified in the Microsoft Terms of Use.