MSExchangeTransport EID 12013
We keep getting this error on our Exchange server:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12013
Date: 9/24/2008
Time: 9:51:28 AM
User: N/A
Computer: MERCURY
Description:
Microsoft Exchange couldn't find a certificate with a thumbprint of 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9 in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9 -services SMTP to resolve the issue. If the certificate doesn't exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by using New-ExchangeCertificate -domainname serverfqdn -services SMTP.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9 thumbprinted certificate was a self-generated one that I made with an improper flag that I later deleted. I did not actually *attach* it to anything (never set it in IIS or whatnot) or generally use it, at all. I made it in the console and later deleted it in the console. After deleting it, these errors have been flooding our logs. How do I make them go away? We have no internal or external mailflow problems, just a very annoying error log. We do have a new certificate in place to replace it, as well, and it seems to be working just fine...

Any ideas?

Thanks!

EDIT: P.S., I've rebooted and that didn't help!
September 24th, 2008 5:13pm
Hi,
Try this:
- generate a new certificate using the New-ExchangeCertificate PowerShell command
- then check this TechNet article
- export the new certificate
- import it in the Trusted Root Certification Authority in your certificate store
Regards,
Johan
blog: www.johanveldhuis.nl
September 24th, 2008 9:01pm
I just tried your steps and I have continued to see the errors coming in. Should I need to do anything else, such as restart a particular service? Thanks.
September 24th, 2008 9:25pm
Dear customer:
In order to better troubleshoot the issue, please help collect the following information:
1. Did you install Exchange server 2007 SP1?
2. How many Exchange 2007 servers did you deploy? Did you install Edge transport server?
3. On Exchange server 2007, open EMS, run the following command and post the result into the forum for analysis.
Get-exchangecertificate | fl *
4. "I made it in the console and later deleted it in the console." Does this mean that you deleted the self-signed certificate from the Certificates MMC snap-in?
5. On the problematic Exchange server 2007, perform the following steps:
a) Click Start, click Run, type mmc, and then click OK.
b) In the File menu, click Add/Remove Snap-in.
c) In the Add/Remove Snap-in box, click Add.
d) In the Available Standalone Snap-ins list, click Certificates, and then click Add.
e) Click Computer Account, and then click Next.
f) Click the Local computer (the computer this console is running on) option, and then click Finish.
g) Click Close, and then click OK.
h) Navigate to Personal > Certificates, double-click a certificate in the right pane, click the Details tab, check the Thumbprint section, and record the thumbprint.
i) Repeat step h for each certificate until you find a certificate whose thumbprint is equal to 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9.
j) If you didn't find a certificate whose thumbprint is equal to 0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9, it means that you deleted the certificate.
6. On the problematic Exchange server 2007, run the following command, wait for the issue to reproduce, save the application log as an .evt file, and send it to v-rocwan@microsoft.com for analysis:
Set-EventLogLevel MSExchangeTransport\TransportService -Level 7
Thanks for your cooperation.
Note: when you send e-mail to me, please add the subject of the post.
Rock Wang - MSFT
September 25th, 2008 9:18am
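The manual thumbprint check in steps 5(a) to 5(j) of the reply above can also be done from the Exchange Management Shell. This is an added example, not part of the original reply or of Microsoft's script; the helper name Normalize-Thumbprint is hypothetical, and the thumbprint is the one from the event text on this page.

```powershell
# Thumbprint reported in event 12013 (taken from the post above).
$wanted = '0D8BD4F7DD4D45AB3E9977B0C13651BC49D810A9'

# Hypothetical helper: thumbprints copied from the MMC Details tab contain
# spaces and can carry an invisible leading character, so keep only the hex
# digits and upper-case them before comparing.
function Normalize-Thumbprint {
    param([string] $Value)
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpper()
}

# Read every certificate in the computer's Personal store (LocalMachine\My),
# the same store the MMC steps browse.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store My, LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$certs = @($store.Certificates)
$store.Close()

# List what is present, so the output can be compared with Get-ExchangeCertificate.
$certs | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey | Format-Table -AutoSize

# Look for the thumbprint named in the event.
$target = Normalize-Thumbprint $wanted
$match = @($certs | Where-Object { (Normalize-Thumbprint $_.Thumbprint) -eq $target })

if ($match.Count -gt 0) {
    Write-Host "Certificate $target is still in LocalMachine\My."
}
else {
    Write-Host "Certificate $target is not in LocalMachine\My (it was deleted)."
}
```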
Dear customer:
Please run the following command and send the txt file to me for analysis.
Get-exchangeCertificate | fl * >c:\cer.txt
Your information is important for me to troubleshoot the issue.
In addition, did you enable SMTP service for the new self-signed certificate?
You can upload your application log into the following location, I have sent password to you.
https://sftasia.one.microsoft.com/choosetransfer.aspx?key=1ffb0cf8-d8db-46ca-b871-d71e8cbd4248
Thanks for your cooperation.
Rock Wang - MSFT
September 26th, 2008 3:15pm
Dear customer:
Sorry for the inconvenience, I haven't received your log file; please upload it to the following location again. I have sent the password to you.
URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=e256fa2a-b0ce-45f2-9472-53d390f2df08
Thanks for your cooperation.
Rock Wang - MSFT
October 6th, 2008 11:49am
Dear customer:
Please run the following command and send the txt file to me for analysis.
Get-exchangeCertificate | fl * >c:\cer.txt
Thanks for your cooperation.
Rock Wang - MSFT
October 9th, 2008 11:38am
Dear customer:
I received your log file. According to your txt file, it seems ok.
In order to better troubleshoot the issue, please help collect the following information:
1. On the problematic Exchange server 2007, perform the following steps:
a) Click Start, click Run, type mmc, and then click OK.
b) In the File menu, click Add/Remove Snap-in.
c) In the Add/Remove Snap-in box, click Add.
d) In the Available Standalone Snap-ins list, click Certificates, and then click Add.
e) Click Computer Account, and then click Next.
f) Navigate to Certificates (Local Computer) > Personal > Certificates, go to the far right pane, and send a screenshot of it to me.
g) Select a certificate, double-click it, click Details, select Thumbprint, and send a screenshot of it to me.
h) Repeat step g for each certificate and send a screenshot of each to me.
Note: when you send e-mail to me, please let me know the subject of the post.
Thanks for your cooperation.
Rock Wang - MSFT
October 13th, 2008 3:14pm
Dear customer:
Thanks for your reply. The screenshots that you sent to me look normal.
Try the following steps and send the result to me for analysis:
1. Create a custom script by copying the text below and save it as certlib.ps1 and then follow the instructions below to install it.
**********The Script Text**********
# Load the .NET assemblies used below; $tmp only swallows the return value.
$tmp = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices");
$tmp = [System.Reflection.Assembly]::LoadWithPartialName("System.Text");
$tmp = [System.Reflection.Assembly]::LoadWithPartialName("System.Security");

# Return the SHA-256 hash of a byte array.
function Compute-Hash {
    Param ([Byte[]] $bytes = $null)
    $hasher = new-object System.Security.Cryptography.SHA256Managed;
    $hasher.ComputeHash($bytes);
}

# Format a byte array as space-separated hex pairs.
function Write-Bytes {
    Param ([Byte[]] $bytes = $null)
    $str = $null;
    foreach ($byte in $bytes) {
        $str = $str + [System.String]::Format("{0:X2} ", $byte);
    }
    $str;
}

function FromBase64 {
    Param ([String] $instr = $null)
    [System.Convert]::FromBase64String($instr)
}

function ToBase64 {
    Param ([Byte[]] $inbytes = $null)
    [System.Convert]::ToBase64String($inbytes)
}

function GetMachineName {
    (Get-WmiObject Win32_ComputerSystem).Name;
}

# Pick the directory to query: ADAM on localhost:50389 for an Edge server, AD otherwise.
function GetLDAPPrefix {
    $machineName = GetMachineName;
    $exserver = get-ExchangeServer $machineName;
    if ($exserver.IsEdgeServer) {
        $ldapprefix = "LDAP://localhost:50389/";
        write-host "Running on an Edge Server - pulling cert details from Adam";
    }
    else {
        $ldapprefix = "LDAP://";
        write-host "Not running on Edge - getting cert details from AD";
    }
    $ldapprefix;
}

function GetRootDSE {
    $ldapprefix = GetLDAPPrefix;
    $rootdse = new-object System.DirectoryServices.DirectoryEntry ($ldapprefix + "RootDSE");
    $rootdse;
}

# Find the msExchExchangeServer object for the named server in the configuration partition.
function GetExchangeServerObject {
    Param ([System.String] $machinename = $null)
    $rootdse = GetRootDSE;
    write-host $rootdse;
    $ds = new-object System.DirectoryServices.DirectorySearcher;
    $ldapprefix = GetLDAPPrefix;
    $ds.SearchRoot = new-object System.DirectoryServices.DirectoryEntry ($ldapprefix + $rootdse.ConfigurationNamingContext);
    # Each clause of an LDAP filter needs its own parentheses.
    $ds.Filter = "(&(objectclass=msExchExchangeServer)(cn=$machinename))";
    write-host $ds.Filter;
    $ds.SearchScope = [System.DirectoryServices.SearchScope]::Subtree;
    $server = $ds.FindOne();
    $server;
}

# Return the certificate stored in the server's msExchServerInternalTLSCert attribute.
function GetTLSCertFromAD {
    Param ([System.String] $server = $null)
    # A [String] parameter turns $null into "", so test for empty as well.
    if ([System.String]::IsNullOrEmpty($server)) {
        write-error "GetTLSCertFromAD - Must provide server parameter";
        return $null;
    }
    $serverobj = GetExchangeServerObject $server
    write-host "Getting Prop";
    $tlscert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $serverobj.Properties["msexchserverinternaltlscert"][0];
    $tlscert;
}

# Return the certificate with the given thumbprint from the computer's personal store.
function GetCertforThumbprint {
    Param ([String] $print = $null)
    if ([System.String]::IsNullOrEmpty($print)) {
        write-error "GetCertforThumbprint";
        return $null;
    }
    $certstore = new-object System.Security.Cryptography.X509Certificates.X509Store My,LocalMachine;
    $certstore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly);
    foreach ($curCert in ($certstore.certificates)) {
        if ($curCert.Thumbprint -eq $print) {
            $curCert;
        }
    }
    $certstore.Close();
}
**********End Of Script Text**********
2. Run the following steps to check the msExchServerInternalTLSCert value in AD:
a. Save the attached file to the c:\ drive
b. In the Exchange management shell change to the c:\ directory and run the command: . c:\certlib.ps1
Note: In Step b, the command is period space c:\certlib.ps1
c. Run the following command: GetTLSCertfromAD "server name" | fl >c:GetTLSCertfromAD.txt
Replace "server name" with your Exchange server name.
d. Make a note of the thumbprint for the certificate displayed.
e. Send the GetTLSCertfromAD.txt file to me.
In addition, please help collect the following information:
1. When did you install Exchange server 2007? Is it before 9/11/2008?
Thanks for your cooperation.
Rock Wang - MSFT
October 13th, 2008 4:19pm
Dear customer:
The script will not take down or remove functionality from the server. It just determines the thumbprint of the Direct Trust certificate.
Thanks!
If anything is unclear, please feel free to let me know.
Rock Wang - MSFT
October 14th, 2008 4:38am