TLS Certificate Issue
Hi All,

I am using Windows Server 2008 R2 Ent. I am configuring IIS as SMTP Virtual Server to forward mails to Google Apps. I need a TLS Certificate for a secure connection. How and from where should I obtain it for this server? Or how should I generate it on the server?

In the Access tab, under Secure Connection, I can see: "TLS is not available without a certificate." and Require TLS Encryption is disabled.

And in Event Viewer I can see this log entry: "No usable TLS server certificate for SMTP virtual server instance '2' could be found. TLS will be disabled for this virtual-server"

Please help me to solve this, as I don't know anything regarding obtaining or creating a TLS Certificate.

Thanks & Regards,
Ishan
December 15th, 2011 6:01am

Hi,

From the problem description, I understand that TLS is not available without a certificate in the Secure Connection Tab under the Access Tab. Just like the figure as follows:

If you would like to generate the certificate on your Windows Server 2008 R2, you need to install the Active Directory Certificate Services by adding the role. For detailed information about ADCS, here is a link for your reference:

Title: Active Directory Certificate Services Step-by-Step Guide
URL: http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

After installing the ADCS, you will find the Secure Communication could be set now:

Note: During the setup processing of the ADCS, please pay attention to some detailed instructions.

I hope the information provided above is helpful to you.

Regards,
James
James Xiong, TechNet Community Support
December 16th, 2011 4:05am

Hi James,

I read the Active Directory Certificate Services Step-by-Step Guide. I am also trying to do these steps. These steps require a Domain Controller to be set up. We don't have a Domain Controller currently. Is it possible to do this without a domain controller?

Thanks & Regards,
Ishan
December 20th, 2011 6:06am

Hi,

From your last reply, I noticed that there is no available Domain Controller in your organization. Based on my research, I noticed that there is another useful article about installing a server certificate for TLS Encryption for your reference:

Title: Installing a server certificate for TLS Encryption
URL: http://winintro.ru/mail.en/html/7d31d716-2f99-4b23-a18c-0eaa08a28dde.htm

Note: The CA is required before installing a server certificate. Since you don't have an available Domain Controller, I think a third party online CA will be under your consideration list.

At the same time, there are some methods for securing the SMTP virtual server; you could refer to the link below:

Title: Securing SMTP Virtual Servers
URL: http://technet.microsoft.com/en-us/library/cc737604(WS.10).aspx

Note: The link above applies to Windows Server 2003, but some configurations are also available in the Windows Server 2008 scenario.

I hope the information provided above is helpful to you.

Regards,
James
James Xiong, TechNet Community Support
December 22nd, 2011 3:45am

Hi,

Any update?

James
James Xiong, TechNet Community Support
December 25th, 2011 7:59pm

Hey James,

I followed the following steps:

Procedure 1: To request and install a server certificate to provide TLS encryption for all SMTP virtual server communication when you have an online CA

1. Click Start, click Run, type MMC in the Open text field and press Enter. A default Microsoft Management Console (MMC) opens. -->Done
2. Click the File menu, and then click Add/Remove Snap-in. -->Done
3. Select Certificates from the Available snap-ins menu, and then click Add>. On the Certificates snap-in dialog box, select Computer account, and then click Finish. Click OK. -->Done
4. Expand Certificates (Local Computer). Select Personal. Right-click, and then select All Tasks and Request New Certificate. The Certificate Enrollment wizard starts. -->Done (But blank, no entries, just the Add New option available)
5. On the Before You Begin page, click Next. -->Done
6. On the Request Certificates page, select the box next to Computer. Click the double chevron icon next to Details, and then select Properties. -->Not able to see the Request Certificates page. If clicked on Add New --> Asking for Certificate Enrollment Policy Server Configuration. --> ENTER Enrollment Policy Server URI

What entries to make in the Enrollment Policy Server URI field??

Procedure 2: To request and install a server certificate to provide TLS encryption for all SMTP virtual server communication when you have an offline CA

1. Click Start, click Administrative Tools, and select Internet Information Services (IIS) Manager to open the IIS 7.0 Manager. -->Done
2. Select the server node. -->Done
3. In the Features pane, select Server Certificates. In the Actions pane, select Open Feature. -->Done
4. In the Actions pane, select Create Certificate Request. The Certificate Request wizard starts. -->Done
5. On the Distinguished Name Properties page, complete all fields, and then click Next. -->
   Common Name: smtp.gmail.com
   Organization: Organization's name
   Organization Unit: Unit name
   City: City name
   State: State name
   Country: Country Name
6. On the Cryptographic Service Provider Properties page, verify that Microsoft RSA SChannel Cryptographic Provider is selected and that Bit Length is set to 1024. Click Next. -->Done
7. On the File Name page, locate where you want to save the file, and provide a name for the file. The file will have a .txt extension. Click Finish. -->Done
8. Submit the file to your CA. When the administrator has issued the certificate, a file that has the .cer extension is returned to you. -->Done
9. In IIS Manager, select the server node. In the Features pane, select Server Certificates. In the Actions pane, select Complete Certificate Request. -->Done
10. On the Specify Certificate Authority Response page, type the file path and name of the *.cer file or browse to the file location, select the file, and then click Open. Click OK to install the certificate. -->Done
11. Now checked in IIS (SMTP Virtual Server) 6.0 Access Tab - TLS Certificate --> No Success.

So got stuck again...

Thanks & Regards,
Ishan
January 2nd, 2012 7:48am

Hi,

Now I downloaded makecert.exe. Now I am going to try with Procedure 3: To create and install a self-signed server certificate to provide TLS encryption for all SMTP virtual server communication.

I need information regarding the parameters that I should use to generate the certificate. What should be my command?

(And one more thing that might be useful for others: there is no need to download the whole SDK to get makecert.exe. Use the web installer (winsdk_web.exe) and uncheck everything except Tools. Size: about 85MB. File: C:/Program Files/Microsoft SDKs/Windows/v7.1/Bin/ and it needs to be run as Administrator.)

Thanks & Regards,
Ishan
January 4th, 2012 6:14am

Hi there,

I had the same issue in our integration and test environment. I found out that the key to success is to have a certificate that shows the FQDN of the SMTP server. This certificate needs to have the purpose of "server authentication". Good news is that you can create self-signed server certificates from within IIS Manager. Having created one will enable the checkbox for TLS authentication.

Regards,
Sven
November 14th, 2012 5:46pm
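
A way to check the two conditions named in the last reply (subject shows the SMTP server's FQDN, purpose includes server authentication) against the local machine's Personal store. This is an added example, not code from any poster in the thread; `$SmtpFqdn` is a placeholder value, and the private-key and validity-date checks are added here as assumptions about what a usable server certificate needs.

```powershell
# Added example, not from the thread. $SmtpFqdn is a placeholder: set it to the
# fully-qualified domain name configured on the SMTP virtual server.
param([string]$SmtpFqdn = 'smtp01.example.test')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Name check: subject CN, or a DNS entry in the SAN extension if present.
    # SAN text is localized; the pattern assumes the English "DNS Name=..." form.
    $cn  = $cert.GetNameInfo($nameType, $false)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }
    $pattern = '(^|=)' + [regex]::Escape($SmtpFqdn) + '(,|$)'
    $nameOk = ($cn -eq $SmtpFqdn) -or ($sanText -match $pattern)

    # Purpose check: a certificate with no EKU extension is valid for all
    # purposes; otherwise Server Authentication must be listed.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $purposeOk = $true
    if ($eku) {
        $purposeOk = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
    }

    # Added assumptions: the key must be on this machine and the dates current.
    $dateOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    $keyOk  = $cert.HasPrivateKey

    New-Object PSObject -Property @{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cn
        NameMatchesFqdn = $nameOk
        ServerAuth      = $purposeOk
        InValidity      = $dateOk
        HasPrivateKey   = $keyOk
        Usable          = ($nameOk -and $purposeOk -and $dateOk -and $keyOk)
    } | Select-Object Thumbprint, Subject, NameMatchesFqdn, ServerAuth,
                      InValidity, HasPrivateKey, Usable
}
```

Run it from an elevated prompt on the SMTP server; a row with `NameMatchesFqdn` set to False means the certificate's subject does not carry the virtual server's FQDN.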

This topic is archived. No further replies will be accepted.
