Question
Thursday, August 30, 2018 10:06 AM
Hi,
I've the following situation:
2 Exchange 2016 Servers (EX01,EX02)
1 Mailbox Database (synchronized with DAG on both Servers)
DNS Round Robin for External Access (HTTPS,POP3S,IMAPS,SMTPS)
1 Wildcard Certificate (on the Exchange system I use only the name outlook.mydomain.com)
Everything works as expected but I have Issues with POP/IMAP when I change the active Member of the Mailbox database to EX02.
So when EX02 is active, all POP/IMAP Users get the Prompt that their password is not correct and cannot connect anymore. I've investigated the situation and found the following:
EX02 throws the following error message every time a client connects via POP/IMAP:
EVENTID: 1102
Source: MSExchangePOPBE
The POP3 service failed to connect using SSL or TLS encryption. No valid certificate is configured to respond to SSL/TLS connections. Check the configured host name as well as which certificates are installed in the Personal Certificates store of the computer.
I've verified that the certificate is stored on both personal certificate stores of both servers.
It seems that when POP clients are trying to connect to EX02 they are smart enough to connect directly to EX01's DNS Round Robin name after this message is generated in the log of EX02, since I hear no complaints when the Mailbox Database is active on EX01.
I've compared the complete configuration on both servers regarding POP and certificates and both are identical. The only difference is that EX01 (good server) has one more AccessRules entry in its get-exchangecertificate output:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {*.mycompany.com, mycompany.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=AlphaSSL CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
NotAfter : 22.10.2018 16:04:38
NotBefore : 22.10.2015 16:04:38
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Services : IIS
Status : Valid
Subject : CN=*.mycompany.com, OU=Domain Control Validated
Thumbprint : 0C00XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I know that under "Services" only the IIS service is listed and not POP/IMAP, but this is normal for wildcard certificates. I had to assign the correct X509CertificateName with set-popsettings.
Comparing these access rules on both servers gives the following difference:
CryptoKeyRights : Synchronize, GenericAll, GenericRead
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
**********THIS ONE IS ONLY ON EX01 **************
CryptoKeyRights : Synchronize, GenericRead
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Netzwerkdienst
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
*************************************************
CryptoKeyRights : Synchronize, GenericAll, GenericRead
AccessControlType : Allow
IdentityReference : VORDEFINIERT\Administratoren
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
CryptoKeyRights : Synchronize, GenericRead
AccessControlType : Allow
IdentityReference : S-1-5-5-0-123345
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
Do you think that this could be something related to my issue? If yes, how can I add this permission via PowerShell on EX02? Do you have other suggestions?
As said, the Issue is only related to POP/IMAP. Everything else like MAPI/RPC/SMTPS work without any issue on both MBX Servers.
Thank you very much for your help!
Regards
Simon
All replies (4)
Thursday, August 30, 2018 1:33 PM ✅ Answered
FINALLY I SOLVED THE ISSUE ON MY OWN!!!!
It had exactly something to do with these AccessRules that showed up different on the servers.
My fault was that when I set up these 2 servers I first tried to enable the wildcard certificate on EX01 with IIS,POP,IMAP,SMTP services, then got the warning as seen above (".. cannot used for POP SSL/TLS connections ..") and because of that warning I skipped this enabling for POP,IMAP on EX02. And exactly that was the issue.
I now enabled the POP,IMAP service for my wildcard certificate ALSO ON EX02 and everything works now on both servers. And now EX02 also has these 4 access rules on the cert, same as EX01.
Hope that my response can help someone else in the same situation.
IMHO Microsoft should also make it visible if the wildcard certificate is enabled for POP/IMAP. Also they could update the warning message to say that I ADDITIONALLY have to execute the set-popsettings command. This would clarify it.
Thank you!
Regards
Simon
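The per-member check and fix that the accepted answer describes, as an added PowerShell example that is not code from the thread or from Microsoft; it assumes the Exchange Management Shell, the EX01/EX02 names and outlook.mydomain.com from the question, and a placeholder thumbprint.

```powershell
# Added example (not from the thread): verify on EVERY DAG member that the
# wildcard cert is bound to POP/IMAP and that the back end advertises an FQDN.
# The log quoted later in the thread shows EX01 proxying to EX02:1995 over SSL,
# so a member that is not bound fails as soon as its database copy goes active.
$Servers     = 'EX01', 'EX02'
$Thumbprint  = '0C00XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'   # placeholder, as in the question
$ServiceFqdn = 'outlook.mydomain.com'                    # FQDN clients connect to

foreach ($Server in $Servers) {
    Write-Host "== $Server =="

    # 1. Is the certificate present and enabled for POP and IMAP on this member?
    $Cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
    if (-not $Cert) { Write-Host "  certificate NOT in this server's store"; continue }
    $Services = $Cert.Services.ToString()
    $Bound = ($Services -match 'POP') -and ($Services -match 'IMAP')
    Write-Host ("  Services on cert : {0}  (POP+IMAP bound: {1})" -f $Services, $Bound)

    # 2. Does the POP/IMAP back end advertise the FQDN rather than the wildcard subject?
    $Pop  = Get-PopSettings  -Server $Server
    $Imap = Get-ImapSettings -Server $Server
    Write-Host "  POP  X509CertificateName : $($Pop.X509CertificateName)"
    Write-Host "  IMAP X509CertificateName : $($Imap.X509CertificateName)"

    # 3. Remediate what the accepted answer fixed: bind the cert on this member too,
    #    then set the service name to the FQDN (the wildcard subject is rejected,
    #    which is what the warning quoted in the thread says).
    if (-not $Bound) {
        Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services POP,IMAP
    }
    if ($Pop.X509CertificateName -ne $ServiceFqdn) {
        Set-PopSettings  -Server $Server -X509CertificateName $ServiceFqdn
    }
    if ($Imap.X509CertificateName -ne $ServiceFqdn) {
        Set-ImapSettings -Server $Server -X509CertificateName $ServiceFqdn
    }
    # Settings changes take effect after restarting MSExchangePOP3/MSExchangePOP3BE
    # and MSExchangeIMAP4/MSExchangeIMAP4BE on that server.

    # 4. Detection: recent MSExchangePOPBE 1102 events mean clients are still landing
    #    on a member that has no usable SSL/TLS certificate for POP.
    $Events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchangePOPBE'; Id = 1102
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue
    Write-Host ("  MSExchangePOPBE 1102 events (24h): {0}" -f @($Events).Count)
}
```

Run it once before and once after a database switchover to EX02; the 1102 count on the newly active member should stay at zero.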
Thursday, August 30, 2018 12:42 PM
Did you validate that the certificate is actually assigned to the POP and IMAP service using the get-exchangecertificate command?
MCSA exchange 2016 | MCTS exchange 2013 | MCTS-MCITP exchange 2010 | MCTS-MCITP Exchange: 2007 | MCSA Messaging: 2003 | MCP windows 2000
Thursday, August 30, 2018 12:54 PM
As said, IMHO since I use a wildcard certificate the certificate does not show up there.
When I try to enable the wildcard certificate for POP/IMAP I get the warning:
WARNING: This certificate with thumbprint XXXXXXXXXX and subject '*.mydomain.com' cannot used
for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-POPSettings to set X509CertificateName to the FQDN of the service
Output from EX01 get-exchangecertificate (functional Server):
Thumbprint Services Subject
0C00F02XXXXXXXXXXXXXXXXXX ...W... CN=*.mydomain.com, OU=Domain Control Validated
As you see, there is only "W" = IIS assigned.
Don't know if the issue is related to the wildcard situation.
One additional note:
I am seeing also the following log entries on EX01 when the database is active on EX02:
2018-08-30T12:49:37.566Z,00000000000009DE,2,10.201.3.3:995,88.149.250.103:32246,[email protected],1,29,5,user,[email protected],R=OK,
2018-08-30T12:49:37.669Z,00000000000009DE,3,10.201.3.3:995,88.149.250.103:32246,69590,61,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=Proxy:EX02.mydomain.int:1995:SSL;ErrMsg=ProxyNotAuthenticated",
2018-08-30T12:49:37.710Z,00000000000009DE,4,10.201.3.3:995,88.149.250.103:32246,69590,0,0,0,CloseSession,,,
Thursday, August 30, 2018 1:16 PM
Hmm, I found another entry on TechNet where someone says that:
"Unfortunately, wildcard certificates does not support IMAP and POP services".
Can someone officially confirm that?
I think this is wrong. Why would Microsoft then create the warning as seen above to use the X509 value?