Revocation check failed status in certificate on Exchange 2013

Hi,
We got an error on the certificate that we got from GoDaddy for Exchange 2013. It was working fine earlier, but now the status shows an error that the revocation check failed, and because of that users are getting a certificate error in Outlook.
Please suggest how to fix this issue.

We've had this error before, and it was solved by configuring the proxy settings.
> via netsh winhttp set proxy
> set-exchangeserver InternetWebProxy setting (don't know if still applicable in Exchange 2013)
> iexplorer proxy settings
PS: You can also check the CRL location when you take a look at the properties of the certificate (CRL distribution points).

Similar Messages

  • Exchange 2010 - The certificate status could not be determined because the revocation check failed.

    I have tried everything I have found online to get my DigiCert to work.
    I have exported the cert and imported it into my child domains and they look perfect.
    It is just my parent domain having issues.
    netsh winhttp show proxy
    does show my correct proxy server for http and https and port 8080
    I have tried name, FQDN and IP address.
    In the Bypass-list I have tried none, *.domain.com, and a list of all domains and child domains in my forest.
    I have flushed the cache
    certutil -urlcache crl delete
    certutil -urlcache ocsp delete
    and rebooted the Exchange 2010 (Windows 2008 R2) server
    No matter what, I still see in my Server Configuration for the parent domain's DigiCert cert the message
    The certificate status could not be determined because the revocation check failed.
    with a red X on the left hand icon.  Again, Child domains all say "The certificate is valid for Exchange Server usage."
    Note: In spite of having the red X, I was able to assign via EMS the services.
    Webmail works fine.  Outlook Anywhere fails... I suspect it is due to my red X problem.
    Suggestions?
    Thanks in Advance
    Jim.

    I have contacted DigiCert and they said the cert is working per their utility, hence the problem is outside the scope of their support.
    I have followed, several times, http://support.microsoft.com/kb/979694
    http://www.digicert.com/help/  reports all is well.
    The DigiCertUtil.exe reports all is well and happy.
    I have run
    netsh winhttp set proxy proxy-server="http=myproxy:8080;https=myproxy:8080" bypass-list="*.mydomain.com"
    Current WinHTTP proxy settings:
        Proxy Server(s) :  http=myproxy:8080;https=myproxy:8080
        Bypass List     :  *.mydomain.com
    I have flushed the cache using the commands
    certutil -urlcache crl delete
    certutil -urlcache ocsp delete
     I still see in my Server Configuration for the parent domain's DigiCert cert the message
    "The certificate status could not be determined because the revocation check failed."
    with a red X on the left hand certificate icon. 
    To verify the cert via command line:
    certutil -verify -urlfetch c:\mail_domain_com.cer
    LoadCert(Cert) returned ASN1 bad tag value met. 0x8009310b (ASN: 267)
    CertUtil: -verify command FAILED: 0x8009310b (ASN: 267)
    CertUtil: ASN1 bad tag value met.
    I suspect this is why I cannot get Outlook Anywhere to connect.
    Child domains show a happy certificate icon. Parent domain does not.
    Still scratching my head.
    Thanks all!
    Jim.

  • EMC - Certificate status could not be determined because revocation check failed.

    I've exhausted my resources on this issue and am reaching out for some assistance. I have set up Server 2008 R2 Enterprise SP1, running Exchange 2010 SP1. In EMC I have successfully imported a GoDaddy SSL certificate. Although I am receiving the message -
    "The certificate status could not be determined because the revocation check failed."
    Here are the steps I've taken to troubleshoot this so far:
    [PS] C:\Users\Administrator\Desktop>netsh winhttp show proxy
    Current WinHTTP proxy settings:
    Direct access (no proxy server).
    As you can see, direct access. Which is true, no proxies on this network.
    For good measure, I'll dump the urlcache.
    certutil -urlcache ocsp delete
    certutil -urlcache crl delete
    Both return 0, reboot server.
    Comes back up, same message in EMC.
    From PS, I test exactly what it's getting from GoDaddy.
    [PS] C:\Users\Administrator\Desktop>certutil -f -urlfetch -verify mail.fluxlabs.net.crt
    Issuer:
    SERIALNUMBER=07969287
    CN=Go Daddy Secure Certification Authority
    OU=http://certificates.godaddy.com/repository
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
    Subject:
    CN=mail.fluxlabs.net
    OU=Domain Control Validated
    O=mail.fluxlabs.net
    Cert Serial Number: 27b60918638e0d
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotBefore: 8/20/2011 7:49 PM
    NotAfter: 8/20/2012 7:16 PM
    Subject: CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
    Serial: 27b60918638e0d
    SubjectAltName: DNS Name=mail.fluxlabs.net, DNS Name=www.mail.fluxlabs.net
    33 49 57 5d 6e d8 6b aa b9 61 73 95 44 07 c9 2e 55 6e 47 10
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 4
    [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
    ---------------- Certificate CDP ----------------
    Expired "Base CRL (05)" Time: 4
    [0.0] http://crl.godaddy.com/gds1-55.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    Expired "OCSP" Time: 4
    [0.0] http://ocsp.godaddy.com/
    CRL (null):
    Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    e5 53 19 6c 54 87 8c 62 23 1b b9 11 e1 d8 3d 3f b2 04 77 3f
    Issuance[0] = 2.16.840.1.114413.1.7.23.1
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    NotBefore: 11/15/2006 8:54 PM
    NotAfter: 11/15/2026 8:54 PM
    Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    Serial: 0301
    7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    Verified "Base CRL" Time: 4
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    Expired "OCSP" Time: 4
    [0.0] http://ocsp.godaddy.com
    CRL (null):
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    da 1e d5 63 5c 05 58 50 4e db d2 4e e8 9d 28 9d c4 36 b3 1e
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
    CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    NotBefore: 6/29/2004 12:06 PM
    NotAfter: 6/29/2034 12:06 PM
    Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    Serial: 00
    27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
    Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
    Exclude leaf cert:
    b1 04 4b 90 a1 d3 48 de 46 bd d7 50 20 e3 44 b8 3f 68 39 f7
    Full chain:
    68 36 4d 37 2e 96 bd d2 aa 77 3f d0 e8 78 a9 e6 68 bd 7d 71
    Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
    Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
    Cert is an End Entity certificate
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.
    As you can see, the "revocation server is offline."
    So I run the same test from another server on the LAN.
    Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
    Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
    Cert is an End Entity certificate
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    It passes. The server's firewall has been disabled. DNS cache has been cleared. I have verified everything I can, and still failing to verify.

    [PS] C:\Users\Administrator\Desktop>Get-ExchangeCertificate |fl
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.Acces
    trol.CryptoKeyAccessRule}
    CertificateDomains : {mail.fluxlabs.net, www.mail.fluxlabs.net}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy
    , Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter : 8/20/2012 7:16:57 PM
    NotBefore : 8/20/2011 7:49:30 PM
    PublicKeySize : 2048
    RootCAType : ThirdParty
    SerialNumber : 27B60918638E0D
    Services : IMAP, POP, IIS, SMTP
    Status : RevocationCheckFailure
    Subject : CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
    Thumbprint : 3349575D6ED86BAAB96173954407C92E556E4710
    [PS] C:\Users\Administrator\Desktop>Enable-ExchangeCertificate -Thumbprint 3349575D6ED86BAAB96173954407C92E556E4710 -Services POP,IMAP,SMTP,IIS
    The command has already been executed. Yes, I have seen those sites. Neither have worked. Like I said, it is directly connected; and no proxies are set.
    -- Jeremy MCSpadden Flux Labs

  • Certificate for Exchange 2013

    Hi
    Do I need to import the certificate on Mailbox servers?

    Agree with Adam. You can go through below article series on managing certificates in Exchange 2013.
    Managing Certificates in Exchange Server 2013 (Part 1)
    Also check below...
    ---- One key difference between Exchange 2010 and Exchange 2013 is that the certificates that are used on the Exchange 2013 Mailbox server are self-signed certificates. Because all clients connect to an Exchange 2013 Mailbox server through an Exchange 2013 Client Access server, the only certificates that you need to manage are those on the Client Access server. The Client Access server automatically trusts the self-signed certificate on the Mailbox server, so clients will not receive warnings about a self-signed certificate not being trusted, provided that the Client Access server has a non-self-signed certificate from either a Windows certification authority (CA) or a trusted third party. There are no tools or cmdlets available to manage self-signed certificates on the Mailbox server. After the server has been properly installed, you should never need to worry about the certificates on the Mailbox server. ----
    Exchange 2013 certificate management UI

  • Exchange Certificate - Revocation Check Failed

    Hi,
    the scenario is the following:
    Windows 2012 R2 domain
    Exchange 2010
    Windows 2012 R2 PKI (1 CA Root stand alone. 1 CA Subordinate Enterprise)
    At Exchange, I get the following error:
    The certificate details are:
    I guess that revocation check error is due to "%20" at ldap path (second image).
    The questions are:
    Is the "%20" normal behavior in the "CRL Distribution Points" details of the certificate?
    If not,
    how can I delete the "%20" in the certificate?
    Thanks in advance!

    Thanks Mark.
    The output from issuing CA:
    Issuer:
        CN=SERVSUBUCA
        DC=servicioscorp
        DC=pbo
      Name Hash(sha1): 3f202eaecb344a1d5f7cefa0ef305ccc4f11764b
      Name Hash(md5): d096ae4af2bbf1f9b7246c5c51f979cb
    Subject:
        CN=uiomatrv-exca01.servicioscorp.pbo
        OU=IT
        O=PRODUBANCO
        L=Quito
        S=Pichincha
        C=EC
      Name Hash(sha1): dbed6b31170d7ea3c36e08e4b7012a4595108527
      Name Hash(md5): bd573e0501d5e3d3a8cdcd229dd40a2e
    Cert Serial Number: 620000001168945925b163ff5d000000000011
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 32 Days, 5 Minutes, 4 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 32 Days, 5 Minutes, 4 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
      NotBefore: 8/4/2014 11:10 AM
      NotAfter: 8/3/2016 11:10 AM
      Subject: CN=uiomatrv-exca01.servicioscorp.pbo, OU=IT, O=PRODUBANCO, L=Quito, S=Pichincha, C=EC
      Serial: 620000001168945925b163ff5d000000000011
      SubjectAltName: DNS Name=uiomatrv-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01, DNS Name=uiomatrv-exca01
      Template: WebServer
      0e180ca4a6642be3709465fd1db4d9a6fa3be717
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No CRL "Certificate (0)" Time: 0
        [0.0] ldap:///CN=SERVSUBUCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?cACertificate?base?objectClass=certificationAuthority
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (2b)" Time: 0
        [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?certificateRevocationList?base?objectClass=cRLDistributionPoint
      Verified "Delta CRL (2b)" Time: 0
        [0.0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?deltaRevocationList?base?objectClass=cRLDistributionPoint
      ----------------  Base CRL CDP  ----------------
      OK "Delta CRL (2f)" Time: 0
        [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?deltaRevocationList?base?objectClass=cRLDistributionPoint
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
        CRL 2b:
        Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
        ThisUpdate: 7/30/2014 2:31 PM
        NextUpdate: 8/14/2014 2:51 AM
        507e17f28e96054ead075e0cf353ea1cefbc4d9f
        Delta CRL 2f:
        Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
        ThisUpdate: 8/3/2014 2:32 PM
        NextUpdate: 8/5/2014 2:52 AM
        52827a7c7b5f621e2db4aa6b76f9fc448a35e50b
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=SERVROOTCA
      NotBefore: 6/18/2014 1:53 PM
      NotAfter: 6/18/2024 2:03 PM
      Subject: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
      Serial: 2d000000024a75bdddb4ea0374000000000002
      Template: SubCA
      5b61be4e5ef53895a1475a89a986302a26cc34a8
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
        CRL 03:
        Issuer: CN=SERVROOTCA
        ThisUpdate: 7/3/2014 11:59 AM
        NextUpdate: 7/4/2015 12:19 AM
        34931efb937f7495ce869f635823bbd9e3df578a
    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=SERVROOTCA
      NotBefore: 6/18/2014 1:08 PM
      NotAfter: 6/18/2029 1:18 PM
      Subject: CN=SERVROOTCA
      Serial: 63f24946f2448c9242ce44936f1f759e
      1cd3339f1c7717ff77921ca53408a9d7ca58a5f7
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
    Exclude leaf cert:
      e594318b0d857c2fcb9d08db80637e278ad891df
    Full chain:
      a0215d71e05618f20649331ea9541930154344eb
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    The output from Exchange:
    Issuer:
        CN=SERVSUBUCA
        DC=servicioscorp
        DC=pbo
    Subject:
        CN=uiomatrv-exca01.servicioscorp.pbo
        OU=IT
        O=PRODUBANCO
        L=Quito
        S=Pichincha
        C=EC
    Cert Serial Number: 620000001168945925b163ff5d000000000011
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwRevocationFreshnessTime: 21 Hours, 31 Minutes, 44 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwRevocationFreshnessTime: 21 Hours, 31 Minutes, 44 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
      NotBefore: 04/08/2014 11:10
      NotAfter: 03/08/2016 11:10
      Subject: CN=uiomatrv-exca01.servicioscorp.pbo, OU=IT, O=PRODUBANCO, L=Quito, S=Pichincha, C=EC
      Serial: 620000001168945925b163ff5d000000000011
      SubjectAltName: DNS Name=uiomatrv-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01, DNS Name=uiomatrv-exca01
      Template: WebServer
      17 e7 3b fa a6 d9 b4 1d fd 65 94 70 e3 2b 64 a6 a4 0c 18 0e
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No CRL "Certificate (0)" Time: 0
        [0.0] ldap:///CN=SERVSUBUCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?cACertificate?base?objectClass=certificationAuthority
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (2b)" Time: 0
        [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?certificateRevocationList?base?objectClass=cRLDistributionPoint
      Verified "Delta CRL (2b)" Time: 0
        [0.0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?deltaRevocationList?base?objectClass=cRLDistributionPoint
      ----------------  Base CRL CDP  ----------------
      OK "Delta CRL (2f)" Time: 0
        [0.0] ldap:///CN=SERVSUBUCA,CN=UIOMATRV-CERT02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=servicioscorp,DC=pbo?deltaRevocationList?base?objectClass=cRLDistributionPoint
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
        CRL 2b:
        Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
        9f 4d bc ef 1c ea 53 f3 0c 5e 07 ad 4e 05 96 8e f2 17 7e 50
        Delta CRL 2f:
        Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
        0b e5 35 8a 44 fc f9 76 6b aa b4 2d 1e 62 5f 7b 7c 7a 82 52
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=40
      Issuer: CN=SERVROOTCA
      NotBefore: 18/06/2014 13:53
      NotAfter: 18/06/2024 14:03
      Subject: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
      Serial: 2d000000024a75bdddb4ea0374000000000002
      Template: SubCA
      a8 34 cc 26 2a 30 86 a9 89 5a 47 a1 95 38 f5 5e 4e be 61 5b
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=SERVROOTCA
      NotBefore: 18/06/2014 13:08
      NotAfter: 18/06/2029 13:18
      Subject: CN=SERVROOTCA
      Serial: 63f24946f2448c9242ce44936f1f759e
      f7 a5 58 ca d7 a9 08 34 a5 1c 92 77 ff 17 77 1c 9f 33 d3 1c
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
    Exclude leaf cert:
      24 b9 1e b2 79 76 b0 16 2d 6d ae e2 cd 6b 98 aa 5f 27 38 20
    Full chain:
      7b 8c 64 0e 02 42 5a 7e 2d 1a 8b d4 db 3a c2 9c 10 a9 13 56
      Issuer: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
      NotBefore: 04/08/2014 11:10
      NotAfter: 03/08/2016 11:10
      Subject: CN=uiomatrv-exca01.servicioscorp.pbo, OU=IT, O=PRODUBANCO, L=Quito, S=Pichincha, C=EC
      Serial: 620000001168945925b163ff5d000000000011
      SubjectAltName: DNS Name=uiomatrv-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01.servicioscorp.pbo, DNS Name=gyesitev-exca01, DNS Name=uiomatrv-exca01
      Template: WebServer
      17 e7 3b fa a6 d9 b4 1d fd 65 94 70 e3 2b 64 a6 a4 0c 18 0e
    The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
    Revocation check skipped -- no revocation information available
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    Thanks in advance!
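The `certutil -verify` output quoted in the two threads above reports a `dwErrorStatus` bitmask for each chain element and a retrieval status for each AIA/CDP/OCSP URL. As an added example (not from any poster, and not part of certutil), this Python parser extracts both and names the chain element that carries the revocation error; the function names are hypothetical and the two samples are abridged from the outputs quoted on this page.

```python
import re

# Trust-status bits that appear in the certutil output quoted on this page.
ERROR_BITS = {
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
REVOCATION_SECTIONS = ("Certificate CDP", "Certificate OCSP")
GOOD_STATUSES = ("Verified", "OK")

CONTEXT_RE = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-fA-F]+) dwErrorStatus=([0-9a-fA-F]+)")
SECTION_RE = re.compile(r"^-{4,}\s+(.+?)\s+-{4,}$")
STATUS_RE = re.compile(r'^(.+?) "([^"]*)" Time: (\d+)$')
URL_RE = re.compile(r"^\[[\d.]+\]\s+(\S+)$")

# Abridged from the GoDaddy leaf element quoted above (public CA case).
SAMPLE_PUBLIC_CA = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Subject: CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 4
[0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (05)" Time: 4
[0.0] http://crl.godaddy.com/gds1-55.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 4
[0.0] http://ocsp.godaddy.com/
"""

# Abridged from the subordinate CA element in the Exchange-side output above.
SAMPLE_INTERNAL_CA = """\
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=40
  Subject: CN=SERVSUBUCA, DC=servicioscorp, DC=pbo
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
"""


def decode_error_status(value):
    """Turn a dwErrorStatus bitmask into the flag names certutil prints."""
    names = [name for bit, name in ERROR_BITS.items() if value & bit]
    rest = value & ~sum(ERROR_BITS)
    if rest:
        names.append("unlisted bits 0x%x" % rest)
    return names


def parse_verify_output(text):
    """Return one dict per chain element with its error flags and URL fetches."""
    elements = []
    element = section = fetch = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONTEXT_RE.match(line)
        if m:
            error = int(m.group(4), 16)
            element = {"index": int(m.group(2)), "subject": None,
                       "error_status": error,
                       "error_flags": decode_error_status(error), "fetches": []}
            elements.append(element)
            section = fetch = None
        elif element is None:
            continue  # header lines before the first chain element
        elif line.startswith("Subject:") and element["subject"] is None:
            element["subject"] = line[len("Subject:"):].strip()
        elif SECTION_RE.match(line):
            section, fetch = SECTION_RE.match(line).group(1), None
        elif section and STATUS_RE.match(line):
            s = STATUS_RE.match(line)
            fetch = {"section": section, "status": s.group(1),
                     "object": s.group(2), "url": None}
            element["fetches"].append(fetch)
        elif fetch is not None and fetch["url"] is None and URL_RE.match(line):
            fetch["url"] = URL_RE.match(line).group(1)
    return elements


def revocation_findings(elements):
    """List (index, subject, flags, reason) for elements with an error status."""
    findings = []
    for el in elements:
        if not el["error_flags"]:
            continue
        sources = [f for f in el["fetches"]
                   if f["section"] in REVOCATION_SECTIONS and f["url"]]
        failed = [f for f in sources if f["status"] not in GOOD_STATUSES]
        if not sources:
            reason = "no CDP or OCSP URL listed for this certificate"
        elif failed:
            reason = "; ".join("%s %s" % (f["status"], f["url"]) for f in failed)
        else:
            reason = "all listed revocation URLs verified"
        findings.append((el["index"], el["subject"], el["error_flags"], reason))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC_CA, SAMPLE_INTERNAL_CA):
        for finding in revocation_findings(parse_verify_output(sample)):
            print(finding)
```

Feed it the full text of a saved `certutil -verify -urlfetch` run; elements whose `dwErrorStatus` is 0 are skipped, so only the certificate whose revocation data could not be obtained is reported.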

  • Best practices for buying a digital certificate for Exchange 2013

    Good day friends,
    Could you indicate to me which are the best practices when buying a public digital certificate for use on Exchange Server 2013?
    I'd be interested in knowing your opinion about using wildcard or SAN certificates.
    Likewise, what are the best recommendations on which names to include, and why they should or should not include the internal FQDN of my servers?
    Currently I have an infrastructure that has two Mailbox servers, two CAS servers and an Edge 2010 server, but I'm planning to update it to Exchange 2013.
    I searched for the best practices according to Microsoft but have found little information.
    I would appreciate it if you could post links, like Microsoft KBs and other technical documents, that discuss the above.
    Thank you for your invaluable support.
    Greetings.

    Hi,
    Personal suggestion, we can use two namespaces for your Exchange 2013:
    Autodiscover.domain.com (Used for autodiscover service)
    Mail.domain.com (used for all Exchange services external and internal URLs)
    Please point mail.domain.com and autodiscover.domain.com to your Internet-facing CAS 2013.
    For more information about Digital Certificates and SSL in Exchange 2013, please refer to the Digital Certificates Best Practices part in the following TechNet article:
    http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
    Additionally, here are some other scenarios about certificate planning in Exchange 2013:
    http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Using an SSL certificate for Exchange 2013

    Hi,
    I am not sure if this is the correct forum to post this question in.
    Basically we are migrating from Exchange 2007 to Exchange 2013. Our 2013 machines have both roles installed and do everything. They are configured in a DAG. We have no hardware load balancing/reverse proxy or etc. inside or outside.
    We use an alias of mail.domain.com to connect to OWA/ActiveSync etc. from the Internet. This alias would point to mail1.domain.com, which is the IP of the first Exchange 2013 server.
    If that server were to break, we would point the alias of mail.domain.com to mail2.domain.com, which is the IP of the second Exchange 2013 server. Clients would not need any changes before they started connecting to the remaining mail server (eventually) and email would continue.
    I know this is not an ideal setup, but for now it is what we have and would keep us running in the event of server failure.
    My question is, when I request a certificate, do I need two of them with mail1.domain.com and mail2.domain.com as their primary and SAN of mail.domain.com OR do I request one certificate with mail.domain.com as the primary host and SAN of mail1.domain.com and mail2.domain.com (and install the one certificate on both servers)?
    I want to include mail1.domain.com and mail2.domain.com as this can be helpful for testing and/or during migration.
    I hope that makes some sense and appreciate any help people can offer.
    Thanks!

    You do not need server names in the certificate if you are using mail.domain.com only in all of the URL settings.  You will want autodiscover.domain.com, however.
    Consider configuring a different internal and external name for Outlook Anywhere so that Outlook knows whether it is connecting from the Internet or internally.  For internal Outlook Anywhere, use a name that you don't publish to the Internet. 
    For example, use mail.domain.com for everything except internal Outlook Anywhere, use mailinternal.domain.com.  Put mail.domain.com, mailinternal.domain.com and autodiscover.domain.com in the certificate.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Configuring CA Certificate for Exchange 2013

    Hello,
    I have two Exchange 2013 servers running both CAS and MB roles which are also part of a DAG. To secure mail flow in and out of my organization, I am planning to implement a reverse proxy in my DMZ. I can easily access my OWA using my DAG name. I wonder if I can configure my reverse proxy machine to access the cluster name/IP. I am also confused about configuring the certificate. Which one of my machines should be used to create the CSR?
    Pooriya Aghaalitari

    Hey David,
    I just got to learn about this after I sent the post. So I can create the certificate and import/export to other servers right? Thanks a lot man.
    Regards,
    Pooriya
    Pooriya Aghaalitari
    Yes. In fact, you want to make sure all the certs applied to the CAS are the same (same thumbprint).

  • Wildcard certificate for Exchange 2013

    Hello!
    I have a testing network with Exchange 2013SP1 and Windows Server 2012R2 domain controller with CA installed.
    For testing purposes I issued a wildcard certificate for my Exch2013 from my local CA using Web server template and installed it on the Exchange server.
    Now when I open, for example, ecp or owa page I'm getting the error stating my certificate is wrong:
    Q1) Is Windows CA capable of issuing wildcard certificates?
    Q2) If Q1=yes then what can be the cause of the problem?
    Thank you in advance,
    Michael

    Hi Michael,
    Please click Certificate error in IE to view the details about the error. If the error is related to an untrusted certificate, please open Internet Explorer, click Settings > Internet Option > Content option > Certificate. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and check if your certificate is in the list.
    If the certificate is not in the list, we can install the certificate in the Trusted Root certificate store by following this KB:
    http://support2.microsoft.com/kb/2006728
    If the certificate error is related to a mismatch issue, please confirm if this certificate is assigned to the IIS service. If not, please enable it for the IIS service and restart the IIS service to have a try. To double check the Exchange certificate, we can run the following command:
    Get-ExchangeCertificate | FL
    Regards,
    Winnie Liang
    TechNet Community Support

  • Self Signed Certificate for Exchange 2013

     
    What's the drawback of using a self-signed certificate in a production environment?

    Hi,
    Based on my research, here are the disadvantages of self-signed certificate:
    1. The certificates aren't trusted by other applications/operating systems. This may lead to authentication errors etc.
    Note: To overcome this limitation, some IT staff add the self-signed certificates to the Trusted Root Certification Authorities. However, using this workaround may lead to additional time needed for management and troubleshooting.
    2. Self-signed certificates' lifetime is usually 1 year. Before the year has ended, the certificate may need to be renewed/replaced.
    3. Self-signed certificates may use low hash and cipher technologies. Due to this, the security level implemented by self-signed certificates may not satisfy the current Security Policy etc.
    4. No support for advanced PKI (Public Key Infrastructure) functions (e.g. Online checking of the revocation list etc.).
    5. Most of the advanced features of the server-side applications require implementing a PKI (Public Key Infrastructure). Because of this, self-signed certificates' advantages can't be used.
    For more information, you can refer to the following article:
    http://blogs.microsoft.co.il/yuval14/2011/09/23/the-advantages-and-disadvantages-of-using-self-signed-certificates/
    Thanks,
    Angela Shi
    TechNet Community Support

  • Java Webstart application problem with TLS certificate revocation checks (Java 1.7.0_76)

    We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
    The application is running on a server within a wide area network which is separated from the internet.
    The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
    The user has to enter, for example, "https://my-site.de/myapp/ma.jnlp" in a web browser, or can call "javaws https://my-site.de/myapp/ma.jnlp", to start the application client.
    The web server has a certificate from a trusted certificate authority. This certificate seems to be OK; the browser is even configured to perform an OCSP status check.
    The application files are signed with a certificate from another trusted certificate authority. This certificate also seems to be OK. There are no problems with certificate revocation checks for this certificate.
    The problem is that, while the application client is starting, a message box tells us something like "the connection to this website is not trustworthy", "Website: https://my-site.de:80", and something about an invalid certificate, meaning the web server certificate.
    Obviously the JVM runtime, which is executed on the user's workstation, tries to perform a revocation check for the web server's certificate, but this fails because it cannot fetch the certificate under https://my-site.de:80.
    The application will execute without further problems after that message, but the users are very concerned about the "invalid" certificate, so here are my questions:
    - Why is the application trying to get the web server certificate over port 80? Our application developers told me there is no corresponding statement. Calling this address has to fail, while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
    - Is there a way to make the application go on without performing a TLS revocation check? I mean by adjusting the application source code, not by configuring the user's Java Control Panel. When the TLS certificate revocation check is disabled in the Java Control Panel, the Web Start application executes without a warning message, but this is not a workable solution for our users.
    It would be great if someone could help me with a hint so I can send our developers in the right direction ;-)
    Many thanks!
    This is part of the Java console output after calling "javaws -verbose https://my-site.de/myapp/"
    (sorry that this is in German... and also for my English above)
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: OCSP Response: GOOD
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: UNAUTHORIZED
    security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    network: Cacheeintrag gefunden [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
    cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
    cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
    network: Codierung für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
    network: Verbindung mit http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl trennen
    CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird
    network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
    security: Revocation Status Unknown
    com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
            at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
            ... 35 more
    Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        ... 36 more
    security: Ungültiges Zertifikat vom HTTPS-Server
    network: Cacheeintrag nicht gefunden [URL: https://my-site.de:80, Version: null]

    Add the JSF Jars to the WEB-INF/lib directory of the application. If still getting error add to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.
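
The `javaws -verbose` trace in the question above records each revocation step: the OCSP answers, the fail-over to CRLs, and whether each endpoint was reached through the proxy or directly. The Python script below is an added example, not code from the thread; it parses an excerpt of that trace (German JRE locale assumed; the names `triage` and `findings` are illustrative) and lists the points an operator should follow up.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the `javaws -verbose` trace quoted in the post (German JRE locale,
# repeated lines trimmed). The proxy host is elided in the original.
SAMPLE_LOG = """\
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
security: OCSP Response: GOOD
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
security: UNAUTHORIZED
security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
security: Revocation Status Unknown
"""

CONNECT = re.compile(r"^network: Verbindung von (\S+) mit Proxy=(.+?) wird hergestellt$")
HTTP_STATUS = re.compile(r"^network: ResponseCode \S+ (\S+): (\d{3})$")
OCSP_ERROR = re.compile(r"OCSP response error: (\w+)")


def triage(log_text):
    """Reduce a javaws -verbose trace to the revocation-check steps it records."""
    report = {"ocsp": [], "failover": False, "crl_http": {},
              "routes": {}, "verdict": None}
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := CONNECT.match(line)):
            url, route = m.groups()
            via = "direct" if route == "DIRECT" else "proxy"
            report["routes"].setdefault(urlsplit(url).netloc, set()).add(via)
        elif (m := HTTP_STATUS.match(line)):
            report["crl_http"][m.group(1)] = int(m.group(2))
        elif line == "security: OCSP Response: GOOD":
            report["ocsp"].append("GOOD")
        elif line.startswith("security: Failing over to CRLs"):
            report["failover"] = True
            if (m := OCSP_ERROR.search(line)):
                report["ocsp"].append(m.group(1))
        elif line == "security: Revocation Status Unknown":
            report["verdict"] = "unknown"
    return report


def findings(report):
    """Turn the parsed steps into the points an operator should follow up."""
    out = []
    errors = [s for s in report["ocsp"] if s != "GOOD"]
    if errors:
        out.append("OCSP responder answered " + ", ".join(errors)
                   + ": it was reachable but returned no certificate status")
    out += [f"CRL download {url} returned HTTP {code}"
            for url, code in report["crl_http"].items() if code != 200]
    for host, routes in sorted(report["routes"].items()):
        if "direct" in routes:
            out.append(f"{host} was contacted without the proxy; "
                       "confirm the client network allows that route")
    if report["verdict"] == "unknown":
        out.append("revocation status ended as unknown")
    return out

if __name__ == "__main__":
    print("\n".join(findings(triage(SAMPLE_LOG))))
```

On the excerpt it reports the UNAUTHORIZED OCSP answer, the direct LDAP connection on port 389, and the final unknown status; the CRL download itself returned HTTP 200 and is not flagged.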

  • Windows Server 2012 - Backup failing with Exchange - The application will not be available for recovery from this backup. the consistency check failed

    Hi
    We have a Windows 2012 server with Exchange 2013. All is working fine, except that I am now getting issues with the backup.
    'Exchange - The application will not be available for recovery from this backup. the consistency check failed for the component Microsoft Exchange Server'
    I have checked the database and all is fine. I have created a new DB, moved all mailboxes over and then removed the old DB; I have enabled circular logging and then disabled it. It seems no matter what I do, I cannot get a full backup!
    I did have to restore the server once, and the backups still worked for about 4 days after that and then stopped. I have also tried to remove and re-add the backup role!
    I am stumped; any advice would be great!

    Hi
    OK, I created a test DB and tried to back it up right away; it failed, and I did not add any mailboxes to it either. I got quite a few events in the Windows logs; as well as the same event above, I got the following:
    Log Name:      Application
    Source:        MSExchangeRepl
    Date:          21/01/2013 10:16:30
    Event ID:      2038
    Task Category: Exchange VSS Writer
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      NERDS-DC01.nerds.local
    Description:
    Microsoft Exchange VSS Writer backup failed. No log files were truncated. Instance 75754d0d-8dfe-4909-8beb-5a4f824254a9. Database 4843b37c-7b3c-42b2-8b57-1393615c2c15.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeRepl" />
        <EventID Qualifiers="32772">2038</EventID>
        <Level>3</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-21T10:16:30.000000000Z" />
        <EventRecordID>261645</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NERDS-DC01.nerds.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>75754d0d-8dfe-4909-8beb-5a4f824254a9</Data>
        <Data>4843b37c-7b3c-42b2-8b57-1393615c2c15</Data>
      </EventData>
    </Event>
    AND
    Log Name:      Application
    Source:        MSExchangeRepl
    Date:          21/01/2013 10:16:30
    Event ID:      2038
    Task Category: Exchange VSS Writer
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      NERDS-DC01.nerds.local
    Description:
    Microsoft Exchange VSS Writer backup failed. No log files were truncated. Instance 75754d0d-8dfe-4909-8beb-5a4f824254a9. Database db5826f3-1029-4219-ad80-441a0e94537a.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeRepl" />
        <EventID Qualifiers="32772">2038</EventID>
        <Level>3</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-21T10:16:30.000000000Z" />
        <EventRecordID>261646</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NERDS-DC01.nerds.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>75754d0d-8dfe-4909-8beb-5a4f824254a9</Data>
        <Data>db5826f3-1029-4219-ad80-441a0e94537a</Data>
      </EventData>
    </Event>
    and
    Log Name:      Application
    Source:        MSExchangeRepl
    Date:          21/01/2013 10:16:30
    Event ID:      2034
    Task Category: Exchange VSS Writer
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NERDS-DC01.nerds.local
    Description:
    The Microsoft Exchange Replication service VSS Writer (Instance 75754d0d-8dfe-4909-8beb-5a4f824254a9) failed with error FFFFFFFC when processing the backup completion event.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeRepl" />
        <EventID Qualifiers="49156">2034</EventID>
        <Level>2</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-21T10:16:30.000000000Z" />
        <EventRecordID>261649</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NERDS-DC01.nerds.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>75754d0d-8dfe-4909-8beb-5a4f824254a9</Data>
        <Data>FFFFFFFC</Data>
      </EventData>
    </Event>
    and
    Log Name:      Application
    Source:        SPP
    Date:          21/01/2013 10:16:30
    Event ID:      16389
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NERDS-DC01.nerds.local
    Description:
    Writer Microsoft Exchange Writer experienced retryable error during shadow copy creation. Retrying...  More info: .
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="SPP" />
        <EventID Qualifiers="0">16389</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-21T10:16:30.000000000Z" />
        <EventRecordID>261650</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NERDS-DC01.nerds.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Microsoft Exchange Writer</Data>
        <Data>
        </Data>
        <Data>The writer experienced a transient error.  If the backup process is retried, the error may not reoccur. (0x800423F3)</Data>
        <Data>
        </Data>
        <Binary>00000000A5120000981200000000000042BEB7C511CAC619E59C92030000000000000000</Binary>
      </EventData>
    </Event>

  • Authenticated proxy for cert revocation check

    Hi guys,
    Since upgrading to Java 7u25, Web Start will do a certificate revocation check at startup. Problem is, it seems to be ignoring the proxy authentication settings (I have it set up to use browser settings; tried switching to manual but there's no way to specify a username and password!) and it's locking my account because it tries to access the proxy without credentials. Even stranger, it seems to pass the revocation check eventually... so it seems it's only ignoring it long enough to fire a few failed login attempts. Any ideas how to get around this?

    Hi,
    Please try the following method.
    Certificate revocation checked failed:
    http://blogs.technet.com/b/bshukla/archive/2012/04/30/certificate-revocation-checked-failed.aspx
    Wendy Liu
    TechNet Community Support

  • Exchange 2013 don't unassign IIS Services from Certificate Self-Sign

    Hi,
    I imported a new public certificate into Exchange 2013 SP1 and assigned the IIS service to it, but the IIS service stays assigned to the self-signed certificate. Now I have IIS services assigned to two certificates (self-signed and public certificate). Has anyone seen this? What do I do now?
    Another question: can I remove the self-signed certificate? Is any service in Exchange tied to it?

    Hi,
    If possible, please provide more parameters (Status, IsSelfSigned etc.) about the certificate with IIS service:
    Get-ExchangeCertificate -Thumbprint 382E9DCC4CCA38DA488345F7B46114BA91EBB8F0 | FL
    Get-ExchangeCertificate -Thumbprint 86EE0029EBC8FDCC9F98572602E69F65226BAB76 | FL
    Please restart IIS service by running iisreset /noforce from a command prompt window. If the public certificate is configured correctly and has included all namespaces used for all Internal and external Exchange connections, we can remove the self-signed certificate safely.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Exchange 2013/2007 coexistence: The Name on the Security Certificate is Invalid or Does Not Match the Name of the Site.

    In the midst of Exchange 2013/2007 coexistence configuration. 
    Currently:
    Exchange 2007:
    2 CAS\HUB
    1 Mailbox server
    Exchange 2013 (2 sites):
    LA:
    1 CAS
    2 MBX servers
    MKE:
    1 CAS 
    2 MBX servers.
    We purchased a certificate from Digicert and added every SAN name we could think of, including "legacy.companyname.com", just to be sure. Added the certificate to the Exchange 2013 CAS servers and the 2007 CAS\HUB boxes. Configured virtual directories on Exchange 2013 MKE-CAS01 but not on Exchange 2013 LA-CAS01. Configured virtual directories on Exchange 2007 CAS\HUB to point to "legacy.companyname.com".
    Mailboxes have not been moved yet. I just wanted to get the coexistence between Exchange 2013/2007 up first, but some users (not all) are receiving "The name of the security certificate is invalid or does not match the name of the site" for "LEGACY.COMPANYNAME.COM". I remember configuring the AUTODISCOVER virtual directory for Exchange 2007. Any ideas? Thank you.

    Hi,
    Please make sure that the certificate with "legacy.companyname.com" name is enabled for IIS service. We can check it by running the following command in Exchange server 2007:
    Get-ExchangeCertificate | FL
    Thanks,
    Winnie Liang
    TechNet Community Support
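
Both the wildcard thread and the coexistence thread above turn on whether each host name clients use is covered by a certificate that is enabled for IIS. The Python example below is added here and is not from the posts; it runs that comparison over a constructed inventory modelled on the CertificateDomains, Services and IsSelfSigned fields of `Get-ExchangeCertificate | FL` (the `name` key, the function names and every host other than legacy.companyname.com and MKE-CAS01 are illustrative assumptions).

```python
from urllib.parse import urlsplit

# Constructed inventory, shaped like the CertificateDomains / Services /
# IsSelfSigned fields printed by Get-ExchangeCertificate | FL.
CERTS = [
    {"name": "self-signed", "IsSelfSigned": True, "Services": {"IIS", "SMTP"},
     "CertificateDomains": ["MKE-CAS01"]},
    {"name": "public", "IsSelfSigned": False, "Services": {"SMTP"},
     "CertificateDomains": ["*.companyname.com", "companyname.com"]},
]
# Constructed client-facing URLs (virtual directory and Autodiscover style).
URLS = [
    "https://LEGACY.COMPANYNAME.COM/owa",
    "https://autodiscover.companyname.com/Autodiscover/Autodiscover.xml",
    "https://mail.emea.companyname.com/ecp",
    "https://MKE-CAS01/ews/exchange.asmx",
]


def san_matches(host, san):
    """Match one DNS SAN entry against a host name the way a TLS client does."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    # A wildcard stands for exactly one left-most label: *.example.com covers
    # mail.example.com, but neither example.com nor a.b.example.com.
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]


def audit(urls, certs, service="IIS"):
    """Classify each URL host as 'ok', 'not-enabled' or 'uncovered'."""
    result = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        covering = [c for c in certs
                    if any(san_matches(host, s) for s in c["CertificateDomains"])]
        if any(service in c["Services"] for c in covering):
            result[host] = "ok"            # a covering certificate is enabled for the service
        elif covering:
            result[host] = "not-enabled"   # name is on a certificate, but not one enabled for IIS
        else:
            result[host] = "uncovered"     # no certificate carries this name
    return result


if __name__ == "__main__":
    for host, status in audit(URLS, CERTS).items():
        print(f"{status:12} {host}")
```

A `not-enabled` result is the situation the replies ask the poster to rule out with `Get-ExchangeCertificate | FL`: the name is on the purchased certificate, but that certificate is not the one enabled for IIS.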
