Exchange Error – MSExchangeFrontEndTransport ID 12014

Solution for Windows Server Event ID 12014 – MSExchangeFrontEndTransport: Microsoft Exchange could not find a certificate that contains the domain name.

This error usually appears after a sysadmin changes the certificate for services such as IIS or MS Exchange. The cause is an incomplete SSL certificate installation: data from the old SSL certificate still persists in the ReceiveConnector. In this case the connector holds outdated information about the certificate issuer, because the issuer data was updated over time.

Full error message:

Microsoft Exchange could not find a certificate that contains the domain name <I>CN=TERENA SSL CA, O=TERENA, C=NL<S>CN=mail.contoso.com, OU=Domain Control Validated in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Frontend EXCHANGE1 with a FQDN parameter of <I>CN=TERENA SSL CA, O=TERENA, C=NL<S>CN=mail.contoso.com, OU=Domain Control Validated. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

FIX:

(Be really careful if you have this problem in the same or a similar situation. I’m not responsible for any damage you cause.)

We need to list all Receive connectors in EMS:

Get-ReceiveConnector

Note – use the Identity values of your own receive connectors:

Identity                                      Bindings                    Enabled
--------                                      --------                    -------
EXCHANGE1\Default Frontend EXCHANGE1          {[::]:25, 0.0.0.0:25}       True
EXCHANGE1\Outbound Proxy Frontend EXCHANGE1   {[::]:717, 0.0.0.0:717}     True
EXCHANGE1\Client Frontend EXCHANGE1           {[::]:587, 0.0.0.0:587}     False
EXMB1\Default EXMB1                           {[::]:25, 0.0.0.0:25}       True
EXMB1\Client Proxy EXMB1                      {[::]:465, 0.0.0.0:465}     False

I’ve identified my Default Frontend receive connector as EXCHANGE1\Default Frontend EXCHANGE1 (you can also identify this connector from the error message).

Now we need more information about the active certificate of the identified receive connector:

Get-ReceiveConnector -Identity "EXCHANGE1\Default Frontend EXCHANGE1" | fl Server,Fqdn,TlsCertificateName
Server             : EXCHANGE1
Fqdn               : EXCHANGE1.contoso.com
TlsCertificateName : <I>CN=TERENA SSL CA, O=TERENA, C=NL<S>CN=mail.contoso.com, OU=Domain Control Validated

As I said, in this case the information about the certificate issuer is wrong. I installed the new certificate and removed the old one, but the certification authority had changed its own issuer information and we didn’t know about this.

Newly installed certificate and its Issuer information: [image: Issuers-data]

To correct this problem we need to fix these values:

Note – use the values from your own newly installed certificate

Set-ReceiveConnector -Identity "EXCHANGE1\Default Frontend EXCHANGE1" -TlsCertificateName "<I>CN=TERENA SSL CA 2, O=TERENA, L=Amsterdam, S=Noord-Holland, C=NL<S>CN=mail.contoso.com, OU=Domain Control Validated"

To check if we were successful:

Get-ReceiveConnector -Identity "EXCHANGE1\Default Frontend EXCHANGE1" | fl Server,Fqdn,TlsCertificateName
Server             : EXCHANGE1
Fqdn               : EXCHANGE1.contoso.com
TlsCertificateName : <I>CN=TERENA SSL CA 2, O=TERENA, L=Amsterdam, S=Noord-Holland, C=NL<S>CN=mail.contoso.com, OU=Domain Control Validated

Now you should see no more Event ID 12014 errors and MS Exchange should work without problems.
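
An added example, not part of the original post: a PowerShell check that compares each receive connector's TlsCertificateName with the installed certificates and, when nothing matches, proposes the string built from an unexpired certificate with the same subject. The function names Get-TlsCertificateName and Test-ConnectorTlsCertificate are hypothetical, and the sample objects are constructed from the values shown above.

```powershell
# Added example; the two function names are hypothetical, not Exchange cmdlets.
function Get-TlsCertificateName($Certificate) {
    # Same "<I>issuer<S>subject" layout that the connector stores.
    "<I>$($Certificate.Issuer)<S>$($Certificate.Subject)"
}

function Test-ConnectorTlsCertificate {
    param($Connectors, $Certificates, [datetime]$Now = (Get-Date))
    foreach ($rc in $Connectors) {
        $name = [string]$rc.TlsCertificateName
        if (-not $name) { continue }   # connector is not pinned to a certificate by name
        # Installed certificates whose issuer and subject both match the stored string.
        $exact  = @($Certificates | Where-Object { (Get-TlsCertificateName $_) -eq $name })
        $usable = @($exact | Where-Object { $_.NotAfter -gt $Now -and "$($_.Services)" -match 'SMTP' })
        $status = 'OK'
        if ($usable.Count -eq 0) { $status = 'ExpiredOrNotEnabledForSMTP' }
        if ($exact.Count -eq 0)  { $status = 'NoMatchingCertificate' }
        # Unexpired certificates with the same subject are the likely replacements after a renewal.
        $subject = ($name -split '<S>', 2)[1]
        $suggest = @($Certificates |
            Where-Object { $_.Subject -eq $subject -and $_.NotAfter -gt $Now } |
            ForEach-Object { Get-TlsCertificateName $_ })
        [pscustomobject]@{
            Connector = [string]$rc.Identity
            Status    = $status
            Current   = $name
            Suggested = $suggest
        }
    }
}

# Constructed sample mirroring the values in this post. On a live server, pass
# (Get-ReceiveConnector) and (Get-ExchangeCertificate) instead.
$connectors = @([pscustomobject]@{
    Identity           = 'EXCHANGE1\Default Frontend EXCHANGE1'
    TlsCertificateName = '<I>CN=TERENA SSL CA, O=TERENA, C=NL<S>CN=mail.contoso.com, OU=Domain Control Validated'
})
$certificates = @([pscustomobject]@{
    Issuer   = 'CN=TERENA SSL CA 2, O=TERENA, L=Amsterdam, S=Noord-Holland, C=NL'
    Subject  = 'CN=mail.contoso.com, OU=Domain Control Validated'
    NotAfter = (Get-Date).AddYears(1)
    Services = 'IIS, SMTP'
})
Test-ConnectorTlsCertificate -Connectors $connectors -Certificates $certificates | Format-List
```

A connector reported as NoMatchingCertificate with a Suggested value is the situation this post corrects with Set-ReceiveConnector -TlsCertificateName.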
