
  • Question

  • Hi all, we have a slight problem in our current environment and I'm hoping someone can assist.

    Whenever an event is written to the admin audit logs we receive the following error:

    Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

    This error occurs when commands are run (e.g. Write-AdminAuditLog) from a different AD site only. I've tested moving the system mailbox to the opposite site and can replicate the issue from the site it was initially moved from.

    According to the following from the link: https://technet.microsoft.com/en-us/library/bb310763(v=exchg.141).aspx

    "Client Access servers that aren't exposed to the Internet don't have to have separate Secure Sockets Layer (SSL) certificates to allow proxied traffic from another Client Access server. By default, they can use the self-signed certificate installed with Exchange 2010. "

    We have external URLs set on each CAS server so I can assume it's no longer using the self-signed certs for validation. Wireshark shows EWS proxy requests using the InternalNLBBypass server and not the InternalUrl. As we are split-DNS, the IIS cert assigned to EWS is a globally signed wildcard cert for only the internal & external domain name, and not the domain the servers are joined to.

    As a workaround I've moved the system mailbox to a test mailbox server with the CAS role that doesn't have an external URL set, and it's working fine after assigning the self-signed cert to IIS.

    I've searched for a solution and the closest I've found is to turn off the cert validation for proxy requests, here: https://social.technet.microsoft.com/Forums/exchange/en-US/4632e7f9-581d-4147-ba37-8b73a097ca14/internalnlbbypassurl-query-in-relation-to-external-3rd-party-certs?forum=exchange2010

    "CAS-CAS proxy by default does not validate the cert; it is used for encryption. This is why it works with self-signed certs. You can set a reg key to enforce the validation."

    Does anyone know what this reg key is, as we may be forcing cert validation?

    Many thanks
    Thursday, June 7, 2018 11:06 AM
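The post above describes a classic TLS name-mismatch symptom: the proxy request goes to the InternalNLBBypassUrl host name (typically the server's FQDN in the AD domain), while the IIS certificate is a wildcard for a different DNS domain, so "The remote certificate is invalid according to the validation procedure" is exactly what a validating client reports. The following is an added diagnostic example, not code from the thread or from Microsoft: it applies RFC 6125-style host-name matching (a `*` covers exactly one leftmost label) to the host names in each virtual directory's URLs and lists the ones the certificate does not cover. The server names, URLs and certificate names are constructed sample data; the property names InternalUrl, ExternalUrl and InternalNLBBypassUrl are the real Exchange virtual-directory attributes, but the values shown are assumptions.

```python
"""Added example: find virtual-directory URLs whose host name is not covered
by the certificate's subject alternative names (constructed sample data)."""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: exact label-for-label match, or a single '*'
    that is the entire leftmost label of the pattern and matches exactly one
    host label. So '*.contoso.com' covers mail.contoso.com but neither
    contoso.com, a.b.contoso.com, nor cas01.corp.local."""
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return host_labels == pat_labels
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if pat_labels[0] != "*" or len(pat_labels) < 2:
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def url_covered_by_cert(url: str, cert_names: List[str]) -> bool:
    """True if the URL's host name matches any name the certificate carries."""
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(hostname_matches(host, name) for name in cert_names)


def find_uncovered_urls(
    vdirs: Dict[str, Dict[str, str]], cert_names: List[str]
) -> Dict[str, List[Tuple[str, str]]]:
    """Per server, list (url kind, url) pairs whose host the certificate does
    not cover. Servers where every URL is covered are omitted."""
    gaps: Dict[str, List[Tuple[str, str]]] = {}
    for server, urls in vdirs.items():
        bad = [(kind, url) for kind, url in urls.items()
               if url and not url_covered_by_cert(url, cert_names)]
        if bad:
            gaps[server] = bad
    return gaps


# Constructed sample: a split-DNS layout where the public wildcard certificate
# is bound to IIS but the bypass URL uses the AD-domain FQDN (assumption).
SAMPLE_CERT_NAMES = ["*.contoso.com", "contoso.com"]
SAMPLE_VDIRS = {
    "CAS01": {
        "InternalUrl": "https://mail.contoso.com/EWS/Exchange.asmx",
        "ExternalUrl": "https://mail.contoso.com/EWS/Exchange.asmx",
        "InternalNLBBypassUrl": "https://cas01.corp.local/EWS/Exchange.asmx",
    },
    "LAB01": {
        "InternalUrl": "https://lab01.contoso.com/EWS/Exchange.asmx",
        "ExternalUrl": "",
        "InternalNLBBypassUrl": "https://lab01.contoso.com/EWS/Exchange.asmx",
    },
}

if __name__ == "__main__":
    for server, bad in find_uncovered_urls(SAMPLE_VDIRS, SAMPLE_CERT_NAMES).items():
        for kind, url in bad:
            print(f"{server}: {kind} host not covered by certificate: {url}")
```

Any URL the script flags is one a validating CAS-to-CAS proxy client would reject with the error quoted above. The remediation that keeps validation on is to make the certificate cover those host names (or point the bypass URL at a name the certificate already covers) rather than turning the check off; the comparison logic is the same one a client performs, so it can be fed the output of the Exchange virtual-directory and certificate cmdlets instead of the sample data.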

Answers

All replies