How Transport Selects Certificates for TLS


Understanding how certificates are selected for a Transport Layer Security (TLS) session will help you troubleshoot TLS issues. Since we shipped Exchange 2007, support engineers Jenny Frye and Stuart Presley have been helping customers work through issues around deploying Domain Security and using TLS to connect Hub Transport servers and Edge Transport servers and to enable POP and IMAP clients to encrypt traffic with Hub servers.

To help diagnose the issues that early adopters were encountering, Stuart carefully reviewed the certificate selection piece of the transport code. He provided a set of rough documentation that outlined the steps that Exchange Transport goes through to select the appropriate certificate for TLS.

Then Jenny took Stuart’s documentation, created some great flow charts, and polished up the wording to make it more useful for the IT admin. The result is published in this month’s Exchange 2007 Help documentation update at TLS Certificate Selection. To download all updated Exchange 2007 Help documentation, go to Microsoft Exchange Server 2007 Help at the Microsoft Download Center.

Thanks to Stuart and Jenny for this rich addition to our core documentation. It’s exactly what we needed!

And now, here’s a peek at the flow chart that Jenny created for the inbound anonymous TLS certificate selection process.

To see the full description that accompanies this flowchart, and to learn more about inbound STARTTLS and Outbound Anonymous certificate selection, check out TLS Certificate Selection.


Again, thanks to Jenny and Stuart for taking the time to document this and help us include this in our core documentation.

John Speare

Comments (4)
  1. Carmelo lisciotto says:

    Not a big fan of the Active Sync…

    Carmelo Lisciotto

  2. Reese MCSE says:

    So I already have 1 Exchange 2007 server that coexists with 4 other Exchange 2003 servers. Everything has been working fine. I just installed a new Exchange 2007 server in a new AD site. For some reason email will not deliver between my two Exchange 2007 servers that reside in separate AD sites. I see messages building up in the queues that are named according to the remote site, so it appears that they know where to route the messages, but the error is 451 4.4.0 Primary target IP address responded with: "421 4.4.3 Connection dropped" is specified.

    I am seeing the event ID 1037 in the event logs. My Hub transport servers have both Exchange and PKI (enterprise root CA) certificates.

    Is this an easy fix?

  3. alonn says:

    having the same problem too.. but didn’t find anything yet..

  4. Stuart Presley says:

    Reese, Alonn,

    Generally speaking, the 1037 events are usually harmless. The text of the event is very misleading and has actually been removed altogether in later builds (post RTM).

    Usually these events occur because a new PKI certificate has been installed on the server that has the FQDN of the computer listed in the CertificateDomains but the SMTP service is not enabled on it.

    To rectify the 1037 event you can enable the SMTP Service on the PKI certificate. Unfortunately, creating a new self-signed certificate will not help as long as a valid PKI certificate with the FQDN of the machine is installed. In cases where you might also be running NLB on the server, if you have a certificate installed that contains the NLB cluster name you will get the above event. Unfortunately there’s no way around this event in those cases short of installing a new PKI certificate with the physical FQDN and SMTP service enabled.
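As an added example (not from the post or from Stuart's comment), here is an Exchange Management Shell check for the condition he describes: a certificate whose CertificateDomains lists the server's FQDN but whose Services does not include SMTP. It uses the Exchange 2007 cmdlets Get-ExchangeCertificate and Enable-ExchangeCertificate; the remediation step runs with -WhatIf so the script only reports until you have confirmed which certificate transport should present.

```powershell
# Added example (not from the post): find certificates that match the
# condition Stuart describes for event 1037 -- a certificate whose
# CertificateDomains lists this server's FQDN but that is not enabled
# for the SMTP service. Run in the Exchange 2007 Management Shell on the
# Hub Transport server that logs the event.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$candidates = Get-ExchangeCertificate | Where-Object {
    # CertificateDomains holds the subject and SAN names the cert covers
    ($_.CertificateDomains -contains $fqdn) -and
    # Services is a flag set such as "IMAP, POP, IIS, SMTP" or "None"
    ($_.Services.ToString() -notmatch '\bSMTP\b')
}

if (-not $candidates) {
    Write-Host "No certificate for $fqdn lacks the SMTP service; look elsewhere for the 1037 cause."
    return
}

foreach ($cert in $candidates) {
    Write-Host ("Thumbprint : {0}" -f $cert.Thumbprint)
    Write-Host ("Subject    : {0}" -f $cert.Subject)
    Write-Host ("SelfSigned : {0}" -f $cert.IsSelfSigned)
    Write-Host ("Expires    : {0}" -f $cert.NotAfter)
    Write-Host ("Services   : {0}" -f $cert.Services)
    Write-Host ""
}

# Remediation from the comment: enable SMTP on the PKI (not self-signed)
# certificate. -WhatIf makes this a dry run; drop it once you have checked
# that the certificate, its expiry and its trust chain are what you want
# transport to present to peers.
$candidates | Where-Object { -not $_.IsSelfSigned } | ForEach-Object {
    Enable-ExchangeCertificate -Thumbprint $_.Thumbprint -Services SMTP -WhatIf
}
```

If the only match carries the NLB cluster name rather than the physical FQDN, the script will report nothing, which is the case Stuart says cannot be fixed without a new certificate.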
