question

oldschoola410-1263 asked:

hybrid configuration wizard says certificate has no smtp services

I am running the Hybrid Configuration Wizard on a dedicated Exchange 2019 hybrid server to move the role off an existing 2013 hybrid server.
Currently on-prem we still have Exchange 2013 servers and also 2019 servers.

When I get to the point where the HCW runs all the commands to create connectors, I get this error saying "given certificate is not enabled for smtp protocol".
During the HCW it only lets me select one certificate; it is a 3rd-party wildcard (the same cert is installed on the other servers). The cert has the root CA in the trusted folder.


HCW0 - PowerShell failed to invoke 'Set-SendConnector': The given certificate is not enabled for SMTP protocol. Only certificates enabled for SMTP protocol can be set on Send Connectors. To enable a certificate for SMTP, please use 'Enable-ExchangeCertificate' cmdlet. {CategoryInfo={Activity=[System.String] Set-SendConnector,Category=[System.Management.Automation.ErrorCategory] InvalidOperation,Reason=[System.String] InvalidOperationException,TargetName=[System.String] Outbound to Office 365,TargetType=[System.String] ADObjectId},ErrorDetails=,Exception=[System.Management.Automation.RemoteException] The given certificate is not enabled for SMTP protocol. Only certificates enabled for SMTP protocol can be set on Send Connectors. To enable a certificate for SMTP, please use 'Enable-ExchangeCertificate' cmdlet.,FullyQualifiedErrorId=[System.String] [Server=hybrid100RequestId=cdf36830-7128-4be1-bbab-9c8e8194a4d6,TimeStamp=8/2/2020 3:59:17 AM] [FailureCategory=Cmdlet-InvalidOperationException] 8E5C345C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetSendConnector} The source Transport servers specified for the connector aren't in the same Active Directory site.

When I run the Enable-ExchangeCertificate command on that dedicated new hybrid 2019 server, it says that the certificate thumbprint does have IIS and SMTP associated with it, yet I continue to get the error above and it does not let me finish the configuration.


Tags: office-exchange-online-itpro, office-exchange-hybrid-itpro

@oldschoola410-1263
Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics.


Came across this issue in our environment trying to add new servers to an existing send connector. The cmdlet I was using was Set-SendConnector -SourceTransportServers @{add='SERVERNAME'}, which in effect re-adds all existing servers and the new server to the connector. I found that the error was not related to the new server, but somehow one of the existing servers did not have the SMTP service assigned to the cert used by the send connector. Running Enable-ExchangeCertificate on the existing server and then re-running the additions to the send connector resolved the issue.


1 Answer

KyleXu-MSFT answered:

Try running the command below on your Exchange 2019 server, find the correct information for the certificate on that server, and make sure this certificate is valid:

 Get-ExchangeCertificate | fl Thumbprint,Services,Subject,Status

I also tried re-enabling SMTP on a certificate that already had the "SMTP" service; I don't get any warning about it:
15603-snipaste-2020-08-05-10-08-19.png

Could you provide detailed information about the certificate on your Exchange 2019 server? It may help us narrow it down.

Here is also a related KB about a certificate error when running the HCW: "Confirm Hybrid Certificate has IIS and SMTP services assigned to it" error when you run the Exchange Hybrid Configuration Diagnostic



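The answer above checks the certificate on the new 2019 server only, while the comment on the question found the real cause on one of the other source transport servers of the send connector. The following script, an added example that is not from the thread or from Microsoft, walks every server listed in the connector's SourceTransportServers, reports whether the given thumbprint is installed, valid and enabled for SMTP there, and can enable it where it is missing. It also checks the second message in the HCW error, that all source servers must be in the same Active Directory site. The connector name defaults to the one shown in the error; the thumbprint is an assumed input you take from Get-ExchangeCertificate. Run it from the Exchange Management Shell.

```powershell
# Test-HybridSmtpCert.ps1 (hypothetical script name). Added example, not thread code.
param(
    [string]$ConnectorName = 'Outbound to Office 365',   # connector name from the HCW error
    [Parameter(Mandatory)][string]$Thumbprint,           # thumbprint of the wildcard cert (assumed input)
    [switch]$Apply                                       # without -Apply the script only reports
)

$connector = Get-SendConnector -Identity $ConnectorName -ErrorAction Stop
$servers   = @($connector.SourceTransportServers | ForEach-Object { $_.Name })

# Check 1: "The source Transport servers specified for the connector aren't in the
# same Active Directory site." All source servers must resolve to one AD site.
$sites = @($servers | ForEach-Object { (Get-ExchangeServer -Identity $_).Site.Name } |
          Sort-Object -Unique)
if ($sites.Count -gt 1) {
    Write-Warning "Source transport servers span several AD sites: $($sites -join ', ')"
}

# Check 2: "The given certificate is not enabled for SMTP protocol." Set-SendConnector
# validates the certificate on EVERY source server, so each one is inspected, not only
# the new hybrid server where Enable-ExchangeCertificate was already run.
foreach ($server in $servers) {
    $cert = Get-ExchangeCertificate -Server $server -Thumbprint $Thumbprint `
                                    -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "$server : certificate $Thumbprint is not installed"
        continue
    }

    # Services is a flags value such as "IIS, SMTP"; match on its string form.
    $hasSmtp = $cert.Services.ToString() -match 'SMTP'

    [pscustomobject]@{
        Server      = $server
        Subject     = $cert.Subject
        Status      = $cert.Status          # expect 'Valid'; anything else is a chain/date problem
        Services    = $cert.Services
        SmtpEnabled = $hasSmtp
    }

    if (-not $hasSmtp -and $Apply) {
        # -Force suppresses the prompt about replacing the default SMTP certificate.
        Enable-ExchangeCertificate -Server $server -Thumbprint $Thumbprint -Services SMTP -Force
    }
}
```

Run it once without -Apply to get a per-server table; a row with SmtpEnabled False, or a Status other than Valid, is the server the HCW is tripping over. Re-run with -Apply to enable SMTP on those servers, then re-run the wizard.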

Here is a pic of the Get- command run off the hybrid server. The certificate I'm using is the 3rd-party wildcard that's highlighted in the screenshot below. As you can see, it has IIS and SMTP assigned.
The cert is a 3rd-party-signed public CA wildcard cert. The CA is a trusted CA on the server. It is the same wildcard assigned to all my other Exchange servers with no issue.
I ran through the article you posted prior to posting on here and followed those commands to "reapply" the settings, but still the same issue happens.

15645-8-4-2020-10-46-05-pm.jpg



OK, after rerunning, it decided to go through the wizard completely, now with no error.
The only thing I'm seeing now is that when I use the Exchange connectivity tester to test OAuth, I get this error:

When I run the Get-AuthServer command on my hybrid server, I get the 2nd screenshot below. One thing I noticed from that connectivity test is that the X-FEServer that responds is not the hybrid server. Does this matter? My autodiscover.company.com and hybrid.company.com entries are pointed to my 2019 hybrid server, and my activesync.company.com is pointed to the 2013 ActiveSync/CAS server.

15722-image.png



Glad to see the original question is solved now. About the new question, I would suggest you create a new thread and continue to discuss it there. It will be better for other users searching for a suitable answer.

Here is information that will be useful for your new question: How to configure Exchange Server on-premises to use Hybrid Modern Authentication

