I literally have no idea of what to do with this error. I only see it when I restart the our Exchange 2013 Front End server.

Log Name:      Application
Source:        MSExchange Certificate Notification
Date:          9/20/2013 2:28:46 PM
Event ID:      2001
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      front end server
Description:
A transient failure has occurred. The problem may resolve itself. Diagnostic information:

Microsoft.Exchange.Data.DataSourceOperationException: The request failed. The remote server returned an error: (401) Unauthorized. ---> Microsoft.Exchange.WebServices.Data.ServiceRequestException: The request failed. The remote server returned an error: (401) Unauthorized. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse()
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request)
   at Microsoft.Exchange.WebServices.Data.ExchangeService.InternalFindFolders(IEnumerable`1 parentFolderIds, SearchFilter searchFilter, FolderView view, ServiceErrorHandling errorHandlingMode)
   at Microsoft.Exchange.WebServices.Data.ExchangeService.FindFolders(FolderId parentFolderId, SearchFilter searchFilter, FolderView view)
   at Microsoft.Exchange.Data.Storage.Management.EwsStoreDataProvider.InvokeServiceCall[T](Func`1 callback)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Storage.Management.EwsStoreDataProvider.InvokeServiceCall[T](Func`1 callback)
   at Microsoft.Exchange.Data.Storage.Management.EwsStoreDataProvider.GetOrCreateFolderCore(String folderName, FolderId parentFolder, Func`1 creator)
   at Microsoft.Exchange.Data.Storage.Management.AsyncOperationNotificationDataProvider.GetDefaultFolder()
   at Microsoft.Exchange.Data.Storage.Management.EwsStoreDataProvider.<>c__DisplayClass1b`1.<InternalFindPaged>b__13()
   at Microsoft.Exchange.Data.Storage.Management.EwsStoreDataProvider.InvokeServiceCall[T](Func`1 callback)
   at Microsoft.Exchange.Data.Storage.Management.EwsStoreDataProvider.<InternalFindPaged>d__21`1.MoveNext()
   at Microsoft.Exchange.Data.Storage.Management.AsyncOperationNotificationDataProvider.<GetNotificationDetails>d__57.MoveNext()
   at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()
   at Microsoft.Exchange.Servicelets.CertificateNotificationServicelet.RemoveAllNotification()
   at Microsoft.Exchange.Servicelets.CertificateNotificationServicelet.UpdateDataInMbx(List`1 certificates)
   at Microsoft.Exchange.Servicelets.CertificateNotificationServicelet.Work()

• Edited by netlander Friday, September 20, 2013 7:03 PM

Looks like there's a problem with the CAS (front-end) server accessing data via the EWS virtual directory on the Mailbox (back-end) server.  Are you seeing any issues using OWA or any other client-access issues?  Is the only symptom this error?

Not that I know of, but this is a new production implementation of 2013, I'm still testing all systems before rolling it out to the public.

I'd be curious to know if you can connect to the EWS endpoint on your mailbox server, navigate in your web browser to https://<CASFQDN>/EWS/Exchange.asmx , authenticate, do you see a page like in my next post?

• Edited by Jesse Tedoff - MSFTMicrosoft employee Tuesday, September 24, 2013 5:02 AM

Yes, that is the exact page I get.

We're in the same boat.  This is a production installation, running on Windows Server 2012, that we've been getting that error on for months.  We just updated to CU3 and the error is still there.  It doesn't seem to impact anything as far as I can see, so I'm not certain that it matters.

For what it's worth, we use a single certificate for the IIS,POP,IMAP,SMTP services on all of our CAS servers.  It's issued from our internal CA and has ~13 entries in the SAN for various purposes.  It was issued from a custom template that we use for various purposes, so it's possible there's something about the certificate that something somewhere doesn't like.   Unfortunately the error doesn't seem to contain any specifics, so it's difficult to tell what's happening.

The event immediately after the error is information event 2002:
A round of expiration check has finished. The next round is scheduled at...

Also at the same time there is a warning in the system log for Event 6037, LSA (LsaSrv)

The program w3wp.exe, with the assigned process ID 2804, could not authenticate locally by using the target name HTTP/owa.langslb.domain.com. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
 
 Try a different target name.

The address is the address used by our hardware load balancer for our CAS servers.  The IP for the name will be one of the CAS.  On reboot, even if the load balancer doesn't have time to detect one of the systems being offline, it would have a percentage chance of getting the IP of an already online system. 

We have the same error. According to MS this is transient;

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=2001&EvtSrc=MSExchange+RPC+Over+HTTP+Autoconfig&LCID=1033

It is not, we see it at the same time each day on all 2013 CAS Servers

Our WebServicesVirtualDirectory Authentication settings are:

InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl                   : https://company.com/EWS/Exchange.asmx
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalUrl                   :
CertificateAuthentication     :
LiveIdNegotiateAuthentication :
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True
OAuthAuthentication           : True
AdfsAuthentication            : False

Does anyone know if this is incorrect?

Thanks

We're in the same boat.  This is a production installation, running on Windows Server 2012, that we've been getting that error on for months.  We just updated to CU3 and the error is still there.  It doesn't seem to impact anything as far as I can see, so I'm not certain that it matters.

For what it's worth, we use a single certificate for the IIS,POP,IMAP,SMTP services on all of our CAS servers.  It's issued from our internal CA and has ~13 entries in the SAN for various purposes.  It was issued from a custom template that we use for various purposes, so it's possible there's something about the certificate that something somewhere doesn't like.   Unfortunately the error doesn't seem to contain any specifics, so it's difficult to tell what's happening.

The event immediately after the error is information event 2002:
A round of expiration check has finished. The next round is scheduled at...

Also at the same time there is a warning in the system log for Event 6037, LSA (LsaSrv)

The program w3wp.exe, with the assigned process ID 2804, could not authenticate locally by using the target name HTTP/owa.langslb.domain.com. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
 
 Try a different target name.

The address is the address used by our hardware load balancer for our CAS servers.  The IP for the name will be one of the CAS.  On reboot, even if the load balancer doesn't have time to detect one of the systems being offline, it would have a percentage chance of getting the IP of an already online system. 

I have the exact same error with Exchange 2013 CU3 CAS servers. can any one explain what is that about? and how to resolve it?