Problems Creating Exchange CSR For Certificate
I'm very new to Exchange management. I must be doing something wrong, but I cannot figure out what.

I have SBS2008 and then running Exchange Server 2007. I want to get a real SSL certificate for my server for remote access to email. I have two FQDNs pointing to my server, so I think I need two certificates (or one, more expensive one ... GoDaddy single FQDN certs are only $12.99).

I'm running using the Domain Administrator I created during the building of Server. I did have to add this user to the Exchange Server Administrator group, but I'm reading that I need to also be part of the local administrator's group. Thing is, the Admin user does not appear on the normal user list -- and every time I try to add a different user, lsass.exe seems to go into a loop.

When I execute the New-ExchangeCertificate command, I'm getting the same response each time:

New-ExchangeCertificate : Either you cannot overwrite the output file C:\Certificates\certrequest.req because it is set to read-only or you have insufficient permissions to create this certificate request.
At line:1 char:24
+ New-ExchangeCertificate <<<< -generaterequest -keysize 2048 -subjectname "c=US, l=Milwaukee, s=Wisconsin, o=Steven Weber,cn=mailhost.company.com" -domainname mailhost.company.com -PrivateKeyExportable $true -Path C:\Certificates\certrequest.req
    + CategoryInfo : WriteError: (:) [New-ExchangeCertificate], ExportDestinati...ssionsException
    + FullyQualifiedErrorId : 14FDFA00,Microsoft.Exchange.Management.SystemConfigurationTasks.NewExchangeCertificate

Now, the system does create a blank file in that location, so clearly it can write there. I created this directory just before trying the first time as this Admin user, so clearly that user must own it.

I can find no support for this error code anywhere.

Any assistance is very greatly appreciated. Thanks!
Steve
March 2nd, 2010 10:33pm
Make sure your account is in the Exchange Organization Administrators group, log out, log in and try again.
-- Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
March 2nd, 2010 10:54pm
Hi Ed ...

Thanks for the reply and the suggestion.

The Administrator user has been assigned to the Roles: Exchange Organization Administrator, Exchange Recipient Administrator, Exchange View-Only Administrator, Exchange Public Folder Administrator, and Exchange Server Administrator. I logged out, and logged back in. Still no certificate came out.

One thing did change ... the FullQualifiedErrorID is now 14578EC4. Does that mean anything?

Again, my thanks to anyone who can help me.
Steve
March 4th, 2010 8:12am
Sorry, I've never encountered anything like what you're seeing, so I have no more ideas.
-- Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
March 4th, 2010 8:20am
Hi,
First, please ensure that the account has been delegated the Exchange Server Administrator role and the local Administrators group for the target server.
Add the full control permissions to the following directory for Administrators:
c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys
Note: Changed following permissions on the machinekeys folder: Security -> click advanced -> select administrators (which should be listed as having full permissions already) -> edit -> change the setting from "this folder only" to "this folder, subfolders and files"
Regards,
Xiu
March 4th, 2010 12:11pm
Hi Xiu ...

Thanks for the posting. I did what you suggested with respect to the machinekeys. A few errors were reported on what appeared to be some of the keys inside that folder, but overall, it appeared that it took. The Admin user is specifically listed.

However, I am still getting an error. Same text, different code: 1452F6CC

The big thing I cannot figure out is the idea that the administrator must be a member of the local Administrators group. This user is the one I set up during the initial setup of this SBS server. How can I look and see whether or not the user is a member of this group ... and more importantly, how do I add the user if, for some very strange reason ... the user is not.

Thanks again!
Steve
March 5th, 2010 6:12am
Oh, PS. I've even rebooted the server. No help.
March 5th, 2010 6:12am
Hi,
Do you mean that the user is not the local administrator? Then please use the local admin and then add the
Use the Local Users and Groups MMC console
Change the properties of the Administrator account by using the Local Users and Groups Microsoft Management Console (MMC).
Open the MMC console and select Local Users and Groups.
Right-click the Administrator group and select Properties. The Administrator Properties window appears.
On the General tab, click "ADD" to add the account to the administrator group.
Close the MMC console.
Besides, what do you mean "A few errors were reported..."? Please grant the full permission to the machinekeys folder, also check if it set "this folder, subfolders and files".
Regards,
Xiu
March 5th, 2010 10:46am
So I found, on a different site, the solution. A simple right-click and "Run As Administrator" on the Exchange Management Console program, and bingo, the certificate was created.
Thanks.
March 8th, 2010 2:09am
Glad to hear it works now.
Regards,
Xiu
March 8th, 2010 5:10am
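Added example, not part of the original thread: a PowerShell check, run from the Exchange Management Shell, that separates the two conditions discussed above (membership in the Administrators group versus an elevated "Run as administrator" session) before issuing the same certificate request as in the first post. It assumes English-language `whoami` output; the variable names are illustrative.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Tells apart "account is in Administrators" from "this session is elevated".

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Is this process running with an elevated (full) administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Is the account a member of Administrators at all?
#    In a non-elevated session under UAC the group is still in the token,
#    but whoami marks it "Group used for deny only" (English output assumed).
$groupLine = whoami /groups | Where-Object { $_ -match $adminSid }
$isMember  = [bool]$groupLine
$denyOnly  = [bool]($groupLine -match 'deny only')

Write-Host "User:                      $($identity.Name)"
Write-Host "In Administrators group:   $isMember"
Write-Host "Group is deny-only (UAC):  $denyOnly"
Write-Host "Session elevated:          $elevated"

if (-not $isMember) {
    Write-Warning "Account is not in BUILTIN\Administrators; add it to that group first."
} elseif (-not $elevated) {
    Write-Warning "Member of Administrators but not elevated; reopen the shell with 'Run as administrator'."
} else {
    # Same request as in the original post, issued only from an elevated session.
    New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
        -SubjectName "c=US, l=Milwaukee, s=Wisconsin, o=Steven Weber, cn=mailhost.company.com" `
        -DomainName mailhost.company.com -PrivateKeyExportable $true `
        -Path C:\Certificates\certrequest.req
}
```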