“Oi, Admin! you’re not as clever as you think you are!”, or, the importance of doing simple things right.

just had a call from a customer who was having terrible trouble exporting discovery search data to pst from Exchange 2013. The search was apparently running fine, but the download failed with a long error message.

[screenshot]

i asked for problem steps recorder output to see what they were doing… (this is from my repro):

[screenshot]

if you can spot what they’re doing wrong without reading the error message, well done. have a muttley medal.

this throws the error message:

    PLATFORM VERSION INFO
        Windows : 6.2.9200.0 (Win32NT)
        Common Language Runtime : 4.0.30319.34209
        System.Deployment.dll : 4.0.30319.34274 built by: FX452RTMGDR
        clr.dll : 4.0.30319.34209 built by: FX452RTMGDR
        dfdll.dll : 4.0.30319.34274 built by: FX452RTMGDR
        dfshim.dll : 6.3.9600.16384 (winblue_rtm.130821-1623)

    SOURCES
        Deployment url : https://localhost/ecp/15.0.1076.9/exporttool/<servername>/microsoft.exchange.ediscovery.exporttool.application?name=ce66od_1&ews=https%3A%2F%2Flocalhost%2Fews%2FExchange.asmx

    ERROR SUMMARY
        Below is a summary of the errors, details of these errors are listed later in the log.
        * Activation of https://localhost/ecp/15.0.1076.9/exporttool/<servername>/microsoft.exchange.ediscovery.exporttool.application?name=ce66od_1&ews=https%3A%2F%2Flocalhost%2Fews%2FExchange.asmx resulted in exception. Following failure messages were detected:
            + Downloading https://localhost/ecp/15.0.1076.9/exporttool/<servername>/microsoft.exchange.ediscovery.exporttool.application?name=ce66od_1&ews=https://localhost/ews/Exchange.asmx did not succeed.
            + The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
            + The remote certificate is invalid according to the validation procedure.

so… what’s wrong there? well, the remote certificate is invalid. fine… but it’s the local machine… the url says “localhost”…. oh… sigh.

they’ve done the standard admin shortcut of going to localhost because they can’t be bothered to type out the unfeasibly long servername, and the client then throws an error, because “localhost” isn’t a subject alternative name on the cert, unsurprisingly. the little red address bar in the screenshot above is a clue, there.

sure enough, when they use the servername in the url instead of localhost, everything works like a charm:

[screenshot]

the lesson there is “do things right”. localhost will throw errors with https other than just needing to click through a cert warning, so don’t use it. if you are using it, and you get weird behaviour, try attaching to the site with a url that is actually on the SSL certificate.
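
One way to check up front whether the host in a url is actually on the certificate, as an added example that is not part of the original post. The function names `Test-NameOnCert` and `Get-CertDnsNames`, the `contoso.example` names and the `ex01` short name are made up for illustration; the sample name list is constructed so the script runs without touching a server.

```powershell
# Added example; function names and the sample names below are constructed.

function Test-NameOnCert {
    # True if $HostName is covered by one of the certificate's DNS names.
    # A wildcard counts only as the whole left-most label and stands for exactly one label.
    param([string]$HostName, [string[]]$DnsNames)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($name in $DnsNames) {
        $n = $name.ToLowerInvariant().TrimEnd('.')
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $dot = $h.IndexOf('.')
            # Drop the first label of the host and compare the remainder with the part after "*"
            if ($dot -gt 0 -and $h.Substring($dot) -eq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

function Get-CertDnsNames {
    # Reads the DNS names from the certificate the server presents on $Port.
    param([string]$Server, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Validation is skipped here on purpose: the goal is to read the certificate, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
    # DnsNameList is the property Windows PowerShell adds to certificate objects
    # (subject name plus the DNS entries of the subject alternative name extension).
    $cert.DnsNameList | ForEach-Object { $_.Unicode }
}

# Constructed sample list; on a real server use: $names = Get-CertDnsNames -Server 'localhost'
$names = 'mail.contoso.example', '*.corp.contoso.example'
$urls  = 'https://localhost/ecp/', 'https://mail.contoso.example/ecp/',
         'https://ex01.corp.contoso.example/ecp/', 'https://ex01/ecp/'
foreach ($url in $urls) {
    $hostPart = ([uri]$url).Host
    '{0,-42} on cert: {1}' -f $url, (Test-NameOnCert -HostName $hostPart -DnsNames $names)
}
```

With the constructed list, only the two fully qualified urls come back as on the cert; `localhost` and the short name do not, which is the same mismatch the export tool trips over.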

also, a post script: when it says “if you experience problems, try clearing cookies and signing in again”, why not try clearing the cookies and signing in again, before you ring me up and tell me it doesn’t work? 😀


Comments

  • Andi  On June 3, 2016 at 2:39 pm

    I am an admin who did NOT take the lazy way out and I am still getting this error:
    1- for MS to think it is OK to default to an externally accessible management center with a default url in this day and age is incredulous to me
    2- I suspect we are not alone in deciding to create an alternate site on our exchange server for administrative purposes and turn the functionality off on the default site
    3- We have a wild card certificate on our exchange server which uses our external domain (*.org) and a MS AD cert for the internal domain name (server.*.local)
    4- I have downloaded said local certificate to my machine. I still get the same “unable to create secure connection” error regardless of the url I use (full internal name, short internal name, DNS alias, IP address). I also get the SAME error when working ON THE SERVER ITSELF (NOT using localhost).
    5- I am finding MANY people reporting the same problem. Unfortunately, I am NOT finding any answers
    6- It must really be an issue since CU11 &/or 12 claimed to have addressed it (they did not)

    Maybe instead of being so snarky, you might actually offer some assistance. Many of us are “Generalist” administrators who do not have a Masters in certificates and/or exchange so a little real help to make this work would be appreciated. Senior administration will be expecting this functionality to work for compliance purposes.

    Come on MS.

    Andi

  • Doug  On June 15, 2017 at 8:11 pm

    Apparently, polite people say HELO, but what do impolite bloggers say?

    Like Andi, I’m getting this error, and my URLs don’t say “localhost” in them. This is a pretty sarcastic blog entry that beats SysAdmins up instead of providing them with real help. I had hoped to find help here, and your article started out so great, only to end on a very disappointing note.

    • Nick P  On June 15, 2017 at 10:38 pm

      hi doug – you’re right. it is a pretty sarcastic blog entry. i’m sorry. i’ve been a sysadmin myself, and i spend 50 hours a week helping out other sysadmins, so… what can i say, if you spend a lot of time round sysadmins, you get to be a bit sysadminny. the reason for writing the post is that i have now seen this be the cause multiple times. after 14 years of it now, what i tend to find is that 95% of the time, people haven’t done the obvious, simple stuff.

      what’s the *exact* error you’re getting (click the details button on the popup)? is it certificate related? if so, is the url you are attaching to included on the cert, and have you tried clearing cookies, like it says? paste the error in a reply if you like.
