“Oi, Admin! you’re not as clever as you think you are!”, or, the importance of doing simple things right.

just had a call from a customer who was having terrible trouble exporting discovery search data to pst from Exchange 2013. The search was apparently running fine, but the download failed with a long error message.

[image]

i asked for problem steps recorder output to see what they were doing… (this is from my repro):

[image]

if you can spot what they’re doing wrong without reading the error message, well done. have a muttley medal.

this throws the error message:

PLATFORM VERSION INFO
    Windows : 6.2.9200.0 (Win32NT)
    Common Language Runtime : 4.0.30319.34209
    System.Deployment.dll : 4.0.30319.34274 built by: FX452RTMGDR
    clr.dll : 4.0.30319.34209 built by: FX452RTMGDR
    dfdll.dll : 4.0.30319.34274 built by: FX452RTMGDR
    dfshim.dll : 6.3.9600.16384 (winblue_rtm.130821-1623)
SOURCES
    Deployment url : https://localhost/ecp/15.0.1076.9/exporttool/<servername>/microsoft.exchange.ediscovery.exporttool.application?name=ce66od_1&ews=https%3A%2F%2Flocalhost%2Fews%2FExchange.asmx
ERROR SUMMARY
    Below is a summary of the errors, details of these errors are listed later in the log.
    * Activation of https://localhost/ecp/15.0.1076.9/exporttool/<servername>/microsoft.exchange.ediscovery.exporttool.application?name=ce66od_1&ews=https%3A%2F%2Flocalhost%2Fews%2FExchange.asmx resulted in exception. Following failure messages were detected:
        + Downloading https://localhost/ecp/15.0.1076.9/exporttool/<servername>/microsoft.exchange.ediscovery.exporttool.application?name=ce66od_1&ews=https://localhost/ews/Exchange.asmx did not succeed.
        + The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
        + The remote certificate is invalid according to the validation procedure.

so… what’s wrong there? well, the remote certificate is invalid. fine… but it’s the local machine… the url says “localhost”…. oh… sigh.

they’ve done the standard admin shortcut of going to localhost because they can’t be bothered to type out the unfeasibly long servername, and the client then throws an error, because “localhost” isn’t a subject alternative name on the cert, unsurprisingly. the little red address bar in the screenshot above is a clue, there.

sure enough, when they use the servername in the url instead of localhost, everything works like a charm:

[image]

the lesson there is “do things right”. localhost will throw errors with https other than just needing to click through a cert warning, so don’t use it. if you are using it, and you get weird behaviour, try attaching to the site with a url whose hostname is actually on the SSL certificate.
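The name check behind that error, as an added example (not code from the original post): it takes the hostname out of a url and compares it with a certificate's subject alternative names the way a TLS client does, and it goes slightly beyond the localhost case by also covering short names, IP addresses and wildcard entries. The SAN list, the `exch01` server name and the function names are assumptions made up for illustration.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed SAN list for illustration; read the real one from the
# certificate bound to the site (Subject Alternative Name extension).
SAN_DNS_NAMES = ["mail.example.org", "*.corp.example.org"]


def dns_name_matches(host: str, pattern: str) -> bool:
    """Compare one hostname with one dNSName entry.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label, so *.corp.example.org covers exch01.corp.example.org
    but not corp.example.org or a.b.corp.example.org.
    """
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return bool(h[0]) and h[1:] == p[1:]
    return h == p


def matching_san(url: str, san_dns_names: List[str]) -> Optional[str]:
    """Return the SAN entry that covers the host in url, or None."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return None  # an IP literal is never covered by a dNSName entry
    except ValueError:
        pass  # not an IP address, so compare it as a DNS name
    for pattern in san_dns_names:
        if dns_name_matches(host, pattern):
            return pattern
    return None


if __name__ == "__main__":
    for url in (
        "https://localhost/ecp/",                # the shortcut from the post
        "https://exch01/ecp/",                   # short name
        "https://192.0.2.10/ecp/",               # IP address
        "https://exch01.corp.example.org/ecp/",  # covered by the wildcard
        "https://mail.example.org/ecp/",         # exact SAN entry
    ):
        print(f"{url:40} -> {matching_san(url, SAN_DNS_NAMES) or 'no match'}")
```

Only the last two urls find a matching entry; the first three are the names that produce "The remote certificate is invalid according to the validation procedure" unless the certificate lists them explicitly.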

also, a post script: when it says “if you experience problems, try clearing cookies and signing in again”, why not try clearing the cookies and signing in again, before you ring me up and tell me it doesn’t work? 😀


Comments

  • Andi  On June 3, 2016 at 2:39 pm

    I am an admin who did NOT take the lazy way out and I am still getting this error:
    1- for MS to think it is OK to default to an externally accessible management center with a default url in this day and age is incredulous to me
    2- I suspect we are not alone in deciding to create an alternate site on our exchange server for administrative purposes and turn the functionality off on the default site
    3- We have a wild card certificate on our exchange server which uses our external domain (*.org) and a MS AD cert for the internal domain name (server.*.local)
    4- I have downloaded said local certificate to my machine. I still get the same “unable to create secure connection” error regardless of the url I use (full internal name, short internal name, DNS alias, IP address). I also get the SAME error when working ON THE SERVER ITSELF (NOT using localhost).
    5- I am finding MANY people reporting the same problem. Unfortunately, I am NOT finding any answers
    6- It must really be an issue since CU11 &/or 12 claimed to have addressed it (they did not)

    Maybe instead of being so snarky, you might actually offer some assistance. Many of us are “Generalist” administrators who do not have a Masters in certificates and/or exchange so a little real help to make this work would be appreciated. Senior administration will be expecting this functionality to work for compliance purposes.

    Come on MS.

    Andi
