Tuesday 19 August 2014

Exchange 2013 Client Access Servers (CAS) using Single Namespace and Windows Network Load Balancing (NLB) "An error occurred while using SSL configuration for endpoint 0.0.0.0:443. The error status code is contained within the returned data".

Exchange 2013 Client Access Servers (CAS) using Single Namespace and Windows Network Load Balancing (NLB) "An error occurred while using SSL configuration for endpoint 0.0.0.0:443. The error status code is contained within the returned data".

You have recently just completed a new Certificate Request in Exchange 2013, the certificate seems to have bound correctly to the Client Access Server (CAS) in which you raised the request, although some users cannot connect to Outlook Web App (OWA) or Outlook. There are two Client Access Servers (CAS) in the environment, load balanced using Network Load Balancing (NLB). On investigating the certificates on the second CAS (not the server that the request was raised on), the Event Logs are filled with the following error "An error occurred while using SSL configuration for endpoint 0.0.0.0:443. The error status code is contained within the returned data" to get users working and to take the pressure of me to fix the issue I used nlbmgr.exe to Stop the problematic host, thus passing all Client Access traffic through only a single CAS.
 

The error "An error occurred while using SSL configuration for endpoint 0.0.0.0:443. The error status code is contained within the returned data" is caused by a conflicting binding in IIS. Therefore I opened an MMC to view the Certificates, it appeared the newly installed public certificate had not been installed correctly on the secondary CAS, the private key associated to the certificate was not found. I removed this certificate and used the MMC on the working CAS server to Export the working Certificate.
 
The wizard is self-explanatory but ensure the Yes, Export the Private Key radio button is selected, click Next.
 

I then used the MMC on the problematic server to import the Certificate with it's Private Key, you can do this by right clicking on the Personal/Certificates store and selecting Import.
 

Now that both of the Client Access Servers have the correct certificate with corresponding private key, it should be viewable by it's Friendly Name from the ECP. You will notice the IIS service is currently assigned to this certificate, and it was working correctly on the original CAS server.
 
 

The next stage was to manually reconfigure the Bindings in IIS on the problematic server, from the IIS Manager GUI click on Default Web Site and click Bindings... from the right hand menu. On the working CAS the bindings were are follows, please note 10.10.7.34 is the VIP of the NLB cluster. I therefore reconfigured the problematic server to match this configuration.
 
HTTP to 10.10.7.34 on Port 80 with No Hostname.
 

HTTPS binding to IP Address 10.10.7.34 on Port 443, with the Hostname mail.domain.com and the SSL Certificate bound should match the Friendly Name of your Certificate request viewable from the ECP.
 
HTTPS with No IP on Port 443, again using the same Friendly Named SSL Certificate.
 

Once this was completed I restarted the IIS Service, and the "An error occurred while using SSL configuration for endpoint 0.0.0.0:443. The error status code is contained within the returned data". was no longer filling the Event Logs. I also went back into NLB Manager and started the problematic CAS again, to test thoroughly I open Internet Explorer and browsed to OWA and checked the Certificates status.