APPLIES TO: 2016, 2019, Subscription Edition
Important
Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019 will reach end of support on Oct 14, 2025. To stay supported, you need to upgrade. For more information, see End of Support for Exchange 2016 and Exchange Server 2019.
The selection of an inbound anonymous Transport Layer Security (TLS) certificate occurs in the following scenarios:
- Simple Mail Transfer Protocol (SMTP) sessions between Microsoft Edge Transport servers and Mailbox servers for authentication.
- SMTP sessions between mailbox servers.
For communication between Mailbox servers, X-ANONYMOUSTLS and the public keys from the servers' certificates are used to encrypt the session. After the session is encrypted, Kerberos authentication takes place between the servers. When an SMTP session is established, the Receiving server initiates a certificate selection process to determine which certificate to use in the TLS negotiation. The Sending server also performs a certificate selection process; for more information, see Selection of Outbound Anonymous TLS Certificates.
This article describes the selection process for inbound anonymous TLS certificates. All the steps are performed on the Receiving server. The following figure shows the steps of this process:
The steps depicted in the preceding diagram are explained here:
1. When the SMTP session is established, Microsoft Exchange calls a process to load the certificates.

2. In the "load certificate" function, the Receive connector to which the session is connected is checked to see whether its AuthMechanism property includes the value ExchangeServer. ExchangeServer must already be enabled as an authentication mechanism for this check to pass; if it isn't, you can enable it by selecting Exchange Server authentication on the Authentication tab. When ExchangeServer isn't enabled as an authentication mechanism, the Mailbox server doesn't advertise X-ANONYMOUSTLS to the Sending server in the SMTP session, which prevents the certificate from loading.

   Note
   If the AuthMechanism property isn't set to a value of ExchangeServer, you can set it on the Receive connector to ExchangeServer using the Set-ReceiveConnector command.

3. Microsoft Exchange queries the Active Directory service to retrieve the thumbprint of the certificate on the server. The msExchServerInternalTLSCert attribute on the server object stores the certificate thumbprint.

   If the msExchServerInternalTLSCert attribute can't be read or if its value is null, Microsoft Exchange doesn't advertise X-ANONYMOUSTLS and no certificate is loaded.

   If the msExchServerInternalTLSCert attribute can't be read, view its current value by running the following command:

   Get-TransportService -Identity <Mailbox Server Name> | ft InternalTransportCertificateThumbprint

   If the msExchServerInternalTLSCert attribute's value is null, you can update it by assigning or reassigning the SMTP service to the certificate you want to use as the Internal Transport Certificate. To assign or reassign the SMTP service, run the following command:

   Enable-ExchangeCertificate -thumbprint <Certificate thumbprint> -Services SMTP

   Note
   For more information about the Enable-ExchangeCertificate command, see Enable-ExchangeCertificate.

   If the msExchServerInternalTLSCert attribute can't be read or its value is null during startup of the Microsoft Exchange Transport service, rather than during an SMTP session, Event ID 12012 is logged in the Application log.

4. If a thumbprint is found, the certificate selection process searches the local computer certificate store for a certificate that matches the thumbprint. If the certificate isn't found, the server doesn't advertise X-ANONYMOUSTLS, no certificate is loaded, and Event ID 12013 is logged in the Application log.

5. After a certificate is loaded from the certificate store, it's checked to see whether it has expired: the Valid to field on the certificate is compared to the current date and time. If the certificate has expired, Event ID 12015 is logged in the Application log, but the certificate selection process doesn't fail, and the server still advertises AnonymousTLS.
Important
If the certificate has expired, you must renew the certificate irrespective of the certificate selection process failing or getting completed successfully. For information on how to renew the certificate, see Renew an Exchange Server certificate.
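The selection steps above double as a health check an administrator can run before an inbound session fails. The following script is an added example, not part of the Microsoft article or the Exchange product: it walks the same checks from the Exchange Management Shell on a Mailbox server (Receive connector AuthMechanism, the stored thumbprint, presence in the local computer store, expiry) and then pulls the three Event IDs the article names from the Application log. It assumes the Exchange cmdlets are loaded and that it runs on the server being checked; the seven-day event window and the rule that every connector is reviewed are choices made here, not requirements of Exchange.

```powershell
# Added example (not Microsoft's code): replay the inbound anonymous TLS certificate
# selection checks on a Mailbox server and report anything that would block X-ANONYMOUSTLS.
# Assumes the Exchange Management Shell is loaded and the script runs on the target server.
param(
    [string]$Server = $env:COMPUTERNAME
)

$problems = New-Object System.Collections.Generic.List[string]

# Step 2: a Receive connector only advertises X-ANONYMOUSTLS when its AuthMechanism
# includes ExchangeServer. Every connector on the server is reviewed here; connectors that
# never receive server-to-server traffic can be ignored in the output.
foreach ($rc in Get-ReceiveConnector -Server $Server) {
    if ("$($rc.AuthMechanism)" -notmatch 'ExchangeServer') {
        $problems.Add("Receive connector '$($rc.Identity)' lacks ExchangeServer (AuthMechanism = $($rc.AuthMechanism)); fix with Set-ReceiveConnector")
    }
}

# Step 3: the thumbprint stored in msExchServerInternalTLSCert is exposed as
# InternalTransportCertificateThumbprint on the transport service object.
$thumb = (Get-TransportService -Identity $Server).InternalTransportCertificateThumbprint
if ([string]::IsNullOrEmpty($thumb)) {
    $problems.Add('InternalTransportCertificateThumbprint is null (Event ID 12012 at service start); assign SMTP with Enable-ExchangeCertificate -Services SMTP')
}
else {
    # Step 4: the thumbprint must resolve to a certificate in the local computer store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $problems.Add("No certificate with thumbprint $thumb in Cert:\LocalMachine\My (expect Event ID 12013)")
    }
    elseif ($cert.NotAfter -lt (Get-Date)) {
        # Step 5: an expired certificate is still advertised, but it must be renewed.
        $problems.Add("Internal transport certificate $thumb expired on $($cert.NotAfter) (expect Event ID 12015); renew it")
    }
}

# Correlate with the Application log entries the article associates with each failure path.
# The seven-day window is an assumption of this script.
$filter = @{ LogName = 'Application'; Id = 12012, 12013, 12015; StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`n")[0]
    $problems.Add("Event $($e.Id) at $($e.TimeCreated): $firstLine")
}

if ($problems.Count -eq 0) {
    Write-Output "Inbound anonymous TLS certificate checks passed on $Server (thumbprint $thumb)."
}
else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

Run it as `.\Check-InboundAnonymousTls.ps1 -Server MBX01` (the file name is arbitrary). Each reported line points at the step of the selection process that would fail and the remediation the article gives for it, so a clean run means the server will load its internal transport certificate and advertise X-ANONYMOUSTLS on the next inbound session.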
More information
For more information about how certificates are selected for other TLS scenarios, see the following articles: