Microsoft Exchange Client Access server “%1” attempted to proxy Outlook Web Access traffic to Client Access server “%2”. This failed because the Outlook Web Access registry key “AllowInternalUntrustedCerts” is set to “0”, but no certificate trusted by “%1” was available for the Secure Sockets Layer (SSL) encryption of the proxy connection.

Details
Product: Exchange
Event ID: 43
Source: MSExchange OWA
Version: 8.0
Symbolic Name: ProxyErrorSslTrustFailure
Message: Microsoft Exchange Client Access server “%1” attempted to proxy Outlook Web Access traffic to Client Access server “%2”. This failed because the Outlook Web Access registry key “AllowInternalUntrustedCerts” is set to “0”, but no certificate trusted by “%1” was available for the Secure Sockets Layer (SSL) encryption of the proxy connection.
   
Explanation

The Warning event indicates the computer that is running the Client Access server role could not proxy a Microsoft Office Outlook Web Access request from one Client Access server to a Client Access server that is located in a different Active Directory directory service site. This event occurs if the following conditions are true:

  • The security certificate presented by the remote proxying Client Access server is not trusted by the Client Access server that initiates the proxy request.

  • The Client Access server that initiates the proxy request does not allow untrusted security certificates for proxying.

In a Microsoft Exchange Server 2007 organization, a Client Access server can act as a proxy for other Client Access servers within the organization. This is useful if the following conditions are true:

  • Multiple Client Access servers are present in different Active Directory sites in an organization.

  • Only one Client Access server is exposed to the Internet.

By default, the proxying process allows the use of an untrusted security certificate to create a secure HTTPS connection. You can create the AllowInternalUntrustedCerts registry key to change the default behavior.

For more information about Outlook Web Access proxying and redirection, see Understanding Proxying and Redirection.

   
User Action

To resolve this warning, follow one of more of these steps:

  • Verify that the security certificate installed at Outlook Web Access virtual directories of the remote proxying Client Access server is from a trusted certifying authority.

  • Configure the Client Access server that initiates the proxy request to use an untrusted security certificate for proxying. You configure this setting by editing the registry.

    Caution   Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

  1. In Registry editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA.

  2. Double-click AllowInternalUntrustedCerts.

  3. Under Value data, type 1.

  4. Under Base, click Decimal.

  5. Close Registry Editor.

  6. Restart Internet Information Services (IIS) by using the command iisreset/noforce.

If you are not already doing so, consider running the tools that Microsoft Exchange offers to help administrators analyze and troubleshoot their Exchange environment. These tools can help you make sure that your configuration is in line with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. Go to the Toolbox node of the Exchange Management Console to run these tools now. For more information about these tools, see Toolbox in the Exchange Server 2007 Help.

Related:

Leave a Reply