Monday, March 13, 2017

Fixing Broken BackEnd Site

Hi folks,

I would love to share my recent experience with Remote PowerShell on an Exchange 2016 box. As you well know, since Exchange 2013, Exchange Server has used two web sites in IIS: Default Web Site and BackEnd. The former listens on ports 80 and 443, while the latter listens on ports 81 and 444.

In my case when I launched Exchange Management Shell I was greeted with the below error:


My investigation led me to the following error events in the System log:



And in the Application log:




The errors pointed to the BackEnd site, where the actual data rendering and processing takes place for all protocols, including PowerShell. While looking for a solution to this problem, I found this post and this TechNet article. According to it, we need to retrieve information about all certificates that are used by IIS. We will use the command below for that.

netsh http show sslcert

You will get output as below:



Once the output is retrieved, we need to record the certificate hash and application ID (appid) for 127.0.0.1:443. Usually I prefer to dump the output of the above command to a text file to make it easier. Also, I was not able to find the certificate listed for 0.0.0.0:444 in the certificate store of the affected server. So the certificate needs to be removed and replaced with the existing one, which is used for the Default Web Site.

After this, you will need to delete the certificate for the back-end site, represented by 0.0.0.0:444, by running the command below:

netsh http delete sslcert ipport=0.0.0.0:444

After the certificate has been removed, we need to configure the back-end web site to use the same certificate that is used by the Default Web Site. In the output above it is presented as 127.0.0.1:443.
Let's imagine that the certificate hash for 127.0.0.1:443 is 1234567890abcdef3456787asabaec4e8ba and the application ID is "{1abc2e345-a14b-4c22-b022-59fc885b0974}".

netsh http add sslcert ipport=0.0.0.0:444 certhash=1234567890abcdef3456787asabaec4e8ba appid="{1abc2e345-a14b-4c22-b022-59fc885b0974}"



Make sure that all the brackets and quotes are in place.
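
The check and repair described above, as an added PowerShell example that is not part of the original post: it parses the output of netsh http show sslcert, flags bindings whose certificate hash is missing from the server's certificate store, and prints (without running) the delete/add commands for 0.0.0.0:444. It assumes English netsh output and that the bound certificates live in LocalMachine\My; the function and variable names are illustrative.

```powershell
# Added example: audit http.sys SSL bindings against the local certificate store.
# Assumptions: English netsh output; certificates are in Cert:\LocalMachine\My.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP|Hostname):port\s*:\s*(\S+)') {
            # A new binding record starts; emit the previous one first.
            if ($current) { $current }
            $current = [pscustomobject]@{ IpPort = $Matches[2]; Hash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $current }
}

$bindings = ConvertFrom-NetshSslCert -Lines (netsh http show sslcert)
$store    = @(Get-ChildItem Cert:\LocalMachine\My)

$report = foreach ($b in $bindings) {
    # -eq is case-insensitive, so netsh's lowercase hash matches the thumbprint.
    $cert = $store | Where-Object { $_.Thumbprint -eq $b.Hash } | Select-Object -First 1
    [pscustomobject]@{
        IpPort        = $b.IpPort
        Hash          = $b.Hash
        AppId         = $b.AppId
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
}
$report | Format-Table -AutoSize

# Print the repair commands only when the back-end binding points at a
# certificate that is missing and the 127.0.0.1:443 certificate is present.
$front = $report | Where-Object IpPort -eq '127.0.0.1:443'
$back  = $report | Where-Object IpPort -eq '0.0.0.0:444'
if ($front -and $front.InStore -and $back -and -not $back.InStore) {
    "netsh http delete sslcert ipport=0.0.0.0:444"
    "netsh http add sslcert ipport=0.0.0.0:444 certhash=$($front.Hash) appid=`"$($front.AppId)`""
}
```

The parser also accepts a saved dump, for example ConvertFrom-NetshSslCert -Lines (Get-Content .\sslcert.txt), where sslcert.txt is a hypothetical file name for the text file mentioned above.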

I hope you will find this article helpful.

Enjoy!