Tags: azure-active-directory, office365, exchange-server, hybrid

Exchange 2016 Error assigning TlsCertificateName to Receive Connector


I have spent 10+ hours working with Microsoft's support to configure a hybrid setup between our On-Premises Exchange 2016 Server and Azure AD environments and am currently stuck on an error (see below) when trying to assign the TlsCertificateName value to the On-Premises Receive Connector.

These commands create a variable $TLSCertName that includes the certificate issuer and subject values:

$TLSCert = Get-ExchangeCertificate -Thumbprint <Thumbprint>
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
Set-ReceiveConnector "<Receive Connector Name>" -TlsCertificateName $TLSCertName

The error displayed when trying to execute this command is:

Cannot process argument transformation on parameter 'TlsCertificateName'. Cannot convert value "<TLSCertName>" to type "Microsoft.Exchange.Data.SmtpX509Identifier". Error:
""<TLSCertName>" isn't a valid Certificate Identifier."
+ CategoryInfo : InvalidData: (:) [Set-ReceiveConnector], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-ReceiveConnector
+ PSComputerName : <Server's FQDN>

Microsoft believes the problem is caused by some of the values in the certificate subject that contain quotes, i.e. OU="Hosted by CONTOSO, Inc.", O="CONTOSO, Inc.", thus causing the command to truncate the contents of the TLSCertName variable.

I have tried manually entering the argument instead of using the variable (with and without quotes), using single quotes, escaping the quotes (`"), but nothing has worked.

Has anyone come across this issue? I have tried researching online but haven't been able to find a solution.

Any help will be greatly appreciated!


Solution

  • So, after a few hours venturing on my own instead of working with Microsoft support I finally figured out the reason for the error by complete coincidence + guesswork.

    While reviewing values for the certificate's subject in EAC, I noticed when I clicked on the subject field a message popped up saying:

    "In the subject of the certificate, the important value is the common name (CN), which indicates the host that the certificate can be used for."

    The SSL certificate I'm using is a Multi-domain certificate, and since the common name can only contain up to one entry, the certificate uses a field called Subject Alternate Name (SAN) which allows multiple names to be included. Therefore, there is no CN field available in the subject.

    Exchange does not read/use the SAN field and wasn't accepting the command because of the missing CN (wish this was documented somewhere and their support knew it as well).

    The solution was to use the contents of the TLSCertName variable in the command, and manually add the CN value to the subject section, as in:

    <S>CN=contoso.com, OU=Multi-Domain SSL, OU="Hosted by CONTOSO, INC.", O="CONTOSO, Inc."...
    

    Keep in mind the CN must exist in the SAN per standard mandates. You can read more information about this in https://support.dnsimple.com/articles/what-is-common-name/

    Hope this helps someone looking for an answer for the same problem.

    Now off to solve the issue that depended on this!
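An added PowerShell example (not part of the original question or answer) that builds the "<I>issuer<S>subject" identifier and, when the subject has no CN, inserts one taken from the certificate's SAN before calling Set-ReceiveConnector; it assumes the object returned by Get-ExchangeCertificate exposes a CertificateDomains property listing the SAN names, and the Thumbprint and connector name are placeholders.

```powershell
# Added example: build a TlsCertificateName for Set-ReceiveConnector from a
# certificate whose subject may lack a CN (multi-domain / SAN certificates).
# <Thumbprint> and <Receive Connector Name> are placeholders to fill in.
param(
    [string]$Thumbprint    = '<Thumbprint>',
    [string]$ConnectorName = '<Receive Connector Name>'
)

function Get-TlsCertificateName {
    param(
        [string]$Issuer,
        [string]$Subject,
        [string[]]$SanNames   # DNS names from the certificate's SAN
    )
    # Exchange parses the <S> part as a DN and requires a CN attribute.
    # Match "CN=" at the start of the DN or after a comma; quoted values such
    # as O="CONTOSO, Inc." contain commas but never a ", CN=" sequence.
    if ($Subject -notmatch '(^|,\s*)CN=') {
        if (-not $SanNames -or $SanNames.Count -eq 0) {
            throw 'Subject has no CN and the certificate lists no SAN names; cannot build an identifier.'
        }
        # The CN must also appear in the SAN, so the first SAN entry is a safe choice.
        $Subject = "CN=$($SanNames[0]), $Subject"
    }
    return "<I>$Issuer<S>$Subject"
}

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint

# Assumption: CertificateDomains holds the SAN entries of the Exchange certificate object.
$sanNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

$tlsCertName = Get-TlsCertificateName -Issuer $cert.Issuer -Subject $cert.Subject -SanNames $sanNames
Write-Host "Using TlsCertificateName: $tlsCertName"

Set-ReceiveConnector -Identity $ConnectorName -TlsCertificateName $tlsCertName

# Confirm the value was stored as intended.
Get-ReceiveConnector -Identity $ConnectorName | Format-List Identity, TlsCertificateName
```

If the subject already contains a CN the identifier is passed through unchanged, so the same script works for single-name certificates.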