Forum Discussion

Gly
Brass Contributor
Mar 03, 2025

Exchange health set unhealthy

Hello everyone! 

Some healthprobes on our Exchange 2016 Server have been reporting an unhealthy state since the middle of February. OAB.Proxy, EWS.Proxy, Outlook.proxy and OutlookMapiHttp.Proxy. 
We have no mailboxes on the server, so it's not critical, but I would still like to figure out what is going on. 
They all fail with "The remote server returned an error: (401) Unauthorized" and if I try to invoke the probe I see this in the response: 

It looks like the SSL validation is not happening. 
Is it normal for the probe to use localhost for this? 
When I run "Get-WebServicesVirtualDirectory" both the internal and external virtual directory are set to our external URL. 


Any insight is greatly appreciated! 

4 Replies

  • LainRobertson
    Silver Contributor

    Hi Gly,

    Yes, the localhost reference is fine.

    I may be digging too many years into the past, but I have a hunch you hit this timeout issue when the CRL URL can't be reached.

    Here's a quick-but-lengthy PowerShell one-liner you can run on your Exchange Server host to check if the CRL is accessible from the host itself. Note, I'm on Exchange Server 2019 but I would anticipate this should still work on Exchange Server 2016 given how basic the command is.

    Out of sympathy for anyone reading this post, I've also included a formatted version of the same one-liner.

    # One-liner.
    Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object { $Matches = $null; $null = certutil -v -store my $_.Thumbprint | Where-Object { $_ -match "http\S+?\.crl" }; if (0 -lt $Matches.Count) { $crl = $Matches[0]; $ok = $false; try { $ok = 400 -gt (Invoke-WebRequest -UseBasicParsing -Method Get -Uri $crl -TimeoutSec 15).StatusCode } catch { $ok = $false }; [PSCustomObject] @{ Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter; Subject = $_.Subject; CRL = $crl; CRLOkay = $ok } } }
    
    # The same one-liner from above formatted for easier reading. You can readily copy-and-paste this version into the PowerShell console window if you like.
    Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object {
        # Reset $Matches so a CRL URL found for a previous certificate is not reused for this one.
        $Matches = $null
        # certutil prints the CRL Distribution Point URL; -match populates $Matches in this scope.
        # The pattern matches the URL whether or not certutil wraps it in parentheses.
        $null = certutil -v -store my $_.Thumbprint | Where-Object { $_ -match "http\S+?\.crl" }
        if (0 -lt $Matches.Count) {
            $crl = $Matches[0]
            # Invoke-WebRequest raises an error on 4xx/5xx (and on a timeout) instead of returning
            # the status code, so any failure to fetch the CRL is reported as CRLOkay = False.
            $ok = $false
            try { $ok = 400 -gt (Invoke-WebRequest -UseBasicParsing -Method Get -Uri $crl -TimeoutSec 15).StatusCode } catch { $ok = $false }
            [PSCustomObject] @{
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Subject    = $_.Subject
                CRL        = $crl
                CRLOkay    = $ok
            }
        }
    }

    Output

    If you find that CRLOkay is True then my recollection is wrong and I'd have to go away and try to reproduce your timeout before I could attempt to give myself a refresher.

    Cheers,

    Lain
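Lain's check above tests whether the leaf certificate's CRL URL answers an HTTP request. The block below is an added example, not code from the thread: it lets Windows build the chain for each IIS-bound Exchange certificate with online revocation checking, which exercises the same CRL fetch (intermediates included) that the probe's TLS validation depends on, and flags the chain statuses an unreachable or slow CRL distribution point produces. The function name and the 15-second timeout are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example (not from the thread). Builds each IIS-bound Exchange certificate's chain
# with online revocation checking and reports CRL-related failures. The function name and
# the default timeout are assumed values.
function Test-ExchangeCertRevocationChain {
    param([int] $TimeoutSeconds = 15)

    Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object {
        # Load the certificate from the machine store by the thumbprint Exchange reports.
        $cert = Get-Item ("Cert:\LocalMachine\My\" + $_.Thumbprint)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Fetch CRLs over the network for the leaf and every intermediate, with a bounded wait.
        $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

        $built  = $chain.Build($cert)
        $status = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }

        # RevocationStatusUnknown / OfflineRevocation are what a CRL that cannot be retrieved
        # (or that times out) produces; other statuses point at a different chain problem.
        $crlProblem = ($chain.ChainStatus.Status -contains "RevocationStatusUnknown") -or
                      ($chain.ChainStatus.Status -contains "OfflineRevocation")

        [PSCustomObject] @{
            Thumbprint  = $_.Thumbprint
            Subject     = $_.Subject
            NotAfter    = $_.NotAfter
            ChainBuilt  = $built
            CrlProblem  = $crlProblem
            ChainLength = $chain.ChainElements.Count
            ChainStatus = ($status -join "; ")
        }
        $chain.Reset()
    }
}

Test-ExchangeCertRevocationChain | Format-List
```

A certificate with ChainBuilt = True and CrlProblem = False passes the same revocation path the probe relies on, so a remaining 401 would not be a CRL timeout.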

    • Gly
      Brass Contributor

      Hello LainRobertson
      The healthprobes started working again without me doing anything a few days after I made the original post. I ran your one-liner (had to make a change to the regex: "http.+\.crl") and it resulted in CRLOkay = True, but then again the error is no longer present. I will try this again if the error somehow reappears later. 
      Thank you very much for taking the time to respond! 

  • Gly
    Brass Contributor

    Sorry for the late reply. 
    The certificate binding was correct, and works for other services, but I figured I could try to remove it and add it again to see if anything changed. However, before I got that far I noticed the healthprobes had started working again. This was five days ago, and they have been working since. So I am thoroughly confused. 😅 
    I'll keep monitoring the situation. 
    Thanks for your suggestion, Towel 

  • Towel
    Copper Contributor

    Open IIS, check the "Default Web Site", and check whether the binding and the certificate are there and properly configured.