Symptom:
- Accessing ECP or OWA in a browser shows the login form normally. After signing in with a domain account the page goes blank, and Chrome reports a 503 error.
Analysis:
- The event log contains a large number of Event 15021 errors: "An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data."
- On the Exchange server, open an elevated command prompt and run the following command to inspect the SSL certificate bindings:
C:\Windows\system32>netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 294e5fc35f99f97bc18a7f767e3c1413a8797d3b
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:444
Certificate Hash : 21a067fd4d2058569a773ff8e2049c29f27200a3
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:8172
Certificate Hash : e59610098eb1b0501bb12b9aca8ca9cb2d88a583
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 127.0.0.1:443
Certificate Hash : 294e5fc35f99f97bc18a7f767e3c1413a8797d3b
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
C:\Windows\system32>
- Compare the three bindings "0.0.0.0:443", "0.0.0.0:444" and "127.0.0.1:443": all three share the same Application ID, but the Certificate Hash of "0.0.0.0:444" differs from the other two, as shown above.
Fix:
- Delete the 0.0.0.0:444 binding and re-create it with the certificate hash used by the 0.0.0.0:443 binding:
C:\Windows\system32>netsh http delete sslcert ipport=0.0.0.0:444
SSL Certificate successfully deleted
C:\Windows\system32>netsh http add sslcert ipport=0.0.0.0:444 certhash=294e5fc35f99f97bc18a7f767e3c1413a8797d3b appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
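The comparison and repair above can be scripted so the check is repeatable (for example after a certificate renewal). The following PowerShell is an added example, not part of the original post: it parses the English-language output of `netsh http show sslcert` in the format shown above, verifies that the back-end listener 0.0.0.0:444 uses the same certificate hash and Application ID as 0.0.0.0:443, confirms that certificate actually exists in the machine store, and prints the two `netsh` repair commands. Nothing is changed unless `-Repair` is passed. The function names `Get-SslCertBinding` and `Test-ExchangeBackEndBinding` are assumptions chosen for this example; it assumes an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not from the original post). Assumes English netsh output as shown above
# and an elevated session on the Exchange server.

function Get-SslCertBinding {
    param(
        # Defaults to the live output; pass captured text to test offline.
        [string[]]$NetshOutput = (& netsh http show sslcert)
    )
    $bindings = New-Object System.Collections.Generic.List[object]
    $current  = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings.Add([pscustomobject]$current) }
            $current = [ordered]@{ IpPort = $Matches[1]; CertHash = $null; AppId = $null; StoreName = $null }
        }
        elseif ($null -eq $current) { continue }
        elseif ($line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1].ToLower()
        }
        # Tolerate stray characters in front of the GUID (copied output often has them).
        elseif ($line -match '^\s*Application ID\s*:\s*[^{]*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1].ToLower()
        }
        elseif ($line -match '^\s*Certificate Store Name\s*:\s*(.+?)\s*$') {
            $current.StoreName = $Matches[1]
        }
    }
    if ($current) { $bindings.Add([pscustomobject]$current) }
    return $bindings
}

function Test-ExchangeBackEndBinding {
    param(
        [string[]]$NetshOutput = (& netsh http show sslcert),
        [switch]$Repair
    )
    $bindings = Get-SslCertBinding -NetshOutput $NetshOutput
    $front = $bindings | Where-Object { $_.IpPort -eq '0.0.0.0:443' }
    $back  = $bindings | Where-Object { $_.IpPort -eq '0.0.0.0:444' }

    if (-not $front) { throw 'No binding for 0.0.0.0:443 found; no reference certificate to compare against.' }
    if (-not $back)  { throw 'No binding for 0.0.0.0:444 found; the back-end listener is missing entirely.' }

    # The reference certificate must exist in LocalMachine\My, otherwise the re-created
    # binding would fail with the same Event 15021 error.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $front.CertHash }
    if (-not $cert) {
        throw "Certificate $($front.CertHash) bound to 0.0.0.0:443 is not present in LocalMachine\My."
    }

    if ($back.CertHash -eq $front.CertHash -and $back.AppId -eq $front.AppId) {
        Write-Host "OK: 0.0.0.0:444 uses the same certificate ($($front.CertHash)) and Application ID as 0.0.0.0:443."
        return $true
    }

    Write-Warning ("MISMATCH: 0.0.0.0:444 hash={0} appid={1}; 0.0.0.0:443 hash={2} appid={3}" -f
        $back.CertHash, $back.AppId, $front.CertHash, $front.AppId)

    $delete = "netsh http delete sslcert ipport=0.0.0.0:444"
    $add    = "netsh http add sslcert ipport=0.0.0.0:444 certhash=$($front.CertHash) appid=$($front.AppId) certstorename=MY"
    Write-Host "Repair commands:`n  $delete`n  $add"

    if ($Repair) {
        # Quoted tokens keep PowerShell from interpreting the braces in the GUID.
        & netsh http delete sslcert "ipport=0.0.0.0:444" | Out-Null
        & netsh http add sslcert "ipport=0.0.0.0:444" "certhash=$($front.CertHash)" "appid=$($front.AppId)" "certstorename=MY"
    }
    return $false
}

# Usage: report only, then repair once the reported commands look right.
Test-ExchangeBackEndBinding
# Test-ExchangeBackEndBinding -Repair
```

The parser matches the English labels (`IP:port`, `Certificate Hash`, `Application ID`); on a localized Windows build where `netsh` prints translated labels, the regexes need the local wording. After a repair, run `netsh http show sslcert` again to confirm the 0.0.0.0:444 binding now shows the same hash as 0.0.0.0:443 and a Certificate Store Name of MY rather than (null).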
Notes:
- This bug has been fixed since CU6; upgrading to the latest CU is recommended.
- For full details, refer to the official link.