
Commit 99e76b4

Merge pull request #2461 from microsoft/dpaul-HcDev2
Use Get-TransportService InternalTransportCertificateThumbprint instead of LDAP query
2 parents 0e2e800 + d76ceb7 commit 99e76b4

8 files changed

Lines changed: 24 additions & 36 deletions


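--- a/Diagnostics/HealthChecker/Analyzer/Security/Get-ExchangeCertificateCustomObject.ps1
+++ b/Diagnostics/HealthChecker/Analyzer/Security/Get-ExchangeCertificateCustomObject.ps1
@@ -7,7 +7,7 @@ function Get-ExchangeCertificateCustomObject {
 [Parameter(ValueFromPipeline)]
 [object[]]$Certificate,
 
-[object]$InternalTransportCertificate,
+[string]$InternalTransportCertificateThumbprint,
 
 [object]$AuthConfig
 )
@@ -104,7 +104,7 @@ function Get-ExchangeCertificateCustomObject {
 IsSanCertificate = $null -ne $cert.DnsNameList -and ($cert.DnsNameList).Count -gt 1
 Namespaces = $certDnsNameList
 Services = $cert.Services
-IsInternalTransportCertificate = $null -ne $InternalTransportCertificate -and $cert.Thumbprint -eq $InternalTransportCertificate.Thumbprint
+IsInternalTransportCertificate = $null -ne $InternalTransportCertificateThumbprint -and $cert.Thumbprint -eq $InternalTransportCertificateThumbprint
 IsCurrentAuthConfigCertificate = $isAuthConfigInfo
 IsNextAuthConfigCertificate = $isNextAuthCertificate
 SetAsActiveAuthCertificateOn = if ($isNextAuthCertificate) { $authConfig.NextCertificateEffectiveDate } else { $null }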
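Review bot: The `$null -ne $InternalTransportCertificateThumbprint` guard on the new line 107 can no longer fail now that the parameter is typed `[string]`: an omitted argument, or a `$null` forwarded by the caller, binds as an empty string, so the property value depends solely on `$cert.Thumbprint -eq ''` and the guard is dead. Test for emptiness instead, which also covers a whitespace-only value coming back from the collector: `IsInternalTransportCertificate = -not [string]::IsNullOrWhiteSpace($InternalTransportCertificateThumbprint) -and $cert.Thumbprint -eq $InternalTransportCertificateThumbprint`. This flag is what the security analyzer later turns into the "Valid Internal Transport Certificate Found On Server" verdict, so the comparison should be the tight one. The enclosing function starts before the first hunk and continues past the second.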

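--- a/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityExchangeCertificates.ps1
+++ b/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityExchangeCertificates.ps1
@@ -266,19 +266,6 @@ function Invoke-AnalyzerSecurityExchangeCertificates {
 }
 Add-AnalyzedResultInformation @params
 }
-} elseif ($exchangeInformation.GetExchangeServer.IsEdgeServer -eq $true) {
-$params = $baseParams + @{
-Name = "Valid Internal Transport Certificate Found On Server"
-Details = $false
-DisplayCustomTabNumber = 1
-}
-Add-AnalyzedResultInformation @params
-
-$params = $baseParams + @{
-Details = "We can't check for Internal Transport Certificate on Edge Transport Servers"
-DisplayCustomTabNumber = 2
-}
-Add-AnalyzedResultInformation @params
 } else {
 $params = $baseParams + @{
 Name = "Valid Internal Transport Certificate Found On Server"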
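Review bot: With the `IsEdgeServer` branch deleted, Edge Transport servers now fall through to the `} else {` branch, which reports the internal transport certificate as not found whenever the thumbprint is missing; an Edge server on which Get-TransportService itself failed loses the former explanatory detail and gets the generic failure instead. If that is the intended behaviour, a one-line comment at the `} else {` would stop the next reader from re-adding the branch: `# Edge Transport servers are evaluated here too now that the thumbprint comes from Get-TransportService rather than AD`. The enclosing function starts and ends outside the hunk, so I cannot see the Details text of the remaining branch to judge whether it already says this.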

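--- a/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Invoke-JobExchangeInformationCmdlet.ps1
+++ b/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Invoke-JobExchangeInformationCmdlet.ps1
@@ -161,6 +161,12 @@ function Invoke-JobExchangeInformationCmdlet {
 
 try {
 $getTransportService = Get-TransportService -Identity $Server -ErrorAction Stop
+try {
+$exchangeCertificateInformation.InternalCertificateThumbprint = $getTransportService.InternalTransportCertificateThumbprint
+} catch {
+Write-Verbose "Failed to create the certificate object."
+Invoke-CatchActions
+}
 } catch {
 Write-Verbose "Failed to run Get-TransportService"
 Invoke-CatchActions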
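Review bot: The verbose message `"Failed to create the certificate object."` on the new line 167 describes the old code path; the inner try now only copies `InternalTransportCertificateThumbprint` into `$exchangeCertificateInformation`, so what can fail here is the property read or the assignment, not certificate creation. Suggest `Write-Verbose "Failed to read InternalTransportCertificateThumbprint from the Get-TransportService result."`. A successful cmdlet call that returns an empty thumbprint is the case the analyzer later reports as "not found", and in the verbose log it is currently indistinguishable from a good run; one line after the assignment would make that diagnosable: `if ([string]::IsNullOrEmpty($exchangeCertificateInformation.InternalCertificateThumbprint)) { Write-Verbose "Get-TransportService returned no InternalTransportCertificateThumbprint" }`. The enclosing function starts before and continues past the hunk.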

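--- a/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Tests/Get-ExchangeCertificateCustomObject.Tests.ps1
+++ b/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Tests/Get-ExchangeCertificateCustomObject.Tests.ps1
@@ -39,7 +39,7 @@ Describe "Testing Get-ExchangeServerCertificateInformation & Get-ExchangeCertifi
 Context "Valid Exchange Server Certificates Detected" {
 BeforeAll {
 $info = Get-ExchangeServerCertificateInformation -Server $Script:Server
-$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -InternalTransportCertificate $info.InternalCertificate -AuthConfig (Get-AuthConfig)
+$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -AuthConfig (Get-AuthConfig)
 }
 
 It "Valid Auth Certificate (using weak SHA1 Hash Algorithm) Detected" {
@@ -82,7 +82,7 @@ Describe "Testing Get-ExchangeServerCertificateInformation & Get-ExchangeCertifi
 BeforeAll {
 Mock Get-ExchangeCertificate -MockWith { return Import-Clixml $Script:parentPath\Tests\DataCollection\GetExchangeCertificateWithoutAuth.xml }
 $info = Get-ExchangeServerCertificateInformation -Server $Script:Server
-$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -InternalTransportCertificate $info.InternalCertificate -AuthConfig (Get-AuthConfig)
+$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -AuthConfig (Get-AuthConfig)
 }
 
 It "Get Auth Config But No Matching Certificate" {
@@ -99,7 +99,7 @@ Describe "Testing Get-ExchangeServerCertificateInformation & Get-ExchangeCertifi
 BeforeAll {
 Mock Get-AuthConfig -MockWith { throw "Bad thing happened - Get-AuthConfig" }
 $info = Get-ExchangeServerCertificateInformation -Server $Script:Server
-$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -InternalTransportCertificate $info.InternalCertificate -AuthConfig $null
+$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -AuthConfig $null
 }
 
 It "Unable To Find Valid Auth Certificate" {
@@ -116,7 +116,7 @@ Describe "Testing Get-ExchangeServerCertificateInformation & Get-ExchangeCertifi
 BeforeAll {
 Mock Get-ExchangeCertificate -MockWith { return $null }
 $info = Get-ExchangeServerCertificateInformation -Server $Script:Server
-$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -InternalTransportCertificate $info.InternalCertificate -AuthConfig (Get-AuthConfig)
+$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -AuthConfig (Get-AuthConfig)
 }
 
 It "No Custom certificate Object Returned" {
@@ -128,7 +128,7 @@ Describe "Testing Get-ExchangeServerCertificateInformation & Get-ExchangeCertifi
 BeforeAll {
 Mock Get-ExchangeCertificate { Import-Clixml $Script:parentPath\Tests\DataCollection\GetExchangeCertificateBroken.xml }
 $info = Get-ExchangeServerCertificateInformation -Server $Script:Server
-$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -InternalTransportCertificate $info.InternalCertificate -AuthConfig (Get-AuthConfig)
+$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -AuthConfig (Get-AuthConfig)
 }
 
 It "Should Successfully Import Certificates From RawData" {
@@ -146,7 +146,7 @@ Describe "Testing Get-ExchangeServerCertificateInformation & Get-ExchangeCertifi
 BeforeAll {
 Mock Get-ExchangeCertificate -MockWith { throw "Bad thing happened - Get-ExchangeCertificate" }
 $info = Get-ExchangeServerCertificateInformation -Server $Script:Server
-$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -InternalTransportCertificate $info.InternalCertificate -AuthConfig (Get-AuthConfig)
+$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -AuthConfig (Get-AuthConfig)
 }
 
 It "No Custom Certificate Object Returned And Exception Logged" {
@@ -159,7 +159,7 @@ Describe "Testing Get-ExchangeServerCertificateInformation & Get-ExchangeCertifi
 BeforeAll {
 Mock Get-ExchangeCertificate -MockWith { return Import-Clixml $Script:parentPath\Tests\DataCollection\GetExchangeCertificateOnAzure.xml }
 $info = Get-ExchangeServerCertificateInformation -Server $Script:Server
-$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -InternalTransportCertificate $info.InternalCertificate -AuthConfig (Get-AuthConfig)
+$script:results = $info.Certificates | Get-ExchangeCertificateCustomObject -AuthConfig (Get-AuthConfig)
 }
 
 It "Should Not Return The 'Windows Azure CRP Certificate Generator' Certificate" {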
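Review bot: Every BeforeAll in these seven hunks now omits the thumbprint argument entirely, so no test in this file drives `IsInternalTransportCertificate` to `$true`; the new string comparison in Get-ExchangeCertificateCustomObject is only ever exercised against an empty parameter, which is exactly the path where the guard degenerates. Add one Context that passes the thumbprint of a certificate present in the fixture (e.g. `-InternalTransportCertificateThumbprint $info.Certificates[0].Thumbprint`, index chosen to match the fixture) and asserts `IsInternalTransportCertificate` is `$true` for that certificate and `$false` for every other one, plus a case passing `$null` that asserts all are `$false`. The Describe block starts before the first hunk.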

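--- a/Diagnostics/HealthChecker/Features/Get-HealthCheckerDataObject.ps1
+++ b/Diagnostics/HealthChecker/Features/Get-HealthCheckerDataObject.ps1
@@ -38,14 +38,14 @@ function Get-HealthCheckerDataObject {
 if ($null -ne $ExchangeCmdletResult.ExchangeCertificateInformation) {
 $certs = ($ExchangeCmdletResult.ExchangeCertificateInformation.Certificates | ConvertTo-ExchangeCertificate -CatchActionFunction ${Function:Invoke-CatchActions})
 $certCustomParams = @{
-InternalTransportCertificate = $ExchangeCmdletResult.ExchangeCertificateInformation.InternalCertificate
-AuthConfig = $OrganizationInformationResult.GetAuthConfig
+InternalTransportCertificateThumbprint = $ExchangeCmdletResult.ExchangeCertificateInformation.InternalCertificateThumbprint
+AuthConfig = $OrganizationInformationResult.GetAuthConfig
 }
 
 $exchangeCertificateInformation = [PSCustomObject]@{
-Certificates = $certs
-InternalCertificate = $ExchangeCmdletResult.ExchangeCertificateInformation.InternalCertificate
-CustomCertificates = ($certs | Get-ExchangeCertificateCustomObject @certCustomParams)
+Certificates = $certs
+InternalCertificateThumbprint = $ExchangeCmdletResult.ExchangeCertificateInformation.InternalCertificateThumbprint
+CustomCertificates = ($certs | Get-ExchangeCertificateCustomObject @certCustomParams)
 }
 
 [array]$connector = $OrganizationInformationResult.GetSendConnector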
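Review bot: `$ExchangeCmdletResult.ExchangeCertificateInformation.InternalCertificateThumbprint` is read twice in the hunk (new lines 41 and 47), once for the splat and once for the output object, so the two can drift apart on a future edit. Hoist it next to `$certs`, `$internalThumbprint = $ExchangeCmdletResult.ExchangeCertificateInformation.InternalCertificateThumbprint`, and use `$internalThumbprint` in both places. Note that when the collector left the value `$null`, the splat forwards `$null` to a `[string]` parameter, which binds as an empty string; that is handled only if Get-ExchangeCertificateCustomObject guards on emptiness rather than on `$null`. The enclosing function extends beyond the hunk on both sides.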

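--- a/Diagnostics/HealthChecker/Tests/HealthChecker.MockedCalls.Tests.ps1
+++ b/Diagnostics/HealthChecker/Tests/HealthChecker.MockedCalls.Tests.ps1
@@ -30,7 +30,6 @@ Describe "Testing Health Checker by Mock Data Imports" {
 Mock Get-OwaVirtualDirectory { return Import-Clixml "$Script:MockDataCollectionRoot\Exchange\GetOwaVirtualDirectory.xml" }
 Mock Get-WebServicesVirtualDirectory { return Import-Clixml "$Script:MockDataCollectionRoot\Exchange\GetWebServicesVirtualDirectory.xml" }
 Mock Get-OrganizationConfig { return Import-Clixml "$Script:MockDataCollectionRoot\Exchange\GetOrganizationConfig.xml" }
-Mock Get-InternalTransportCertificateFromServer { return Import-Clixml "$Script:MockDataCollectionRoot\Exchange\GetInternalTransportCertificateFromServer.xml" }
 Mock Get-HybridConfiguration { return $null }
 Mock Get-PartnerApplication { return $null }
 Mock Get-ExchangeDiagnosticInfo -ParameterFilter { $Process -eq "Microsoft.Exchange.Directory.TopologyService" -and $Component -eq "VariantConfiguration" -and $Argument -eq "Overrides" } `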

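--- a/Shared/CertificateFunctions/Get-ExchangeServerCertificateInformation.ps1
+++ b/Shared/CertificateFunctions/Get-ExchangeServerCertificateInformation.ps1
@@ -1,7 +1,6 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
-. $PSScriptRoot\..\ActiveDirectoryFunctions\Get-InternalTransportCertificateFromServer.ps1
 . $PSScriptRoot\..\ScriptBlockFunctions\RemotePipelineHandlerFunctions.ps1
 . $PSScriptRoot\..\Invoke-CatchActionError.ps1
 . $PSScriptRoot\ConvertTo-ExchangeCertificate.ps1
@@ -85,11 +84,6 @@ function Get-ExchangeServerCertificateInformation {
 $exchangeServerCertificates = $null
 Get-ExchangeCertificate -Server $Server -ErrorAction Stop | ConvertTo-ExchangeCertificate -CatchActionFunction $CatchActionFunction |
 Invoke-RemotePipelineHandler -Result ([ref]$exchangeServerCertificates)
-
-Write-Verbose "Trying to query internal transport certificate from AD for this server"
-$internalTransportCertificate = $null
-Get-InternalTransportCertificateFromServer -ComputerName $Server -CatchActionFunction $CatchActionFunction |
-Invoke-RemotePipelineHandler -Result ([ref]$internalTransportCertificate)
 } catch {
 Write-Verbose "Failed to collect the Exchange Server Certificate Information on $server. Inner Exception: $_"
 Invoke-CatchActionError $CatchActionFunction
@@ -105,8 +99,8 @@ function Get-ExchangeServerCertificateInformation {
 }
 end {
 return [PSCustomObject]@{
-Certificates = $certObject
-InternalCertificate = $internalTransportCertificate
+Certificates = $certObject
+InternalCertificateThumbprint = $null
 }
 }
 }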
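Review bot: The `end` block now returns `InternalCertificateThumbprint = $null` unconditionally (new line 103), and nothing in this shared function says that the value is meant to be filled in afterwards by the HealthChecker job; a reader of Shared/ will take the constant for a bug and either delete it or "fix" it. A comment above the line would carry that contract: `# Placeholder only: the caller populates this from Get-TransportService's InternalTransportCertificateThumbprint; this function no longer queries AD.` Because the function lives under Shared/ and the diff only touches HealthChecker callers, any other script that still reads `.InternalCertificate` from this object silently gets nothing after this change; I cannot see other consumers from the diff, so that is worth a repository-wide search before merge.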

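--- a/docs/Diagnostics/HealthChecker/InternalTransportCertificateCheck.md
+++ b/docs/Diagnostics/HealthChecker/InternalTransportCertificateCheck.md
@@ -6,6 +6,8 @@ The Internal Transport Certificate in Exchange Server is used in Exchange Server
 
 A missing Internal Transport Certificate can lead to a broken MailFlow on or with the affected machine. It's therefore essential to have a valid certificate for this purpose on the machine. We recommend to not replace the self-signed certificate which was created by Exchange itself.
 
+Health Checker gets the Internal Transport Certificate by running `Get-TransportService` if this has failed to run, this would also result in the failed to find the Internal Transport Certificate.
+
 ### What does the check do?
 
 The check queries the certificate which is marked as Internal Transport Certificate on the server against which the script is currently running. The script will throw a warning if the certificate cannot be found on the machine. It must then be recreated by the Exchange Server administrator and set as new Internal Transport Certificate.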
