November 7, 2022

Exchange Upgrade CU23 Fail with Cert Error

By Geekphreek

Anyone else had this:

Error:
The following error was generated when "$error.Clear();
          Install-ExchangeCertificate -services "IIS, POP, IMAP" -DomainController $RoleDomainController
          if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
          {
          Install-AuthCertificate -DomainController $RoleDomainController
          }
        " was run: "Microsoft.Exchange.Management.SystemConfigurationTasks.AddAccessRuleCryptographicException: Could not grant Network Service access to the certificate with thumbprint 9B95F26A22DE3A83F4328A24B79FD873EC985DBB because a cryptographic exception was thrown. ---> System.Security.Cryptography.CryptographicException: Access is denied.
  at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
   at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.AddAccessRule(X509Certificate2 certificate, AccessRule rule)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.ManageExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services, String websiteName, Boolean requireSsl, ITopologyConfigurationSession dataSession, Server server, List`1 warningList, Boolean allowConfirmation, Boolean forceNetworkService)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.b__91_1()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

The important part of this is "Could not grant Network Service access to the certificate with thumbprint 9B95F26A22DE3A83F4328A24B79FD873EC985DBB because a cryptographic exception was thrown. ---> System.Security.Cryptography.CryptographicException: Access is denied." What has really happened is that MS has thrown a strop over your certificates. You don't have to change permissions: just quickly generate a new self-signed certificate, let setup finish, and swap your usual certificate back once it has completed.

By now you will have noticed that you cannot open ECP and you cannot open the Exchange Management Shell, because setup failed part-way through and Exchange is left in recovery mode and broken. Open a plain PowerShell window and execute:

Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin
New-ExchangeCertificate -Services SMTP
(Note the Thumbprint in the output; you'll need it for the next command)
Enable-ExchangeCertificate -Services IIS -Thumbprint 38137A08253C659FFC6B97FC085BB440783F2CA3

Replace that thumbprint with yours. You’ll now be able to restart the Exchange install and it will complete without error.

Once done, log in to ECP, go to Servers > Certificates, and reassign your usual certificate to IIS, SMTP, POP3 and IMAP. You should be done.
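The same workaround as a script, added here as an example and not part of the original post. It does two things the manual steps above leave to the eye: it reads (without changing) the ACL on the private-key file that Install-ExchangeCertificate was trying to grant NETWORK SERVICE access to when it reported "Access is denied", so you can see which principals hold rights on it; and it performs the temporary self-signed swap by capturing the thumbprint from the object New-ExchangeCertificate returns instead of retyping it, recording the original IIS certificate so it can be put back afterwards. Assumptions: an elevated Windows PowerShell 5.1 session on the Exchange server, the Exchange snap-in loading as it does in the post, Get-ExchangeCertificate working in the broken state, and the -Force switch on New-/Enable-ExchangeCertificate to suppress the "overwrite the default SMTP certificate?" prompt. The function names are my own; the thumbprint in the usage comment is the one from the error above.

```powershell
# Added example, not the original post's commands. Assumes elevated Windows PowerShell 5.1
# on the Exchange server; function names (Get-CertPrivateKeyAcl, Start-TemporaryCertSwap,
# Complete-TemporaryCertSwap) are hypothetical helpers written for this post.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop

function Get-CertPrivateKeyAcl {
    # Read-only: reports who holds rights on the certificate's private-key file. This is the
    # object setup's AddAccessRule call was trying to modify when it got "Access is denied".
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

    # RSACng (CNG key) and RSACryptoServiceProvider (legacy CSP key) expose the on-disk
    # container name through different properties.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw "Private key of $Thumbprint is not an RSA key this helper can inspect" }
    $keyName = switch ($rsa) {
        { $_ -is [System.Security.Cryptography.RSACng] }                   { $_.Key.UniqueName }
        { $_ -is [System.Security.Cryptography.RSACryptoServiceProvider] } { $_.CspKeyContainerInfo.UniqueKeyContainerName }
        default { throw "Unsupported private key type: $($rsa.GetType().FullName)" }
    }

    # Machine keys live in one of two ProgramData folders depending on key type.
    $keyFile = @('Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys') |
        ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $keyName } |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key container '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

    $acl  = Get-Acl -Path $keyFile
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    # Exchange services run as NETWORK SERVICE and need at least Read on the key file.
    # (Specific rights only; an ACE written with GENERIC_READ would not match here.)
    $nsRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $read) -eq $read)
    }

    [pscustomobject]@{
        Thumbprint            = $Thumbprint
        KeyFile               = $keyFile
        Owner                 = $acl.Owner
        NetworkServiceCanRead = [bool]$nsRead
        Access                = $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}

function Start-TemporaryCertSwap {
    # Records the certificate currently serving IIS, creates a new self-signed certificate
    # and binds it to IIS so setup can be re-run. Returns both thumbprints for the restore step.
    $original = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $original) { throw 'No certificate is currently bound to IIS' }

    # New-ExchangeCertificate returns the new certificate object, so the thumbprint is
    # captured rather than copied by hand; -Force answers the overwrite prompt for SMTP.
    $temp = New-ExchangeCertificate -Services SMTP -Force
    Enable-ExchangeCertificate -Thumbprint $temp.Thumbprint -Services IIS -Force

    [pscustomobject]@{ OriginalThumbprint = $original.Thumbprint; TemporaryThumbprint = $temp.Thumbprint }
}

function Complete-TemporaryCertSwap {
    # Run after setup has completed: the scripted form of the ECP step that puts the
    # usual certificate back on IIS, SMTP, POP and IMAP.
    param([Parameter(Mandatory)][string]$OriginalThumbprint)
    Enable-ExchangeCertificate -Thumbprint $OriginalThumbprint -Services IIS, SMTP, POP, IMAP -Force
}

# Usage:
#   Get-CertPrivateKeyAcl -Thumbprint 9B95F26A22DE3A83F4328A24B79FD873EC985DBB | Format-List
#   $swap = Start-TemporaryCertSwap        # then re-run the CU23 setup
#   Complete-TemporaryCertSwap -OriginalThumbprint $swap.OriginalThumbprint
```

Run Get-CertPrivateKeyAcl against the thumbprint named in the error before starting the swap: if NETWORK SERVICE already reads the key and the file is owned by SYSTEM or Administrators, the failure was setup's ACL write rather than the certificate itself, which is why the temporary swap gets you past it without touching permissions. Keep the object Start-TemporaryCertSwap returns in the same session (or note the thumbprints down) so the restore step does not depend on reading them back off the screen.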