Exchange 2016 on Server 2016 installation got error on Mailbox Role Client, does anyone know how to fix this? RRS feed

  • Question

  • The following error was generated when "$error.Clear(); 
              Install-ExchangeCertificate -WebSiteName "Exchange Back End" -services "IIS, POP, IMAP" -DomainController $RoleDomainController -InstallInTrustedRootCAIfSelfSigned $true
              if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
                Install-AuthCertificate -DomainController $RoleDomainController
            " was run: "Microsoft.Exchange.Management.SystemConfigurationTasks.AddAccessRuleCryptographicException: Could not grant Network Service access to the certificate with thumbprint C27AF638A028FF5785B4593432F2794393BCB175 because a cryptographic exception was thrown. ---> System.Security.Cryptography.CryptographicException: Access is denied.

       at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
       at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.AddAccessRule(X509Certificate2 certificate, AccessRule rule)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.ManageExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services, String websiteName, Boolean requireSsl, ITopologyConfigurationSession dataSession, Server server, List`1 warningList, Boolean allowConfirmation, Boolean forceNetworkService)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
       at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
    Wednesday, September 23, 2020 8:58 AM

All replies

  • Dear,

    It seems the install did not run as admin. If you launch it with command prompt, did you run cmd as admin?

    Wednesday, September 23, 2020 12:54 PM
  • you mean for pasting the prerequisite code in powershell right? if yes, then yes, i did. Im not sure why was this error an issue if the prerequisite analysis didnt showed any errors.
    Wednesday, September 23, 2020 1:52 PM
  • Hi,

    Please make sure the account have all the permissions like domain admin, schema and enterprise admin.

    According to the error message, "Could not grant Network Service access to the certificate with thumbprint",

    Fire up MMC, add the Local Computer Certificate store into the console, located the certificate with thumbprint C27AF638A028FF5785B4593432F2794393BCB175, It will be in the personal store if you are getting this error, Tyr to move it into the Trusted Root Certification Authorities. 

    Below is also a thread discussed about the similar issue as yours for your reference:

    Error installing exchange 2016 step 1 of 7: Mailbox role

    Please note that, this Exchange Server Development forum mainly focuses on scripting issues, And the previous TechNet Exchange forum has been migrated to Q&A forum, please post your issues there if you need further support. 


    Joyce Shen

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, September 25, 2020 5:22 AM