The January 2023 Exchange Server Security Update (SU) introduced the "Certificate Signing of PowerShell Serialization Payload" feature. Microsoft announced that administrators must enable Serialization Payload signing themselves during the initial installation. This feature depends on the Auth Certificate: if there is a problem with the Auth Certificate on the Exchange Server, the system may experience various problems.
We previously mentioned the Exchange Server Auth Certificate in our article about OWA and ECP access problems caused by the Auth Certificate.
To solve Exchange Server Auth Certificate problems, Microsoft has published a script on its GitHub page. This script should be run before enabling Serialization Payload signing. If there is no Auth Certificate problem in your environment, this script is not needed.
Requirements for Exchange Server Auth Certificate Script
This script can only be run on servers running the Mailbox role of Exchange Server and from an elevated Exchange Management Shell (EMS) command prompt. You must be a member of the appropriate role group to use the script.
How to Use Exchange Server Auth Certificate Script
You can verify the Auth Certificate with this script; no extra parameters are needed for the verification process. The script writes its log under the Logging\AuthCertificateMonitoring folder of the Exchange Server installation directory, in .txt format.
.\MonitorExchangeAuthCertificate.ps1

After the script is run, the path where it saves the log file is shown. In my own environment, I have verified that all Auth Certificates are correct and working.

The following command can be used to renew the active Auth Certificate on the Exchange Server. This command also restarts the WebApp pools and performs the renewal process:
.\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true
When the command is run, the script first asks for confirmation; if you answer "Y", it starts running. It then asks two further questions:

Recycling the WebApp Pools is recommended when the active Authentication Certificate is changed. Respond with 'Y'.

Replacing the local transport (SMTP) certificate with the newly created Authentication Certificate is not recommended. Respond with 'N'.

The following command runs the script in renewal mode without user interaction and performs the required Authentication Certificate renewal. In unattended mode, the internal SMTP certificate is temporarily replaced with the new Authentication Certificate and then reverted to the old certificate. When the primary Authentication Certificate is changed, the script also restarts the MSExchangeServiceHost service and recycles the WebApp Pools, including MSExchangeOWAAppPool and MSExchangeECPAppPool.
Note: If the script cannot find a previously configured internal relay certificate on the machine on which it is run, it creates a new internal relay certificate.
.\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -Confirm:$false
The following command runs the script in renewal mode without user interaction. In this mode only reachable Exchange servers are considered, and the renewal action is performed if necessary:
.\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreUnreachableServers $true -Confirm:$false
The following command runs the script in renewal mode without user interaction, and the renewal action is performed even when an Exchange Hybrid configuration is detected:
Note: After the active Authentication Certificate is changed, you must re-run the Hybrid Configuration Wizard (HCW). This is important to ensure that the hybrid configuration is compatible with the renewed certificate.
.\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreHybridConfig $true -Confirm:$false
Exchange Server Auth Certificate Script Parameters
Parameter | Description |
---|---|
ValidateAndRenewAuthCertificate | This optional parameter enables the validation and renewal mode that will perform the necessary actions to replace an invalid/expired Authentication Certificate or configure a new next Authentication Certificate if the current Authentication Certificate expires in < 60 days or the certificate configured as the next Authentication Certificate expires in < 120 days. |
IgnoreUnreachableServers | This optional parameter can be used to ignore some Exchange servers within the organization if they are not reachable. If this parameter is used, the script will only verify the reachable servers and perform Authentication Certificate renewal actions based on the result. The parameter can be combined with the IgnoreHybridConfig parameter and can also be used with the ConfigureScriptToRunViaScheduledTask parameter to configure the script to run via a scheduled task. |
IgnoreHybridConfig | This optional parameter allows you to explicitly perform Authentication Certificate renewal actions (if required) even if an Exchange hybrid configuration is detected. You need to run HCW after the renewed Authentication Certificate becomes the certificate in use. The parameter can be combined with the IgnoreUnreachableServers parameter and can also be used with the ConfigureScriptToRunViaScheduledTask parameter to configure the script to run via a scheduled task. |
PrepareADForAutomationOnly | This optional parameter can be used in AD Split Permission scenarios. It allows you to create an AD account that can then be used to automatically run the Exchange Authentication Certificate Monitoring script via Task Scheduler. |
ADaccountDomain | This optional parameter allows you to specify the domain that will be used to create the AD account that is then used by the script for automation. The parameter can be combined with the PrepareADForAutomationOnly parameter. |
ConfigureScriptToRunViaScheduledTask | This optional parameter can be used to automatically provision the requirements in AD (user account) and Exchange (mail-enable the account, hide it from the address book, create a new role group with limited permissions), and finally to create the scheduled task on the computer where the script is executed (which must be an Exchange server running the Mailbox role). |
AutomationAccountCredential | This optional parameter can be used to provide a different user under the context of which the script is executed via the scheduled task. |
Password | Parameter to provide a password to the script which is required in some scenarios. |
ExportAuthCertificatesAsPfx | This optional parameter can be used to export all Authentication Certificates present in the system as a password protected .pfx file. |
ScriptUpdateOnly | This optional parameter allows you to simply update the script without performing any other action. |
SkipVersionCheck | This optional parameter can be used to bypass the Automatic Update feature to download the latest version of the script. |
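The ValidateAndRenewAuthCertificate row above gives the thresholds that trigger a renewal (current certificate expiring in under 60 days, next certificate in under 120 days). The following read-only pre-check, added here as an example and not part of the article or of Microsoft's script, applies the same thresholds so an administrator can see what the script would do before running it in renewal mode. It assumes an elevated Exchange Management Shell on a Mailbox server and uses the Get-AuthConfig and Get-ExchangeCertificate cmdlets; the function name and thresholds are this example's own.

```powershell
# Added example: read-only Auth Certificate pre-check using the article's thresholds.
# Assumes Exchange Management Shell (Get-AuthConfig, Get-ExchangeCertificate available).
function Test-AuthCertificateState {
    [CmdletBinding()]
    param(
        [int]$CurrentThresholdDays = 60,   # threshold for the certificate in use
        [int]$NextThresholdDays    = 120   # threshold for the configured next certificate
    )

    $authConfig = Get-AuthConfig
    $now        = Get-Date
    $findings   = [System.Collections.Generic.List[string]]::new()

    # Resolve a thumbprint from the auth config to a certificate installed on this server.
    function Get-CertByThumbprint([string]$Thumbprint) {
        if ([string]::IsNullOrWhiteSpace($Thumbprint)) { return $null }
        Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
    }

    $current = Get-CertByThumbprint $authConfig.CurrentCertificateThumbprint
    if ($null -eq $current) {
        # A missing current certificate is the classic cause of OWA/ECP access problems.
        $findings.Add("Current Auth Certificate $($authConfig.CurrentCertificateThumbprint) is not installed on this server.")
    } else {
        $daysLeft = [int]($current.NotAfter - $now).TotalDays
        if ($daysLeft -lt 0) {
            $findings.Add("Current Auth Certificate expired $([math]::Abs($daysLeft)) days ago; renewal required.")
        } elseif ($daysLeft -lt $CurrentThresholdDays) {
            $findings.Add("Current Auth Certificate expires in $daysLeft days (< $CurrentThresholdDays); a next certificate would be configured.")
        }
    }

    $next = Get-CertByThumbprint $authConfig.NextCertificateThumbprint
    if ($null -ne $next) {
        $daysLeft = [int]($next.NotAfter - $now).TotalDays
        if ($daysLeft -lt $NextThresholdDays) {
            $findings.Add("Next Auth Certificate expires in $daysLeft days (< $NextThresholdDays); renewal would be triggered.")
        }
    }

    [pscustomobject]@{
        CurrentThumbprint = $authConfig.CurrentCertificateThumbprint
        NextThumbprint    = $authConfig.NextCertificateThumbprint
        RenewalNeeded     = ($findings.Count -gt 0)
        Findings          = $findings
    }
}

Test-AuthCertificateState | Format-List
```

The check only reads configuration; if RenewalNeeded is true, run the script with -ValidateAndRenewAuthCertificate $true as described above.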