ExchangePro: Inter-org (cross forest) migration from EX2010 to EX2013 Cert Error (4295017)

Issue

Inter-org (cross forest) migration from exchange 2010 to exchange 2013

During migration from Ex2010 to Ex2013 via Exchange Pro the following Error appears:

The call to 'https://Ex2010-CAS.ForestA.com/EWS/mrsproxy.svc' failed. Error details: Could not establish trust relationship for the SSL/TLS secure channel with authority 'Ex2010-CAS.ForestA.com'. -- The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. -- The remote certificate is invalid according to the validation procedure.

Cause

The Error message displayed above indicates that your 2013 CAS does not trust your Ex2010 MRSProxy host. Typically this computer is an Ex2010 CAS. This can also be confirmed by going to Ex2013 CAS, open Internet Explorer and enter Https://Name of the server from the error, you would get a certificate error.

This error will only occur when migrating from Ex2010 to Ex2013 or Ex2013 to Ex2013, and is a result of an Ex2013 requirement to transfer mailbox data via encrypted SSL over port 443.

 Solution

 What is the best way to get Ex2013 server to trust Certificate your Ex2010?

 1.      If the Certificate on the Exchange 2010 server is a publicly valid certificate (i.e. GoDaddy or VeriSign) you can simply update the Exchange Pro settings page to use the public name present on the certificate, instead of the internal name. You may also need to update your E2E windows ‘hosts’ file to direct to the internal IP vs the external IP

a.      Click on the Forest tab within Exchange Pro

b.      Under your Source Forest click on Sites tab

c.      Under the Site Settings view look at the MRS Proxy Server(s)

d.      Copy the current value to a notepad

e.      Double click on the MRS Proxy Server(s) tab and delete the current value and replace it with the External name as listed on the certificate.

f.       Save the current configuration and restart the Binary Tree Exchange Pro MCP service

g.      Try the migration again and it should be successful.

2.      If the certificates were issued by your internal PKI sever on the source, you can export the root certificate from the source and then add it to a GPO on the target. Wait for the GPO to replicate, then execute GPUpdate /Force on the Ex2013 box to receive the updated certificates.

3.      If the certificate on Ex2010 is self signed, you can import that cert into your computer context to make it valid.

a.      You would open Internet Explorer on the Ex2013 box then type the following

https://Ex2010-CAS.ForestA.com/powershell  and press enter

b.      Click on “continue to this website (not recommended)”

c.      It will prompt you for credentials, enter your source admin account

d.      click on the red X shield next to Certificate error on the Url

e.      Mismatched Address box pops up                                             

f.       Go to Certificate tab

g.      You can import the Cert from here into the Trusted Root store

h.      Now use the Windows Certificate Manager to copy the certificate from the user context to the Trusted Root Store of the computer context

i.     Click on View certificate