EdgeSync failed to decrypt the credential for Edge Transport - Eventid 1033 MSExchange EdgeSync - Renewed certificate lately?

EdgeSync failed to decrypt the credential for Edge Transport server sr-xxxx.domain.lan using the private key of the default Exchange certificate with exception Invalid provider type specified.

. The certificate's thumbprint is XXXXXXXXXXXXXXXXXXXX52F0283F5F8BDDD13058 and its subject is CN=autodiscover.domain.nl, OU=ICT, O=Company., L=City, S=State, C=NL.

Use either Enable-ExchangeCertificate or New-ExchangeCertificate to set the proper Exchange default certificate and re-subscribe the Edge Transport server sr-XXXX.domain.lan again.

Well...here we go again.

At least I'm not bored at work.

Quick recap, this was after renewing our old Exchange certificate that had the SMTP service assigned to it. The old certificate was an old SHA1 type, this is very important to keep in mind as it comes back later in the solution.

In my quest to solve this as quickly as possible I came across some other strange things, which I will list later on.

But first let me sum up all the steps needed to resolve this:

1. On the Edge server request a new Exchange certificate:
   New-ExchangeCertificate
2. Generate a new EdgeSubscription file:
   New-EdgeSubscription -FileName C:\Temp\Servername.xml
3. Copy the EdgeSubscription file to an Exchange 2013 or 2016 or 2019 server (I'm assuming you installed multirole)
4. Remove the current EdgeSubscription(s):
   Get-EdgeSubscription | select Name
   Remove-EdgeSubscription -Identity YourEdgesubscriptionName
5. Find the current self signed Exchange Certificate with the servername as Subject. This certificate is created at installation. This certificate needs to get the SMTP service reassigned to it. Copy the thumbprint, we need it in the second command:
   Get-ExchangeCertificate | fl
   Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXX334EFEA37EFC7E5813 -DoNotRequireSsl -Services:SMTP
6. Double check your existing subscription has been deleted:
   Get-EdgeSubscription
7. Create a new Edge Subscription with the file copied in step 3:
   New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Temp\Servername.xml" -Encoding Byte -ReadCount 0)) -Site YourSiteName
8. Then start your newly created subscription:
   Start-EdgeSynchronization
9. Test the EdgeSynchronization:
   Test-EdgeSynchronization
10. The last step is to sync everything:
    Start-EdgeSynchronization -ForceUpdateCookie -ForceFullSync

The problem I had was the certificate that got renewed initialy was a SHA1 certificate.

The one it got replaced with was a SHA256 certificate. When trying to renew the Edge Subscription the following error popped up:

A special Rpc error occurs on server sr-xxxxx Invalid provider type specified

This the SHA1 part I mentioned earlier. The Edge Subscription only works with SHA1 certificates.

Strange and not very secure, eventho it is meant for internal Exchange server traffic only.

Hence the default certificate created at installation of Exchange itself is needed, which is SHA1.

Solved.

Exchange 2013 and 2016 - Create Edge subscription

I keep forgetting this:

This is for Exchange 2010, 2013 and 2016 and probaly 2019 but I didn't check this.

Create a new subscription file on the Edge server:

New-EdgeSubscription -FileName C:\Temp\Servername-Edge.xml

Copy the file to a mailbox server and import using this command:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Temp\Servername-Edge.xml" -Encoding Byte -ReadCount 0)) -Site "Sitename"

451 4.4.0 Primary target IP address responded with: 454 4.7.0 Temporary authentication failure - Exchange Edge

The error doesn't suggest anything that could point you to a solution.
In my case it wasn't the KB article found here.

Turned out to be a certificate Service assignment that got lost.

The error in the Eventviewer was:

EventID: 12023
Level: Warning

Task Category: Transportservice
Source: MSExchangeFrontEndTransport

Microsoft Exchange could not load the certificate with thumbprint of BAE49XX5021785XX4433FXXA78XX434CXXBD4EXX from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate BAE49XX5021785XX4433FXXA78XX434CXXBD4EXX -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint XX728XXD9AD2D55XXE9F9D4BEXX8949AE4DXXCBA is being used.

When running the command:

Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
499A246DF957FDF438CD9C7BF5DB070E326B0AF9  ...W...    CN=sr-XXXXX.domain.lan, O=Trend Micro ScanMail for Microsoft Ex...
4272892D9AD2D557DE9F9D4BEB98949AE4D8CCBA  .......    CN=sr-XXXXX.domain.lan
065470FCE311211810679A92A4A2F67708E29398  .......    CN=SkypeforBusiness-OWA
DA9D8609DED5198F1AEEE96E3CCE33ED7323DA5E  IP.WS..    CN=service0.domain.lan
ECB0F4D6FE4BCA7B6DAB79C96F491222F845B3B9  ....S..    CN=service1.domain.nl, O=domain N.V., L=City, S=State, C=NL
E40C46317EE13A419C3B41334EFEA37EFC7E5813  ....S..    CN=sr-XXXXX
2B55508050B8C4269D4DA3EE5C97B346AEAFDF7C  .......    CN=WMSvc-SR-XXXXX
93EEEB92883AB769FD22226B8B78DAB4C60EABD0  ....S..    CN=Microsoft Exchange Server Auth Certificate


Enable-ExchangeCertificate DA9D8609DED5198F1AEEE96E3CCE33ED7323DA5E -Services SMTP

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'BAE49EF5021785CA4433F25A7800434CA4BD4E6E' (expires 21-11-2017 13:51:22)
Replace it with certificate: 'DA9D8609DED5198F1AEEE96E3CCE33ED7323DA5E' (expires 26-9-2020 14:12:44)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
A special Rpc error occurs on server SR-XXXXX: The internal transport certificate for the local server was damaged or m
issing in Active Directory. The problem has been fixed. However, if you have existing Edge Subscriptions, you must subs
cribe all Edge Transport servers again by using the New-EdgeSubscription cmdlet in the Shell.
    + CategoryInfo          : ObjectNotFound: (:) [Enable-ExchangeCertificate], InvalidOperationException
    + FullyQualifiedErrorId : [Server=SR-XXXXX,RequestId=30ee7bbb-899d-4cb0-b4e2-8d7862775a41,TimeStamp=19-10-2018 10:
   06:00] [FailureCategory=Cmdlet-InvalidOperationException] FD2ADDFB,Microsoft.Exchange.Management.SystemConfigurati
  onTasks.EnableExchangeCertificate
    + PSComputerName        : sr-XXXXX.domain.lan

As soon as I ran this command mail flow started again.