Disabling the SMTP Exit Module of a Certification Authority

Assume the following scenario:

  • The certification authority is configured to send e-mail notifications about events on the certification authority using the SMTP exit module.
  • The configured SMTP server is unreachable, for example due to a failure.

In this case, the exit module cannot deliver the e-mail notifications. It runs into a timeout, and the certification authority becomes very slow.


Event no. 46 is logged in the Windows Event Viewer.

The "Windows default" Exit Module "Initialize" method returned an error. The transport failed to connect to the server. The returned status code is 0x80040213 (-2147220973). The Certification Authority was unable to send an email notification for EXITEVENT_STARTUP to admins1@fabrikam.com,admin2@fabrikam.com.

In such a case, it makes sense to disable the SMTP exit module.

This can be done by unsubscribing from all events.

Which events trigger an e-mail notification is defined in the following registry value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{name-of-certification authority}\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\smtp\EventFilter

If the value is set to "0", all events are unsubscribed.

The following command can also be used to unsubscribe from all events.

certutil -setreg exit\smtp\eventfilter 0

For the changes to take effect, the Certification Authority service must be restarted.
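
The steps above as one script, given here as an added example that is not part of the original article. It assumes an elevated PowerShell session on the CA server, that the "Active" value under the CertSvc configuration key names the CA, and the EXITEVENT_* bit values from certexit.h; the backup file name is hypothetical. Before the filter is cleared, the script decodes and saves the current mask so the notifications can be restored once the SMTP server is reachable again.

```powershell
# Added example: inspect, back up and clear the SMTP exit module event filter.
# EXITEVENT_* bit values as defined in certexit.h.
$ExitEvents = [ordered]@{
    EXITEVENT_CERTISSUED          = 0x01
    EXITEVENT_CERTPENDING         = 0x02
    EXITEVENT_CERTDENIED          = 0x04
    EXITEVENT_CERTREVOKED         = 0x08
    EXITEVENT_CERTRETRIEVEPENDING = 0x10
    EXITEVENT_CRLISSUED           = 0x20
    EXITEVENT_SHUTDOWN            = 0x40
    EXITEVENT_STARTUP             = 0x80
}

$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Assumption: the "Active" value holds the name of the CA installed on this server.
$CaName  = (Get-ItemProperty -LiteralPath $ConfigRoot -Name Active -ErrorAction Stop).Active
$SmtpKey = "$ConfigRoot\$CaName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\smtp"

# A missing EventFilter value is treated as 0 (no events subscribed).
$Props   = Get-ItemProperty -LiteralPath $SmtpKey -ErrorAction Stop
$Current = [int]$Props.EventFilter

# Decode the bitmask into the names of the subscribed events.
$Subscribed = $ExitEvents.GetEnumerator() |
    Where-Object { $Current -band $_.Value } |
    ForEach-Object { $_.Key }
Write-Host ("CA '{0}': EventFilter = 0x{1:X} ({2})" -f $CaName, $Current, ($Subscribed -join ', '))

if ($Current -eq 0) {
    Write-Host 'No events are subscribed; nothing to change.'
    return
}

# Keep the previous mask so it can be restored later (hypothetical file name).
$Backup = Join-Path $env:TEMP 'smtp-eventfilter-backup.txt'
Set-Content -LiteralPath $Backup -Value $Current
Write-Host "Previous EventFilter value saved to $Backup"

# Unsubscribe from all events, then restart the CA service so the change takes effect.
Set-ItemProperty -LiteralPath $SmtpKey -Name EventFilter -Value 0 -Type DWord
Restart-Service -Name CertSvc
Write-Host 'EventFilter set to 0 and Certification Authority service restarted.'
```

To restore the notifications later, pass the saved number to certutil -setreg exit\smtp\eventfilter and restart the Certification Authority service again.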

Alternative: Disable exit module completely

It is also possible to disable the exit module completely. See the article "Operating the Certification Authority without exit module".
