This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 51%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
I am running the hybrid configuration wizard on a dedicated exchange 2019 for hybrid server to move the role off an existing 2013 hybrid server.
Currently on-prem we still have exchange 2013, and also 2019 servers.
When i get to the point of the HCW running all commands to create connectors i get this error saying "given certificate is not enabled for smtp protocol"
During the hcw it only lets me select 1 certificate, it is a 3rd party wildcard(same cert installed on the other servers). the cert has the root ca in the trusted folder.
HCW0 - PowerShell failed to invoke 'Set-SendConnector': The given certificate is not enabled for SMTP protocol. Only certificates enabled for SMTP protocol can be set on Send Connectors. To enable a certificate for SMTP, please use 'Enable-ExchangeCertificate' cmdlet. {CategoryInfo={Activity=[System.String] Set-SendConnector,Category=[System.Management.Automation.ErrorCategory] InvalidOperation,Reason=[System.String] InvalidOperationException,TargetName=[System.String] Outbound to Office 365,TargetType=[System.String] ADObjectId},ErrorDetails=,Exception=[System.Management.Automation.RemoteException] The given certificate is not enabled for SMTP protocol. Only certificates enabled for SMTP protocol can be set on Send Connectors. To enable a certificate for SMTP, please use 'Enable-ExchangeCertificate' cmdlet.,FullyQualifiedErrorId=[System.String] [Server=hybrid100RequestId=cdf36830-7128-4be1-bbab-9c8e8194a4d6,TimeStamp=8/2/2020 3:59:17 AM] [FailureCategory=Cmdlet-InvalidOperationException] 8E5C345C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetSendConnector} The source Transport servers specified for the connector aren't in the same Active Directory site.
When I run the Enable-ExchangeCertificate command on that dedicated new hybrid 2019 server it says that the certificate thumbprint does have iis and smtp associated with it, yet i continue to get this error above and it does not let me finish the configuration.
@oldschoola410
Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 33%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Came across this issue in our environment trying to add new servers to an existing send connector - the cmdlet I was using was Set-Sendconnector -SourceTransportServers @{add='SERVERNAME'} which is in effect re-adding all existing servers and the new server to the connector. I found that the error was not related to the new server but somehow one of the existing servers did not have the SMTP service assigned to the cert used by the send connector. Running Enable-ExchangeCertificate on the existing server and then re-running the additions to the send connector resolved the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 86%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
I also went through this, I installed a new certificate on a two member DAG and tried to add it to the Hybrid outbound connector. I stared with server no 1 but kept getting the "this certificate is not enabled for SMTP, though it clearly was. Thing is that a send connector has a number of "source servers", that is servers that are allowed to use it. So, the error was coming from the certificate of the OTHER source server the send connector was going to allow through it and on the other server the certificate was not indeed enabled for SMTP.
Dimitris
Try to run command below on your Exchange 2019 server, find the correct information for certificate on that server and make sure this certificate is valid:
Get-ExchangeCertificate| fl Thumbprint,Services,Subject,Status
I also try to reenable SMTP to the certificate which has had "SMTP" service, I don't get any warning about it:
Could you provide a detailed information about the certificate on your Exchange 2019 server? It may could help us to narrow down it.
Here is also a related KB which about certificate error when running HCW: "Confirm Hybrid Certificate has IIS and SMTP services assigned to it" error when you run the Exchange Hybrid Configuration Diagnostic
Here is a pic of the get- command run off the hybrid server. the certificate im using is the 3rd party wildcard thats highlighted in the screenshot below. As you can see it has iis and smtp assigned.
The cert is a 3rd party signed public ca cert wildcard. The ca is a trusted ca on the server. IT is the same wildcard assigned to all my other exchange servers with no issue.
I ran through the article you posted prior to postingon here and followed those commands to "reapply" the settings, but still the same issue happens.
ok after rerunning it decided to go through the wizarfd completely. now with no error.
the only thing im seeing now is when i use the exchange connectivity tester to test oauth i get this error
when i run the get-authserver command on my hybrid server i get the 2nd screenshot below... one thing i noticed from that connectivity test is the X-FEserver that responds, is not the hybrid server...does this matter? my autodiscover.company.com and hybrid.company.com entries are pointed to my 2019 hybrid server and my activesync.company.com is pointed to the 2013 activesync, cas server.
Glad to see the original question is solved now. About the new question, I would suggest you create a new thread and continue to discuss it in that new thread. It will better for other users to search and find the suitable answer.
Here is information that will be useful to you new question: How to configure Exchange Server on-premises to use Hybrid Modern Authentication