Cannot integrate Server Essentials Services with Office 365

Question

A new installation of Server 2016 standard with Server Essentials Experience Role installed.The Server is fully patched to date.
In Server Essentials Dashboard in HOME\Services TAB the Microsoft Cloud Services Integration does not populate.

I believe this issue started for us in late Sepotember 2022.
It seems OnlineServicesConfigFile-GB.xml and OnlineServicesConfigFile.xml are not available for download. Please see logs below.

[1752] 221119.011750.2937: OnlineServicesConfigFile: downloading https://sbsdomains.blob.core.windows.net/azureintegration-2016rtm/OnlineServicesConfigFile-GB.xml
[1752] 221119.011750.7625: OnlineServicesConfigFile: Failed to download online services config file OnlineServicesConfigFile-GB.xml.
[1752] 221119.011750.7625: OnlineServicesConfigFile: downloading https://sbsdomains.blob.core.windows.net/azureintegration-2016rtm/OnlineServicesConfigFile.xml
[1752] 221119.011750.8718: OnlineServicesConfigFile: Failed to download online services config file.
[3420] 221119.011803.2938: O365ProviderBackend: Connect failed becaused System.TimeoutException: Timeout occurred waiting for connection to complete. Connection attempt is still in progress.

I tested both URL's in a browser and I get an error that the resource is not found.

<Error> <Code>ResourceNotFound</Code> <Message>The specified resource does not exist. RequestId:23a0f60e-501e-008e-72d4-fca758000000 Time:2022-11-20T11:36:41.6703595Z</Message> </Error>

Answer 1

This is the result of an error that's happening over on Microsoft's backend seeing as they have broken some of the online services download links, by (re)moving the XML files that they point to, and there's nothing much that anyone here can do about it I'm afraid. I've tried to inform Microsoft about the issue (on this forum), but they never acknowledged me.

Basically what's happening is that the C:\ProgramData\Microsoft\Windows Server\Data\Cloud folder is empty because the following links (where the Essentials source code goes to in order to download the XML files to fill that folder with) are broken (and hence the HOME -> Get Started -> SERVICES section of the server Dashboard won't populate):

https://go.microsoft.com/fwlink/?LinkID=785361
ExternalOnlineServicesUtils.cs
OnlineServicesConfigFile.xml
OnlineServicesConfigLanguageResourceFile.xml

https://go.microsoft.com/fwlink/?LinkID=785361
CloudServiceEnvironment.cs
CloudServiceEnvironment.xml

Until such time as Microsoft fixes those broken links, the online services features of Windows Server Essentials will not work.

Unfortunately, Microsoft seems hell-bent on continuously breaking the online services features in Windows Server Essentials (I guess they don't care about their Essentials/SBS customers anymore, and would rather that they just move up to using their pricey Azure platform instead). Personally, I'd say that you should try and avoid using any of the online services in Essentials now seeing as Microsoft will most likely just keep on breaking them over and over again (and then taking many months to fix what they've broken each time). It's SUPER annoying!

Answer 2

• @The Office Maven @Jon VanDyke @RadiumArch FIXED!!! HERE ARE THE STEPS...

Create 3 files using the below text and save in same location then…

In Powershell as admin navigate to configureTLSess.ps1 location and execute it.
  
configureTLSEss.ps1
     Write-Host "Please Make sure the files 'TLSDisable.reg' and 'TLSPreReq.reg' are present in the same location as script under the folder 'SupportFiiles'---" -ForegroundColor Green
     Write-Host "If not present, please merge these manually---" -ForegroundColor Green
     Write-Host "Backing registries..."
     reg export HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL ssl.reg
     reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL schannel.reg
     reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 NetV2.reg
     reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 NetV4.reg
     reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727 NetV2-64.reg
     reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 NetV4-64.reg
     reg export 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' winhttp.reg
     reg export 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' winhttp-64.reg
     Write-host "Disabling Old TLS Versions..Importing registry SupportFiles\TLSDisable.reg"
     reg import .\SupportFiles\TLSDisable.reg
     Write-Host "Configuring TLS1.3 Pre-Reqs"
     reg import .\SupportFiles\TLSPreReq.reg
     write-host "Reboot is required to complete the operation, reboot and try to enable )365 integration again"
    
TLSDisable.reg
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
 
"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
 
"AllowInsecureRenegoClients"=dword:00000000
 
"AllowInsecureRenegoServers"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/56]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
 
"Enabled"=dword:FFFFFFFF
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
 
"DisabledByDefault"=dword:00000001
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
 
"DisabledByDefault"=dword:00000001
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
 
"DisabledByDefault"=dword:00000001
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
 
"DisabledByDefault"=dword:00000001
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
 
"DisabledByDefault"=dword:00000001
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
 
"DisabledByDefault"=dword:00000001
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
 
"DisabledByDefault"=dword:00000001
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
 
"DisabledByDefault"=dword:00000001
 
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
 
"DisabledByDefault"=dword:00000000
 
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
 
"DisabledByDefault"=dword:00000000
 
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
 
"DisabledByDefault"=dword:00000000
 
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
 
"DisabledByDefault"=dword:00000000
 
"Enabled"=dword:00000001
 
TLSPreReq.reg
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
 
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
 
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
 
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
 
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
 
"DefaultSecureProtocols"=dword:00000AA0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
 
"DefaultSecureProtocols"=dword:00000AA0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
 
"DisabledByDefault"=dword:00000000
 
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
 
"DisabledByDefault"=dword:00000000
 
"Enabled"=dword:00000001

Answer 3

Yes, TLS 1.2 must be enabled and forced over 1.3 protocols.

You can review your logs and find the log states resource not found and the links. The links above 1 of 2 links work. Wondering if the links changed and 1 of them did not get updated.

Effects all Azure AD and O365 hybrid deployments from what I see. Applies to any server running the Essentials experience be it that version or standard with the feature turned on.

Answer 4

So, the issue I have found with the dashboard not populating is related to the updated standard in TLS. (1.2) This will also affect your AnyWhere access giving an error.

To resolve this issue you have to change some registry keys to "force" the server to use TLS 1.2

Note: Always backup your registry prior to making any modifications.

The registry entries can be found here: https://gist.github.com/debold/1634d73ffda15dce4945aa30873c5338#file-enable-net-tls12-reg

Once you make the changes, you will need to restart the server. The issue with connecting to Office 365 still remains however due to what @The Office Maven mentioned regarding the XML files being missing. Microsoft has to fix this.

My thoughts are, as a workaround, we find the XML files from a healthy, functioning WSE server and copy them to the server with the issue.

Answer 5

Broken for me as well. Would REALLY like a fix.....