Exchange Emergency Mitigation Service doesn't fetch mitigation from mitigation endpoint

Ondrej Drobilek 1 Reputation point
2022-10-18T07:16:07.09+00:00

Hello all,

Since enabling EEMS, I receive the error below in a certain environment (in other environments I don't see any issue). However, the tests are successful. I guess the issue is with the TLS certificate. I'm not sure how to fix it; can you help here?

.\Test-MitigationServiceConnectivity.ps1
Result: Success.
Message: The Mitigation Service endpoint is accessible from this computer.

Invoke-RestMethod -Method GET -Uri "https://officeclient.microsoft.com/getexchangemitigations"
xml EOCS
--- ----
version="1.0" encoding="utf-8" EOCS

I can fetch https://officeclient.microsoft.com/getexchangemitigations from the affected servers via Edge, and no certificate warning is received.

Event ID 1008 is displayed every hour:
An unexpected exception occurred. Diagnostic information:
Exception encountered while fetching mitigations : System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.<GetHttpUrlResponseAsync>d__2.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.FetchMitigationsFromUrlT
at Microsoft.Exchange.Mitigation.Service.MitigationCloudServiceV2.FetchMitigations()
at Microsoft.Exchange.Mitigation.Service.Mitigations.MitigationEngine.FetchAndApplyMitigation()
---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.<GetHttpUrlResponseAsync>d__2.MoveNext()<---

Exchange Server Management

3 answers

  1. Andy David - MVP 143.6K Reputation points MVP
    2022-10-18T11:30:01.467+00:00

    Sounds like the Exchange Servers can't connect to the internet:
    https://granikos.eu/exchange-emergency-mitigation-service-findings/


  2. Andy David - MVP 143.6K Reputation points MVP
    2022-10-18T11:50:44.88+00:00

    OK, so no proxies in the path? TLS 1.2 is being enforced on the Exchange Servers?


  3. Jame Xu-MSFT 4,171 Reputation points
    2022-10-26T08:18:11.067+00:00

    Hi @Ondrej Drobilek ,

    Thanks for your feedback above, which shared more information, and glad to know that your issue is resolved now! Since our forum has the policy that "The question author cannot accept their own answer. They can only accept answers by others", and according to the scenario introduced here: Answering your own questions on Microsoft Q&A,

    I would make a brief summary of this post so that other forum members could easily find useful information here:

    [Exchange Emergency Mitigation Service doesn't fetch mitigation from mitigation endpoint - Summary]

    Issue Symptom:
    Exchange Emergency Mitigation Service doesn't fetch mitigation from mitigation endpoint

    Solution:
    Cause was firewall. Adding FW exception helped.

    You could "Accept Answer" for this summary to close this thread, and your action would be helpful to other users who encounter the same issue and read this thread. Thanks for your understanding!


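For the "remote certificate is invalid" error in Event ID 1008 and the proxy/firewall question raised in the answers, the following PowerShell check records the certificate chain and policy errors that the server actually receives from the endpoint host named in the question. It is an added example, not code from the thread or from Microsoft; the variable names are hypothetical, and it assumes Windows PowerShell 5.1 on the affected Exchange server.

```powershell
# Added diagnostic (not from the thread). Run it on the affected Exchange server,
# ideally under the same account as the mitigation service.
$HostName = 'officeclient.microsoft.com'   # endpoint host from the question
$Port = 443
$CheckRevocation = $false   # set to $true to also test CRL/OCSP reachability
$seen = @{ Errors = $null; Chain = @() }   # filled in by the callback

# Record what was presented and how Windows judged it, then apply the normal
# rule: trust only when there are no policy errors.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $sslPolicyErrors)
    $seen.Errors = $sslPolicyErrors
    $seen.Chain = @(foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $element.Certificate.Subject
            Issuer     = $element.Certificate.Issuer
            Thumbprint = $element.Certificate.Thumbprint
            NotAfter   = $element.Certificate.NotAfter
            Status     = ($element.ChainElementStatus.Status -join ', ')
        }
    })
    return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$client = [System.Net.Sockets.TcpClient]::new()
try {
    $client.Connect($HostName, $Port)   # throws if the TCP path itself is blocked
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $CheckRevocation)
        "Handshake OK ($($ssl.SslProtocol))"
    } catch {
        "Handshake failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $ssl.Dispose()
    }
} finally {
    $client.Close()
}

"Policy errors: $($seen.Errors)"
# Leaf first, root last. An issuer that belongs to your own firewall or proxy CA,
# or a status such as UntrustedRoot, shows where the chain stops being trusted.
$seen.Chain | Format-List
```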