This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 28.000000000000004%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Good Morning
Firstly, thank you for taking the time to read my post. Looking for some advice and help please with the following scenario.
A Windows Server 2008 physical box running Exchange 2010 SP3 (Latest Roll-up) - 14.03.0513.000
I am doing a test migration before moving our small user base (25-50) to O365 permanently.
I have setup Azure AD Connect and sync'd two test users. All works good, users can sign in on Azure with their current windows (UPN) creds.
When running the migration wizard i am doing so from a domain joined member (W7 - 64 bit) which I believe is okay to do-so.
All steps of the migration pass, i.e tenant e-mail addresses added to all mailboxes with the default policy applied.
However, at the last hurdle I am receiving the following message:-
"Microsoft.Exchange.Migration.MigrationServerConnectionFailedException
The connection to the server 'mail.example.com' could not be completed.
Microsoft.Exchange.MailboxReplicationService.MRSRemoteTransientException
The call to 'https://mail.example.com/EWS/mrsproxy.svc' failed. Error details: Could not establish secure channel for SSL/TLS with authority 'mail.example.com'. --> The request was aborted: Could not create SSL/TLS secure channel..
Microsoft.Exchange.MailboxReplicationService.MRSRemotePermanentException
Could not establish secure channel for SSL/TLS with authority 'mail.example.com'.
Microsoft.Exchange.MailboxReplicationService.MRSRemotePermanentException
The request was aborted: Could not create SSL/TLS secure channel."
*Please note I have replace our domain with example.
We have a 3rd party cert (digicert).
MRSProxy is enabled
Service responds with creds if i browse to the link.
I have enabled/disabled the proxy / reset IIS etc. and to no avail.
Hoping for anything else I can try in terms of troubleshooting.
Thanks for taking the time to read
--
Christopher.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @Christopher
According to the error information you provided above, "Could not establish secure channel for SSL/TLS with authority "
Please make sure you have enabled TLS 1.2 or a later version and disabled TLS 1.0 and 1.1. And I mentioned that your windows server version is 2008, we can check the description here:
For the step by step guide, check the link here: Preparing for TLS 1.2 in Office 365 and Office 365 GCC
This official KB gives an introduction about Troubleshooting issues where the hybrid migration endpoint cannot be created for your reference as well.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello @Joyce Shen - MSFT
Thank you for your response. The server is definitely Windows Server 2008 SP2 (not R2).
Could I ask if it's possible, not to subsequently break anything internally, to enable TLS1.2 but leave TLS1.0 in-place until our migration is complete. Once done we plan to effectively retire the on-prem server anyway.
I have read that O365 will look for TLS1.2 to connect and fail if not enabled, so just looking to make as few changes as necessary to get the migration going.
I hope that makes sense and thank you for your response.
--
Christopher
Hi,
Any progress about your issue? Enable TLS1.2 and remain TLS1.0 should be OK, however it's not the best practice. Take a try and verify if HCW work properly.
Hi
The updates outlined, thank you, were unable to install due to them reporting that they were not applicable to the system. Looking further I could see that 4019276, for example, has been superseded by another update so I think the patches are actually already in-place.
I will be making the change in a DR environment tomorrow and will report back.
Christopher.
Hi,
Feel free to share your update here if any, waiting for your feedback! Good luck
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 34%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJO%3C/text%3E%3C/svg%3E)
Hi Christopher,
Were you able to get this to work? I am having the same issue on EBS 2008. The goal is to upgrade to Server 2019 ASAP and this is just a step along the way. According to https://support.microsoft.com/en-us/topic/description-of-software-update-services-and-windows-server-update-services-changes-in-content-for-2017-5db6e3a1-e753-ce76-d7bc-7b8aaa887548
KB4034786 supersedes KB4019276. I have the registry keys setup and I believe everything is correct for TLS 1.2, just waiting for a time to reboot. If you were successful in getting this to work I would greatly appreciate if you would share what you did.
Thanks,
John
Good Morning All
I can confirm that after enabling TLS1.2 - and ensuring that Exchange 2010 SP3 was patched with the latest cumulative updates I was able to make the end point connection from our server, Windows Server 2008 Std to Office 365.
As other posters noted, this also meant that Outlook on Android devices started to work again without issue.
Thank you everyone for your assistance and best of luck to anyone else working with older systems and worrying about pressing that button!
Hi @JohnM Oxley
I have yet to implement given we are fast approaching our busy period and don't want to risk upsetting anything until we are in a position to spend more time. I am pretty confident however that enabling TLS1.2 which will work side-by-side with the other TLS1.0 etc won't lead to major problems and once it's enabled, I can get the end point created, start the migration and then retire the old box. What you could do, if you have the ability, is to bring up a DR environment of your current setup, make the TLS change and make sure your Exchange box etc. still boots, etc. etc - that's what I did and all seemed good.
It all depends I guess on your timescales and pressure from above!
When I do make the change I will of course be coming back here to post the update and let you all know but at this time I'm afraid I'm unable to say when this will be.
Good luck - I'm sure you will be fine.
Hi @Christopher
I was able to complete the process, other than some SChannel events in the logs everything is working great and I was able to create the end point with the HCW. The whole process was pretty uneventful. On a side note, Outlook for Android has started working with Exchange again. Thanks for the response and good luck with your server! Let me know if I can answer any questions.
That's great news! I'm super pleased for you and glad that you've made progress. I'm pretty sure when I make the change I'll be in the same situation as your good-self but for us, I just need to move past our busy period (production) before rolling out. The outlook for android issue is actually the catalyst to try and get the change made sooner rather than later!
All the best!