
Hybrid Setup Issues

Anonymous
2016-04-11T04:52:25+00:00

Hi Guys,

I'm having an issue integrating my on-prem Exchange server and Office 365.

Environment

Forest with +2 domains

First domain, exchange 2010 (All roles) + cas server

Second domain, exchange 2013 (Mailbox role) + 2 x CAS servers

Third domain, Exchange 2013 (All roles)

When I run the hybrid configuration utility I get an error:

HCW8057 - Office 365 was unable to communicate with your on-premises Autodiscover endpoint. This is typically due to incorrect DNS or Firewall configuration. The office 365 tenant is currently configured to use the following URL for Autodiscover queries for the office 365 tenant to the on-premises organization.

If I run Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox shaun@**.co.za -Verbose | fl

It returns the following results:

RunspaceId  : 6edd31de-680d-435b-bfab-91113de0c63f
Task        : Checking EWS API Call Under Oauth
Detail      : The configuration was last successfully loaded at 0001-01-01 12:00:00 AM UTC. This was 1059932730 minutes ago.
              The token cache is being cleared because "use cached token" was set to false.
              Exchange Outbound Oauth Log:
              Client request ID: ec7a0fa6-bf47-455f-9427-54d27f095561
              Information:[OAuthCredentials:Authenticate] entering
              Information:[OAuthCredentials:Authenticate] challenge from 'outlook.office365.com/.../Exchange.asmx' received: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="login.windows.net/.../authorize",Basic Realm=""
              Information:[OAuthCredentials:GetToken] client-id: '00000002-0000-0ff1-ce00-000000000000', realm: '', trusted_issuer: '00000001-0000-0000-c000-000000000000@*'
              Information:[OAuthCredentials:GetToken] start building a token for the user domain '**.co.za'
              Error:Missing signing certificate.
              Exchange Response Details:
              HTTP response message:
              Exception:
              System.Net.WebException: The request was aborted: The request was canceled. ---> Microsoft.Exchange.Security.OAuth.OAuthTokenRequestFailedException: Missing signing certificate.
                 at Microsoft.Exchange.Security.OAuth.LocalTokenIssuer..ctor(LocalConfiguration localConfiguration, String realm)
                 at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder..ctor(String realm, String tenantId, LocalConfiguration localConfiguration, String caller)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.GetToken(WebRequest webRequest, HttpAuthenticationChallenge challengeObject)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.Authenticate(String challengeString, WebRequest webRequest, Boolean preAuthenticate)
                 at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
                 at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
                 at System.Net.HttpWebRequest.CheckResubmitForAuth()
                 at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
                 at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
                 at System.Net.HttpWebRequest.ProcessResponse()
                 at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
                 --- End of inner exception stack trace ---
                 at System.Net.HttpWebRequest.GetResponse()
                 at Microsoft.Exchange.Monitoring.TestOAuthConnectivityHelper.SendExchangeOAuthRequest(ADUser user, String orgDomain, Uri targetUri, String& diagnosticMessage, Boolean appOnly, Boolean useCachedToken, Boolean reloadConfig)
ResultType  : Error
Identity    : Microsoft.Exchange.Security.OAuth.ValidationResultNodeId
IsValid     : True
ObjectState : New

I have no issue setting up mailboxes locally, but when I try to migrate a mailbox from on-prem to Office 365 it fails and the error log is blank, so I'm battling to find the error here. We block SMTP to the www and only allow it to a specific host (our mail gateway); not sure if this could be the problem?

Thanks

Shaun
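The "Missing signing certificate" line in the Test-OAuthConnectivity output points at the on-premises OAuth configuration rather than at SMTP or Autodiscover: on-premises Exchange signs the outbound OAuth token with the certificate whose thumbprint Get-AuthConfig reports. The check below is an added example, not code from the poster or from Microsoft; it assumes it runs in the on-premises Exchange Management Shell, where Get-AuthConfig, Get-ExchangeServer and Get-ExchangeCertificate are available, and reports, per server, whether that certificate is present, expired, or close to expiry.

```powershell
# Added example (not part of the original post). Assumes the on-premises
# Exchange Management Shell: Get-AuthConfig, Get-ExchangeServer and
# Get-ExchangeCertificate must be available.

function Test-OAuthSigningCertificate {
    [CmdletBinding()]
    param(
        # Remaining validity (in days) below which the certificate is flagged.
        [int]$WarnDays = 30
    )

    $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    $findings   = @()

    if ([string]::IsNullOrEmpty($thumbprint)) {
        # No certificate is configured at all: Exchange has nothing to sign with.
        return ,[pscustomobject]@{ Server = '(org)'; Status = 'NoThumbprintInAuthConfig'
                                    Detail = 'Get-AuthConfig has no CurrentCertificateThumbprint' }
    }

    # The auth certificate must exist, unexpired, on every server that can issue
    # tokens, not only on the one you are logged on to. Edge servers are skipped.
    foreach ($server in (Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer })) {
        try {
            $cert = Get-ExchangeCertificate -Server $server.Name -ErrorAction Stop |
                    Where-Object { $_.Thumbprint -eq $thumbprint }
        }
        catch {
            # Distinguish "query failed" from "certificate absent".
            $findings += [pscustomobject]@{ Server = $server.Name; Status = 'QueryFailed'; Detail = $_.Exception.Message }
            continue
        }

        $now = Get-Date
        if (-not $cert)                              { $status = 'MissingOnServer'; $detail = "thumbprint $thumbprint not found" }
        elseif ($cert.NotAfter -lt $now)             { $status = 'Expired';         $detail = "expired $($cert.NotAfter.ToString('u'))" }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $status = 'ExpiringSoon'; $detail = "expires $($cert.NotAfter.ToString('u'))" }
        else                                         { $status = 'OK';              $detail = "valid until $($cert.NotAfter.ToString('u'))" }

        $findings += [pscustomobject]@{ Server = $server.Name; Status = $status; Detail = $detail }
    }
    return $findings
}

Test-OAuthSigningCertificate | Format-Table -AutoSize
```

In a mixed 2010/2013 forest, run it from the Exchange 2013 shell; a QueryFailed row means the remote certificate query itself failed, not that the certificate is absent.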


14 answers

  1. Anonymous
    2016-04-25T00:35:51+00:00

    Hi Guys,

    So I spent some time on this this weekend and still no luck. But I logged onto our 2010 server to sort out an issue and found this error when I opened up the SMTP connector. It was late last night, so I will carry on today with it.

    Warnings
    Get-ReceiveConnector
    Completed
    Warning:
    The object CAS1\Default Frontend CAS1 has been corrupted, and it's in an inconsistent state. The following validation errors happened:
    Warning:
    Could not convert property TlsDomainCapabilities to type SmtpReceiveDomainCapabilities. Error while converting string 'mail.protection.outlook.com:512' to result type Microsoft.Exchange.Data.SmtpReceiveDomainCapabilities: "mail.protection.outlook.com:512" isn't a valid list of SMTP Receive domain capabilities.
    Warning:
    The object CAS2\Default Frontend CAS2 has been corrupted, and it's in an inconsistent state. The following validation errors happened:
    Warning:
    Could not convert property TlsDomainCapabilities to type SmtpReceiveDomainCapabilities. Error while converting string 'mail.protection.outlook.com:512' to result type Microsoft.Exchange.Data.SmtpReceiveDomainCapabilities: "mail.protection.outlook.com:512" isn't a valid list of SMTP Receive domain capabilities.

  2. Anonymous
    2016-04-15T04:30:59+00:00

    Hi Shaun,

    Have you checked the information Neo posted above? Any updates to share?

    Thanks,

    Allen

  3. Anonymous
    2016-04-12T22:24:55+00:00

    Hi Shaun,

    We have an official KB published for this kind of hybrid deployment error. Have you checked it already? "HCW8034" or "HCW8057" error when you run the Hybrid Configuration wizard.

    Specifically, please focus on the "Firewall is blocking required IP addresses from accessing on-premises servers" section and see if you have allowed all the required URLs and IP address ranges on your firewall. Based on my experience, most of these errors are caused by firewall settings, so let's focus on this part first.

    And if everything required has been allowed, would you please try bypassing all firewall settings temporarily to see if the issue relates to firewall settings at all? For security considerations, I suggest you do it at an off-work time.

    Looking forward to your updates.

    Thanks,

    Neo

  4. Anonymous
    2016-04-12T00:54:10+00:00

    I have spent days on this, and have been through every MS guide available. I'm running a hybrid, and it will remain a hybrid; data is too expensive for me to send out directly from my production site. I don't pay for data from my head office, so the applications that need to mail out will always use that server. The Lepide software is another expense for something that should work natively.
