EWS Issue TLS 1.2 Office365 Hybrid with Exchange

Prasad Vadke 6 Reputation points
2021-11-18T02:24:19.093+00:00

Hi,

We have Exchange 2016 CU 19 setup in Hybrid with Office365.

There are 2 issues

  1. Users on Office365 are unable to perform Free/Busy lookups of on-premises Exchange users
  2. The connector on Office365 pointing to on-prem Exchange always fails during validation. It shows a connectivity issue

Everything else is working:

We are able to migrate Exchange mailboxes to Office365 without any issues
Exchange users are able to perform Free/Busy lookups of Office365 users
Exchange Users are able to send email to Office365 Users

Upon running the EWS test at https://testconnectivity.microsoft.com/tests/EwsTask/input we observed the following issue when connecting to Autodiscover:

The SSL certificate failed one or more certificate validation checks.
Test Steps

The Microsoft Connectivity Analyzer is probing the TCP endpoint 103.155.188.20 on port 443 to detect which SSL/TLS protocols and cipher suites are enabled.
We were able to detect the enabled protocols and cipher suites.
Additional Details
TLS Protocol: SSL v3, Not enabled.
TLS Protocol: TLS 1.0, Enabled cipher suites: TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS Protocol: TLS 1.1, Enabled cipher suites: TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS Protocol: TLS 1.2, Not enabled.

Checking that your server supports modern TLS protocols and cipher suites.
Your server doesn't support modern TLS protocols and cipher suites.

It shows TLS 1.2 as not enabled; however, when testing from SSL Labs or any other SSL check site, TLS 1.2 is reported as enabled:

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Cipher Suites

TLS 1.2 (suites in server-preferred order)

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128

How do we ensure TLS 1.2 is enabled and functional on Exchange? All the registry settings are configured correctly for TLS 1.2.


2 answers

  1. KyleXu-MSFT 26,276 Reputation points
    2021-11-19T01:54:55.91+00:00

    @Prasad Vadke

    This thread will focus on discussing the first problem: users on Office365 are unable to perform Free/Busy lookups of on-premises Exchange users. One thread, one question is easier for other users to search and reference. About the mail flow issue, I would suggest you open a new thread and let us discuss it there.

    Do you mean online users cannot see the Exchange on-premises mailbox free/busy information? If so, I would suggest you check the configuration of Organization Sharing on your Exchange on-premises server:
    [screenshot of the Organization Sharing settings]

    Make sure this information is correct:

    Domains to share with: yourOnlineDomain.mail.onmicrosoft.com, mail.yourOnlineDomain.onmicrosoft.com, yourOnlineDomain.onmicrosoft.com (if a custom domain exists, you also need to add it)
    Application URI: outlook.com
    Autodiscover endpoint: https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity

    After that, wait a while and try to check again. By the way, Exchange 2016 CU 19 is old, I would suggest you update to Exchange CU 22 and Nov21SU, it could strengthen your Exchange server security and solve some known issues.

    About TLS, here is a detailed information about it: Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It




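The Organization Sharing values listed in the answer above can be verified (and, if needed, corrected) from the on-premises Exchange Management Shell instead of clicking through the admin center. The script below is an added example and is not part of KyleXu-MSFT's answer or of any Microsoft documentation; it uses the real cmdlets Get-OrganizationRelationship, Set-OrganizationRelationship, Get-FederationInformation and Test-OrganizationRelationship. The tenant name contoso, the test mailbox and the relationship names are placeholders.

```powershell
# Added example, not from the thread. Run in the on-premises Exchange Management Shell.
# Placeholders: 'contoso' (your tenant name) and the test mailbox below.
$Tenant   = 'contoso'
$TestUser = 'someone@contoso.com'     # an on-premises mailbox for Test-OrganizationRelationship
$Expected = @{
    # The three tenant domains from the answer; add your custom (vanity) domains to this list too.
    DomainNames           = @("$Tenant.mail.onmicrosoft.com", "mail.$Tenant.onmicrosoft.com", "$Tenant.onmicrosoft.com")
    TargetApplicationUri  = 'outlook.com'
    TargetAutodiscoverEpr = 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity'
}

function Test-HybridOrgRelationship {
    # Compares every on-premises organization relationship with the expected hybrid values and
    # returns one object per relationship listing what does not match. With -Fix, the relationship
    # is rewritten to the expected values (free/busy level LimitedDetails = times plus subject and
    # location; use AvailabilityOnly if only free/busy times should be shared).
    param([switch]$Fix)

    foreach ($rel in Get-OrganizationRelationship) {
        $actualDomains = @($rel.DomainNames | ForEach-Object { $_.ToString().ToLowerInvariant() })
        $missing  = @($Expected.DomainNames | Where-Object { $actualDomains -notcontains $_.ToLowerInvariant() })
        $problems = @()
        if ($missing.Count -gt 0) { $problems += "DomainNames missing: $($missing -join ', ')" }
        if ("$($rel.TargetApplicationUri)" -ne $Expected.TargetApplicationUri) {
            $problems += "TargetApplicationUri is '$($rel.TargetApplicationUri)', expected '$($Expected.TargetApplicationUri)'"
        }
        if ("$($rel.TargetAutodiscoverEpr)" -ne $Expected.TargetAutodiscoverEpr) {
            $problems += "TargetAutodiscoverEpr is '$($rel.TargetAutodiscoverEpr)', expected '$($Expected.TargetAutodiscoverEpr)'"
        }
        if (-not $rel.Enabled)               { $problems += 'relationship is disabled' }
        if (-not $rel.FreeBusyAccessEnabled) { $problems += 'FreeBusyAccessEnabled is False' }

        if ($Fix -and $problems.Count -gt 0) {
            Set-OrganizationRelationship -Identity $rel.Identity `
                -DomainNames ($actualDomains + $missing) `
                -TargetApplicationUri  $Expected.TargetApplicationUri `
                -TargetAutodiscoverEpr $Expected.TargetAutodiscoverEpr `
                -Enabled $true -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
        }

        [pscustomobject]@{
            Relationship = $rel.Name
            Domains      = $actualDomains -join ', '
            Problems     = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'none' }
        }
    }
}

function Get-TenantFederationTarget {
    # Asks Microsoft 365 what it publishes for the tenant domain. TargetApplicationUri and
    # TargetAutodiscoverEpr returned here are what the on-premises relationship must point at.
    Get-FederationInformation -DomainName "$Tenant.mail.onmicrosoft.com" |
        Select-Object TargetApplicationUri, TargetAutodiscoverEpr, DomainNames
}

# Usage: report first, then fix, then run Exchange's own end-to-end check for one mailbox.
Test-HybridOrgRelationship | Format-List
Get-TenantFederationTarget
Test-HybridOrgRelationship -Fix | Out-Null
Get-OrganizationRelationship | ForEach-Object {
    Test-OrganizationRelationship -Identity $_.Identity -UserIdentity $TestUser
}
```

Test-OrganizationRelationship exercises the federation trust, Autodiscover and the relationship settings from the on-premises side only; if it passes but Exchange Online users still cannot see on-premises free/busy, the remaining suspects are the Exchange Online side of the relationship and the EWS/Autodiscover endpoint that Exchange Online reaches from the internet, which is where the TLS and certificate findings in the question come in.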

  2. Md Nasir Uddin 105 Reputation points
    2023-11-20T07:32:32.73+00:00

    I am sharing solution steps; I hope they help you.

    1. Open the command prompt.
    2. Type: hostname
    3. Again type: whoami (note: please open the command prompt with administrator credentials)
    4. regedit
       [screenshot of the registry key]
    5. If the hex value is 1, that means TLS version 1.2 is enabled.
    6. If the hex value is 0, that means TLS version 1.2 is disabled.
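Both the question ("how to ensure TLS 1.2 is enabled and functional on Exchange") and the registry check in the answer above come down to the same three things: what Schannel is configured to offer, whether .NET on the server follows that configuration, and what a client actually negotiates against the endpoint. The script below is an added example, not code from either poster or from Microsoft. The screenshot is missing from the page, so it is an assumption that the "hex value" being checked is the Enabled DWORD under the Schannel protocol keys; those key paths, the .NET keys and the SslStream API are real, while the host name mail.contoso.com and the IP 203.0.113.10 are placeholders.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell on the Exchange server
# (the registry functions read HKLM; the handshake test also works from any other Windows machine).
# Placeholders: 'mail.contoso.com' and '203.0.113.10' (use your EWS/Autodiscover name and the IP
# the Connectivity Analyzer reported).

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys   = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')

function Get-SchannelProtocolState {
    # Reads the Enabled and DisabledByDefault DWORDs for each protocol on the Server and Client
    # side (the keys whose hex value the answer above checks in regedit). A value that is not set
    # falls back to the OS default for that Windows version, so "not set" is not "disabled".
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $props    = Get-ItemProperty -Path (Join-Path (Join-Path $SchannelRoot $p) $side) -ErrorAction SilentlyContinue
            $enabled  = if ($props) { $props.Enabled }           else { $null }
            $disabled = if ($props) { $props.DisabledByDefault } else { $null }
            $state = if ($null -eq $enabled -and $null -eq $disabled) { 'not set (OS default)' }
                     elseif ($enabled -eq 0)                          { 'disabled (Enabled=0)' }
                     elseif ($disabled -eq 1)                         { 'only if explicitly requested (DisabledByDefault=1)' }
                     else                                             { 'enabled' }
            [pscustomobject]@{
                Protocol = $p; Side = $side; State = $state
                Enabled           = if ($null -eq $enabled)  { '-' } else { '0x{0:x}' -f $enabled }
                DisabledByDefault = if ($null -eq $disabled) { '-' } else { '0x{0:x}' -f $disabled }
            }
        }
    }
}

function Get-DotNetTlsState {
    # Exchange runs on .NET Framework. SystemDefaultTlsVersions=1 and SchUseStrongCrypto=1 are the
    # values the Exchange TLS guidance linked in the first answer sets so that .NET follows the
    # Schannel configuration above for its own outbound calls instead of its built-in defaults.
    foreach ($key in $DotNetKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SystemDefaultTlsVersions = if ($null -eq $props.SystemDefaultTlsVersions) { 'not set' } else { $props.SystemDefaultTlsVersions }
            SchUseStrongCrypto       = if ($null -eq $props.SchUseStrongCrypto)       { 'not set' } else { $props.SchUseStrongCrypto }
        }
    }
}

function Test-TlsHandshake {
    # One handshake per protocol, each restricted to exactly that protocol, so the result shows what
    # the server will negotiate (the same probe the Connectivity Analyzer runs). Certificate errors
    # are recorded instead of aborting, so protocol support and certificate validation come back as
    # separate findings, matching the two separate findings in the question.
    param(
        [Parameter(Mandatory)][string]$HostName,           # sent as SNI and used for certificate validation
        [string]$TargetIp = $HostName,                     # connect here: lets you probe the exact IP the Analyzer used
        [int]$Port = 443,
        [string[]]$Protocols = @('Tls', 'Tls11', 'Tls12')  # SslProtocols member names; 'Tls' is TLS 1.0
    )
    foreach ($name in $Protocols) {
        $script:PolicyErrors = 'not evaluated'
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:PolicyErrors = $sslPolicyErrors.ToString()   # e.g. RemoteCertificateNameMismatch, RemoteCertificateChainErrors
            return $true                                          # accept so the protocol probe still completes
        }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($TargetIp, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]$name, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Target = "$HostName ($TargetIp)"; Requested = $name; Result = 'enabled'
                Negotiated = "$($ssl.SslProtocol) $($ssl.CipherAlgorithm)-$($ssl.CipherStrength) $($ssl.KeyExchangeAlgorithm)"
                CertSubject = $cert.Subject; CertExpires = $cert.NotAfter; CertPolicyErrors = $script:PolicyErrors
            }
        } catch {
            [pscustomobject]@{
                Target = "$HostName ($TargetIp)"; Requested = $name; Result = 'not enabled / handshake failed'
                Negotiated = $_.Exception.GetBaseException().Message
                CertSubject = $null; CertExpires = $null; CertPolicyErrors = $script:PolicyErrors
            }
        } finally { $tcp.Close() }
    }
}

# Usage: registry view first, then live probes. Probe the name SSL Labs tested and, separately,
# the IP the Analyzer reported; if the two disagree, the two tools were not talking to the same
# TLS endpoint (for example a firewall or load balancer in front of Exchange).
Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsState        | Format-Table -AutoSize
Test-TlsHandshake -HostName 'mail.contoso.com'                          | Format-Table -AutoSize
Test-TlsHandshake -HostName 'mail.contoso.com' -TargetIp '203.0.113.10' | Format-Table -AutoSize
```

Read the handshake results with one caveat: a failure for TLS 1.0 or 1.1 can be caused by the probing machine's own Schannel client settings rather than by the server, so the TLS 1.2 result is the one that matters, and it should be checked from a machine that allows TLS 1.2 as a client. A CertPolicyErrors value other than None on the TLS 1.2 row is the condition the Analyzer reported as "The SSL certificate failed one or more certificate validation checks", independent of whether the protocol negotiated.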
