Office 365 Hybrid Connection Wizard error hangs?

Question

Office 365 Hybrid Connection Wizard error hangs?

Luke Hogan 1

Attempting to configure a Full Hybrid connection between our on-prem Exchange and Exchange 365 in preparation for full migration. After painfully troubleshooting all of the errors trying to get the "Office 365 Hybrid Configuration" applet to run, it is now getting stuck at "Adding Federated Domain"

After investigating the error log here: %appdata%\Roaming\Microsoft\Exchange Hybrid Configuration I can see the errors below appearing in the log.

2022.03.14 21:41:49.823 ERROR 10277 [Client=UX, Activity=Domain Ownership, Session=OnPremises, Cmdlet=Set-FederatedOrganizationIdentifier, Thread=6] FINISH Time=1075.1ms Results=PowerShell failed to invoke 'Set-FederatedOrganizationIdentifier': An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An error occurred accessing Windows Live. Detailed information: "The underlying connection was closed: An unexpected error occurred on a send.".". {CategoryInfo={Activity=[System.String] Set-FederatedOrganizationIdentifier,Category=[System.Management.Automation.ErrorCategory] InvalidResult,Reason=[System.String] ProvisioningFederatedExchangeException,TargetName=[System.String] ,TargetType=[System.String] },ErrorDetails=,Exception=[System.Management.Automation.RemoteException] An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An error occurred accessing Windows Live. Detailed information: "The underlying connection was c losed: An unexpected error occurred on a send.".".,FullyQualifiedErrorId=[System.String] [Server=CFD-EX02,RequestId=d395096b-a1b0-4b59-b186-67b118264444,TimeStamp=3/14/2022 9:41:49 PM] [FailureCategory=Cmdlet-ProvisioningFederatedExchangeException] 584F1A5C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederatedOrganizationIdentifier} 2022.03.14 21:41:49.837 ERROR 10224 [Client=UX, Page=DomainProof, Thread=6] Microsoft.Online.CSE.Hybrid.PowerShell.PowerShellInvokeException: PowerShell failed to invoke 'Set-FederatedOrganizationIdentifier': An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An error occurred accessing Windows Live. Detailed information: "The underlying connection was closed: An unexpected error occurred on a send.".". {CategoryInfo={Activity=[System.String] Set-FederatedOrganizationIdentifier,Category=[System.Management.Automation.ErrorCategory] InvalidResult,Reason=[System.String] ProvisioningFederatedExchangeException,TargetName=[System.String] ,TargetType=[System.String] },ErrorDetails=,Exception=[System.Management.Automation.RemoteException] An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An error occurred accessing Windows Live. Detailed information: "The underlying connection was closed: An unexpected error occurred on a send.".".,FullyQualifiedErrorId=[System.String] [Server=CFD-EX02,RequestId=d395096b-a1b0-4b59-b186-67b118264444,TimeStamp=3/14/2022 9:41:49 PM] [FailureCategory=Cmdlet-ProvisioningFederatedExchangeException] 584F1A5C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederatedOrganizationIdentifier} ---> System.Management.Automation.RemoteException: An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An error occurred accessing Windows Live. Detailed information: "The underlying connection was closed: An unexpected error occurred on a send.".". --- End of inner exception stack trace --- at Microsoft.Online.CSE.Hybrid.PowerShell.PowerShellInvokeResult.CreateOrThrowMapped(String cmdlet, IReadOnlyDictionary2 parameters, DateTimeOffset start, IPowerShellDataStreams dataStreams, ILogger logger, IPowerShellObject[] objects) at Microsoft.Online.CSE.Hybrid.Provider.PowerShell.PowerShellProvider.PowerShellInstance.Invoke(String cmdlet, IReadOnlyDictionary2 parameters, Int32 millisecondsTimeout) at Microsoft.Online.CSE.Hybrid.PowerShell.RemotePowershellSession.Invoke(IPowerShell powershell, String cmdlet, IReadOnlyDictionary2 parameters, Int32 millisecondsTimeout) at Microsoft.Online.CSE.Hybrid.PowerShell.RemotePowershellSession.RunCommandInternal2(String cmdlet, SessionParameters parameters, Int32 millisecondsTimeout, Boolean skipCmdletLogging) at Microsoft.Online.CSE.Hybrid.PowerShell.RemotePowershellSession.RunCommandInternal(String cmdlet, SessionParameters parameters, Int32 millisecondsTimeout, PowerShellRetrySettings retrySettings, Boolean skipCmdletLogging) at Microsoft.Online.CSE.Hybrid.Session.PowerShellOnPremisesSession.SetFederatedOrganizationIdentifier(SmtpDomain accountNamespace, String delegationTrustLink, SmtpDomain defaultDomain) at Microsoft.Online.CSE.Hybrid.App.ViewModel.Pages.DomainProof.DomainInfo.AddFederatedDomain(IOnPremisesSession session, AppData appData) at System.Collections.Generic.List1.ForEach(Action`1 action) at Microsoft.Online.CSE.Hybrid.App.ViewModel.Pages.DomainProof.VerifyActivity(IOnPremisesSession session, EnvironmentBase environment)

Any tips to get the wizard to progress?

I have ruled out:

TLS (TLS is set to 1.2 only)
Proxy (there is no proxy server, and I've run this wizard from desktops on prem and in Azure)
Timezone (I changed to UTC and tested after finding an article online)

Thanks!

Santiago Carbonell Forment 1 Reputation point

2022-04-11T09:53:56.07+00:00

Hi,

I've the same problem but it doesn't work.... I have Exchange 2010 SP3 with 32 rollup, with .NET Framework 3.5 and 4.51...

I've configured TLS 1.2 in Exchange (you view TLS 1.2 in logs) and TLS with SystemDefaultTlsVersions in all net frameworks branches in regedit...

but the command

Set-FederatedOrganizationIdentifier -AccountNamespace 'mydomain.com' -DelegationFederationTrust 'Microsoft Federation Gateway' -Enabled:$true -VERBOSE

it doesn't work

I have tried everything...

Any help?

Thanks
Achmad Irvan Prasetyo 1 Reputation point

2023-01-02T16:53:52.683+00:00

Same here i already tried lukadrobrovis action but still no luck
Hasan Reza 161 Reputation points

2023-06-30T11:21:20.0733333+00:00

U are real super Hero , one week i was looking for a solution , even MS had raised hand,

2 answers

Your answer

Santiago Carbonell Forment 1 Reputation point

2022-04-11T09:53:56.07+00:00

Hi,

I've the same problem but it doesn't work.... I have Exchange 2010 SP3 with 32 rollup, with .NET Framework 3.5 and 4.51...

I've configured TLS 1.2 in Exchange (you view TLS 1.2 in logs) and TLS with SystemDefaultTlsVersions in all net frameworks branches in regedit...

but the command

Set-FederatedOrganizationIdentifier -AccountNamespace 'mydomain.com' -DelegationFederationTrust 'Microsoft Federation Gateway' -Enabled:$true -VERBOSE

it doesn't work

I have tried everything...

Any help?

Thanks
Achmad Irvan Prasetyo 1 Reputation point

2023-01-02T16:53:52.683+00:00

Same here i already tried lukadrobrovis action but still no luck
Hasan Reza 161 Reputation points

2023-06-30T11:21:20.0733333+00:00

U are real super Hero , one week i was looking for a solution , even MS had raised hand,

Answer 1

Luka Dobrović (Span) 21

Hello everyone,

I had the same issue with one customer. Exchange environment consists of 2 Exchange 2010 (SP3 RU 32) servers and one Exchange 2016 server (CU22). Hybrid configuration Wizard is running on Exchange 2016 from which I will migrate mailboxes to Office 365.

So firstly, in my test environment I had the same issue which was resolved by enabling Federation Trust from Exchange Control Panel.

In the production, when I wanted to enable Federation Trust through Exchange management shell , I got an error:

"Error:
An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An error occurred accessing Windows Live. Detailed information: "The underlying connection was closed: An unexpected error occurred on a send.".".
An error occurred accessing Windows Live. Detailed information: "The underlying connection was closed: An unexpected error occurred on a send.".
The underlying connection was closed: An unexpected error occurred on a send.
Authentication failed because the remote party has closed the transport stream.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.498.0&t=exchgf1&e=ms.exch.err.ExB5F48C

After a lot of troubleshooting I found that TLS wasn't enabled as it should be for this purpose, so I Downloaded IISCrypto and used best practices preset (https://www.nartac.com/Products/IISCrypto) and restarted server.
After boot up, I got the same issue so I ended up diving a bit deeper and the issue was resolved by enabling TLS 1.2 for .NET 3.5 and 4.x using the following registry:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

I did another reboot of a server and Hybrid Connection Wizard ran successfully without a problem.

hope this helps!

Luke Hogan 1 Reputation point

2022-04-02T00:11:45.083+00:00

Thanks for the suggestion Luka ... I was very excited to try something new ... I didnt consider the .NET TLS version.

However unfortunately after ensuring that all TLS versions are enabled in the OS, and the registry entries for .NET have been set as above, after the reboot I'm still getting the same error! So frustrating ... the same error occurs via the Exchange Admin Console while attempting to add Federated Domains.

We're almost at the point where we will just have to live with this free/busy sharing issue and try to migrate the whole organisation asap.
Thomas Luggiero 6 Reputation points

2022-04-05T15:18:12.693+00:00

Wow! After two months of troubleshooting and being told it could be our firewall, this fixed it. We even hired an outside consultant that mentioned the framework v2 but not the v4. I also ran that best practices and it looks like it disabled tls 1.0 even though it showed disabled in the registry! We got so much further into the Hybrid wizard now.

Now we error out at being deyhydrated! HCW8077 Tenant organization is dehydrated

2022.04.05 15:11:58.911 ERROR 10271 [Client=UX, Page=Configuring, fn=RunWorkflow, Workflow=Hybrid, Task=Initial, Phase=ValidateConfiguration, Thread=16] FINISH Time=812.5ms Results=FAILED - (Validation Failure)
2022.04.05 15:11:58.911 ERROR 10273 [Client=UX, Page=Configuring, fn=RunWorkflow, Workflow=Hybrid, Task=Initial, Thread=16] FINISH Time=85.1s Results=FAILED
2022.04.05 15:11:58.911 ERROR 10268 [Client=UX, Page=Configuring, fn=RunWorkflow, Workflow=Hybrid, Thread=16] FINISH Time=85.1s Results=FAILED
2022.04.05 15:11:58.911 ERROR 10025 [Client=UX, Page=Configuring, fn=RunWorkflow, Thread=16] HCW8077 Tenant organization is dehydrated. Try running the Hybrid wizard again and if the issue persists contact support to remediate this issue.
2022.04.05 15:11:58.911 ERROR 10025 [Client=UX, Page=Configuring, fn=RunWorkflow, Thread=16] HCW8092 One or more items failed validation during 'Hybrid Initialization' task. Please see log file for details.
Santiago Carbonell Forment 1 Reputation point

2022-04-11T09:52:21.103+00:00

Hi,

I'm the same as you.... Exchange 2010 SP3 with 32 rollup, with .NET Framework 3.5 and 4.51...

I've configured TLS 1.2 in Exchange (you view TLS 1.2 in logs) and TLS with SystemDefaultTlsVersions in all net frameworks branches in regedit...

but the command

Set-FederatedOrganizationIdentifier -AccountNamespace 'mydomain.com' -DelegationFederationTrust 'Microsoft Federation Gateway' -Enabled:$true -VERBOSE

it doesn't work

Any help?

Thanks
Justin Lord 6 Reputation points

2022-04-13T19:46:13.24+00:00

I've been stuck on this all week, this is the first mention I've seen about enabling for .Net, thank you, worked perfectly!
Luka Dobrović (Span) 21 Reputation points

2022-04-25T13:15:33.953+00:00

Hi Thomas,

I am happy that this resolved regarding the Hybrid connection. You can try to fix the issue with the tenant being hydrated with the link https://www.alitajran.com/tenant-organization-is-dehydrated/

enjoy your day!

Luka
Federico de los Santos 1 Reputation point

2022-04-26T23:47:34.203+00:00

Thank you LukaDobrovic-3499!

The registry editing solved the problem in my scenario. I opened a case in Microsoft but it was a waste of time.
Luke Hogan 1 Reputation point

2022-04-27T00:32:41.567+00:00

Glad you guys finally fixed it ... ours is still broken unfortunately :( We have a case open with Microsoft but they have been less than helpful so far!
Hopefully we get a resolution very soon as our CEO is getting frustrated that he cannot see our calendars!
Kyrilovo 1 Reputation point

2022-04-27T20:16:44.787+00:00

Спасибо!

It works for me
5 cents - not immediately, 30 minutes timeout
Shahir Thottathil 1 Reputation point

2022-06-01T11:38:00.29+00:00

Dear Luka,

Thanks for the post and it's helped me to save my life.

Thanks again.
God Bless you.

Thanks and Regards,
Sha
Ricardo Cruz 1 Reputation point

2022-09-01T12:54:37.58+00:00

Hey Luca thanks for the post, you helped us fixing the issue when trying to validate the Trust Federation in ECP

We have exchange 2016 servers CU22, and we had those registry keys already in our servers but we were still experiencing the issue, it wasn't until you mentioned .NET 3.5 that we decided to install it in all our servers

We had to install NetFramework 3.5 using a Windows server ISO but after installing it in all servers and restart we were able to validate the Trust Federation

This is really weird as Exchange 2016 CU22 is supposed to run on NetFramework 4.8, I'm guessing some modules still require older versions of NetFramework in order to work properly as Exchange 2016 in the initial CU's was running on .NET 3.5

Thanks again for the help!
Achmad Irvan Prasetyo 1 Reputation point

2023-01-02T16:52:23.877+00:00

I'll already try adding the TLS registry on Exchange 2010 SP3 Rollup 32, and still no luck. Any help?
Tao Song 0 Reputation points

2024-12-30T07:38:07.26+00:00

This solution worked straight away after the reboot. Thank you so much!

Answer 2

KyleXu-MSFT 26,391

@Luke Hogan

Did you verify your Exchange on-premises domain name on Office 365 before running HCW?

I would suggest you try to download the latest version of HCW (Mark sure download it with IE browser): Hybrid Configuration wizard FAQs

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Luke Hogan 1 Reputation point

2022-03-15T03:53:01.347+00:00

Hi thanks for the response!

Re: verifying domains ... each domain has been set up in the Office 365 Portal --> Settings --> Domains and the SPF records have been verified in our external DNS.

Also have tested with older versions of the hybrid configuration wizard, and the newest one ... same result:

Interestingly, I have tried to set up the "Federation" manually in EAC by going to:
EAC --> Organization --> Sharing --> Add

I was getting exactly the same error ..
KyleXu-MSFT 26,391 Reputation points

2022-03-15T05:44:58.02+00:00
Based on my searching, there are two suggestions which may be useful to you:

Suggestion 1: Check whether the configuration below is enabled:

Get-FederatedOrganizationIdentifier | fl Enabled

If it isn't enabled, try to enable it with command below:

Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" -AccountNamespace "Contoso.com" -Enabled $true

Suggestion 2: Add information below into "SystemConfigurationTasks.Overrides.ini" file (Need to create manually).

[SystemConfigurationTasks.settings.ini:FederationTrustFromCache]Enabled=False

Then copy this file to “C:\Program Files\Microsoft\Exchange Server\V15\Config”
Luke Hogan 1 Reputation point

2022-03-15T21:06:11.343+00:00

Hi

Thanks again for your assistance!

Re: suggestion 1:

Result of the commands is below:

Looks like the same error message received from the Hybrid Configuration Wizard (The underlying connection was closed - an error accessing Windows Live)

Re: Suggestion 2
We already have this .ini in place ... it was one of the first troubleshooting steps we tried but unfortunately it doesn't seem to have an impact.

Any other ideas?
KyleXu-MSFT 26,391 Reputation points

2022-03-17T06:52:19.653+00:00
If the "SystemConfigurationTasks.Overrides.ini" file doesn't work for your organization, I would suggest you remove it before the following troubleshoot.

I want to double confirm with you whether domain names are verified on Office 365：

I also noticed that “each domain has been set up in the Office 365 Portal”. Do you use multiple domains on your Exchange on-premises? Please make sure use the local real domain name when running:

Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" -AccountNamespace "domain.com" -Enabled $true -Verbose

I've run this wizard from desktops on prem and in Azure

About this one, could you provide more detailed information about it? How do you run HCW from Azure?
KyleXu-MSFT 26,391 Reputation points

2022-03-22T06:41:15.327+00:00

I am writing here to confirm with you any update about this thread now. Could you run HCW successfully?
Luke Hogan 1 Reputation point

2022-03-25T21:50:27.407+00:00
Hi Kyle
Finally got back to this ... unfortunately it's still not working for us.

Answering your points above:

I have now removed the SystemConfigurationTasks.overrides.ini file.

The domains have been verified using a TXT record in the ExchangeOnline portal. The default domain name has been used in the command (we have even tried the other ones).

We get the same error:
]1

My meaning by "I've run the wizard from desktops on prem and in Azure" ... we have some servers hosted in Azure (but still connected to our domain) ... I tried running the Hybrid Wizard from these servers (to rule out internet / proxy issues) but we still get the same error.

A bit more info ... we have both a Exchange 2010 and a Exchange 2016 server ... trying to run the Hybrid Configuration wizard from either server causes the same error (as well as the Exchange Shell command above).

Is there a different version of Hybrid Config wizard we might be able to try from our 2010 server?
KyleXu-MSFT 26,391 Reputation points

2022-03-29T07:16:42.407+00:00

For the old version of Exchange 2010, there exists another way to create hybrid which isn't supported download and using now.

I would suggest you try to update Exchange 2010 and Exchange 2016 to the latest version, then try to rerun HCW.

Share via

Office 365 Hybrid Connection Wizard error hangs?

2 answers

Your answer