Microsoft Exchange Online
A Microsoft email and calendaring hosted service.
1,936 questions
Whats the FQDN of the receive connector and does it match the subject of the GoDaddy Cert?
Exchange hybrid connector validation error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 45%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Damian M
20
Reputation points
Hi,
We recently setup Exchange Hybrid on Classic mode. Completed without errors.
During setup we ensure that the Transport Certificate is valid and we assigned our 3rd party cert (godaddy).
We checked on IIS that "Default Front End" certificates are assigned with 3rd party cert.
IIS 'Exchange Back End' is using the private "Exchange Server" certificate.
When checking Exchange online connectors and validating the O365-Onprem connector, it errors with
"450 4.4.317 Cannot connect to remote server [Message=SubjectMismatch Expected Subject: ...... Thumbprint:######"
When troubleshooting and Checking the certificate thumbprint from the error message on the server. Determined that the thumbprint belonged to the private certificate used in the 'Exchange Back End'
Not sure why it's presenting the wrong certificate and not the front-end certificate?
Normal email flow is still working.
Get-ReceiveConnector 'SERVER\Default Frontend #####' | fl tls*
Shows our public cert with godaddy:
TlsDomainCapabilities : {mail.protection.outlook.com:AcceptCloudServicesMail}
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 35%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXQ%3C/text%3E%3C/svg%3E)
Xintao Qiao-MSFT 4,235 Reputation points Microsoft Vendor2024-11-05T02:26:05.74+00:00 Hi, @Damian M
Have you tried Andy's answer?
If you have any questions, you can always "Comment". If the problem has been resolved, you can also click "Accept Answer".
Sign in to comment
5 answers
Sort by: Most helpful
-
Andy David - MVP 149.7K Reputation points MVP2024-11-04T19:00:20.2866667+00:00 -
Damian M 20 Reputation points
2024-11-04T19:29:00.7933333+00:00 No. The FQDN of the receive connector is the server's internal fqdn. I have tried to change it to our external FQDN which is on the cert but would not allow me.
The cert is also a SANS Cert with a few subject alternative names.
450 4.4.317 Cannot connect to remote server [Message=SubjectMismatch Expected Subject: ###ourexternalmailserveraddress####. Presented Subject: CN=##NetbiosnameofServer##. Thumbprint:####
-
Damian M 20 Reputation points
2024-11-04T19:35:39.04+00:00 FQDN on the receive connector is the internal fqdn. I tried to change it to external fqdn but does not accept it. The odd thing is the error includes the certificate thumbprint of the "Exchange Server" private certificate and not the Public Certificate. Even though Public cert was selected in the Transport Certificate settings in the Hybrid Setup.
Sign in to comment -
-
Andy David - MVP 149.7K Reputation points MVP
2024-11-04T19:39:45.1366667+00:00 Ok, consider creating a custom receive connector then for the 365> On-prem connection and set the FQDN on that to match the endpoint and cert subject name ( which ever SAN you intend to use) and set the TlsDomainCapabilities : {mail.protection.outlook.com:AcceptCloudServicesMail}
-
Damian M 20 Reputation points
2024-11-05T15:26:14.0366667+00:00 I will test that out. Thank you.
-
Xintao Qiao-MSFT 4,235 Reputation points Microsoft Vendor
2024-11-08T06:44:11.9966667+00:00 Hi, @Damian M
Are you having trouble with your process? If there is a problem, we will do our best to help you. If the issue has been resolved, you can also let us know by clicking "Accept Answer".
Sign in to comment -
-
Xintao Qiao-MSFT 4,235 Reputation points Microsoft Vendor
2024-11-13T03:18:44.95+00:00 Hi, @Damian M
Here's a similar thread for your reference.
Exchange Hybrid connector validation from o365 to on-prem - Microsoft Q&A
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
-
Xintao Qiao-MSFT 4,235 Reputation points Microsoft Vendor
2024-11-18T01:42:37.4966667+00:00 Hi, @Damian M
Just circling back to check to see how things are going on with this thread. Should you need more help on this, you can feel free to post back.
Sign in to comment -
-
Damian M 20 Reputation points
2024-11-18T15:16:09.6666667+00:00 Thank you for everyone's input.
Was not able to figure the reason, ended up using the Classic Configuration and it seem to complete without any errors.
-
Xintao Qiao-MSFT 4,235 Reputation points Microsoft Vendor
2024-11-19T06:59:26.8433333+00:00 Hi, @Damian M
I'm glad you solved the problem in this way, and I've put it together in the following summary, which you can mark as "Accept Answer" so that others who are experiencing the problem can find a solution better and faster.
Sign in to comment -
-
Xintao Qiao-MSFT 4,235 Reputation points Microsoft Vendor
2024-11-19T07:00:09.37+00:00 Issue Symptom:
After successfully setting up an Exchange Hybrid environment, I encountered an issue where the certificate provided by the 'Exchange Back End' did not match the certificate of the 'Default Front End'.
Resolution:
Using the classic configuration temporarily resolves the problem.