Udostępnij za pośrednictwem


Office 365 Insight into the Hybrid Configuration Wizard Part 2

I decided to extend the Insight into the Hybrid Configuration Wizard article into another 2 parts. I've been getting numerous requests on troubleshooting the dreaded Get-FederationInformation Exception.

Let’s recap on what the high level steps for the HCW are:

  1. Global Prerequisites task – prerequisite check (covered here).
  2. Legacy Exchange Support Task – Legacy Exchange requirements (covered here).
  3. Recipient Configuration Task – Accepted domains and email address policy changes.
  4. Organization Relationship Task – Federation configuration.
  5. On Off Settings Task – Organization Relationship config like Availability Address Space, Free Busy Access, TargetOWAURL etc.
  6. Hybrid mail flow task – Creates send and receive connectors for Hybrid mail flow.

I’m going to skip the Recipient Configuration Task here and cover that in my next article. I want to focus on step 4, the Organization Relationship Task for this article.

So let’s get right into it.

As the task name suggests, this step will:

  1. Create the Federation Trust with the Microsoft Federation Gateway,
  2. Add federated domains and
  3. Create the organizational relationships between the two environments.

Now, from the things I’ve seen and heard in the field is that most of the issues occur at step 3.

Step 3 uses a process called ProvisionOrganizationRelationship. The very first step that this function does is it tries to get the federation information for the domain for the organization relationship settings – let’s use uclabz.com.

  • First, it will initiate the following from the On-premise session:
 Get-FederationInformation –domainname uclabz.onmicrosoft.com –BypassAdditionalDomainValidation $True
  • Then create the Organizational Relationship to Exchange Online using the results from the above:
 New-OrganizationRelationship -Name -TargetApplicationUri *.outlook.com -TargetAutodiscoverEpr <the Exchange Online Autodiscover URL> -Enabled:$True -DomainNames uclabz.mail.onmicrosoft.com
  • The next step will be to initiate Get-FederationInformation from the TenantSession. This is where everything breaks for most people:
 Get-FederationInformation –domainname uclabz.com –BypassAdditionalDomainValidation $True

Let’s pause here for a moment.

So why is the code doing this. Well, it’s simple. By using Get-FederationInformation, it’s very easy to get the correct values for TargetApplicationURI, TargetAutodiscoverEPR and DomainNames which is required for the New-OrganizationRelationship task.

The issues occur, because many customers have different ways of doing things, like Autodiscover, Certificates and Reverse Proxy etc.

Let’s take an example – Autodiscover:

  • You implement Autodiscover on the Public DNS by using a SRV record and you don’t specify an A record for autodiscover.company.com.
  • You run remote connectivity analyzer and everything seems to be working fine.
  • Then, you run the Hybrid Configuration Wizard and it bombs out at Get-FederationInformation with the following 
 Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.  
 
 Federation information could not be received from the external organization. 
 at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors) 
  '. 

See, the way Get-FederationInformation cmdlet works is that the discovery process only uses the following logic to determine the correct settings (in this order):

  1. https://autodiscover.uclabz.com/autodiscover/autodiscover.svc
  2. https://uclabz.com/autodiscover/autodiscover.svc
  3. https://autodiscover.uclabz.com/autodiscover/autodiscover.xml
  4. https://autodiscover.uclabz.com/autodiscover/autodiscover.xml

So as you can see from the above, you need to have the correct DNS record’s in public DNS for this step to work.

Here are some more tips on what to check for when you run into this problem:

  • Ensure Autodiscover is working as described above. Autodiscover DNS needs to point to the Hybrid Servers. Use remote connectivity analyzer to confirm that the steps are as per above.
  • Confirm that the svc-Integrated handler mapping is not missing in IIS on the Hybrid CAS - https://support.microsoft.com/kb/2626696 
  • Confirm WSSecurity is enabled on the Hybrid Server Autodiscover virtual directories –
 Get-autodiscovervirtualdirectory –server <hybridcas>|Set-AutodiscoverVirtualDirectory –WSSecurityAuthentication $true 
  • Confirm federation information results on the on-premise Hybrid server is working for the tenant target delivery domain.
 Get-FederationInformation –domainname domain.onmicrosoft.com -BypassAdditionalDomainValidation $True
  • Disable Pre-Authentication on TMG if you are using it – by default TMG will also block traffic to Autodiscover.svc. This can be solved by creating separate rules (higher order) in TMG for the following sites:

/EWS/Exchange.asmx/wssecurity
/Autodiscover/Autodiscover.svc
/Autodiscover/Autodiscover.svc/wssecurity

Allow All users and No Authentication, users can authenticate directly.
TMG will need to passthrough the traffic directly to the Hybrid CAS instead of authenticating as specified above.
Confirm that traffic is not being blocked to Autodiscover.svc by checking the TMG logs.
See this article on TMG - https://support.microsoft.com/kb/2821214

  • Open Exchange Online PowerShell session and confirm federation information results can be retrieved from the tenant shell – this is the remote check that Hybrid Config also does.
 Get-FederationInformation -domainname uclabz.com -BypassAdditionalDomainValidation $True 
  • Re-run Hybrid wizard, if you still get the same problem double check everything as above and wait a few hours to rerun.

Phew, I think that’s that for this article. Good luck with your hybrid configurations, I hope the above helps.

Until next time,

Michael Hall

Comments

  • Anonymous
    January 01, 2003
    Well done

  • Anonymous
    January 01, 2003
    Thanks Aleksandar! I hope the article helps people! Michael

  • Anonymous
    November 26, 2013
    Hi Michael, thanks for your great article, but the HCW still fails here. I noticed TargetAutodiscoverEpr has a wrong value when I Get-FederationInformation, I don't have an A record for autodiscover.domain.com which is the value actually set but a SRV record with points to mail.domain.com. All the remote connectivity analyzer tests are passed and on premises external clients (OA/activesync) fully working with autodiscover.

  • Anonymous
    November 27, 2013
    The comment has been removed

  • Anonymous
    December 15, 2013
    The comment has been removed

  • Anonymous
    January 20, 2014
    Great article Michael. Thanks.

  • Anonymous
    July 03, 2014
    When I run Get-FederationInformation -verbose internally or externally, it fails. Error is regarding autodiscover.svc endpoint. When I try to accesshttps://autodiscover.domain.com/autodiscover/autodiscover.xml I get the error code 600 which is correct. However when I try to access https://FQDN of CAS/autodiscover/autodiscover.svc externally, I get 404 not found error. I am able to get the desired response internally. svc-integrated handler is present in the IIS. No firewall.

  • Anonymous
    April 23, 2015
    https://autodiscover.uclabz.com/autodiscover/autodiscover.svc
    https://uclabz.com/autodiscover/autodiscover.svc
    https://autodiscover.uclabz.com/autodiscover/autodiscover.xml
    http://autodiscover.uclabz.com/autodiscover/autodiscover.xml

    I am able to access all the above link for my domain except second one "https://uclabz.com/autodiscover/autodiscover.svc" and hybrid error logs also showing this error that it start get-federation cmd for this link and gives error.

    Can you please advice how can we resolve this issue?

  • Anonymous
    April 29, 2015
    Hello,

    Great article thanks, I've encountered the dreaded Federation error a number of times now and normally find that it's just a case of waiting a little while for MFG to update. If you run get-federationinformation -domainname %hybriddomain% -verbose look to see if it says "Domain not federated" in the output. This suggests that the MFG hasn't caught up and normally waiting about an hour resolves this issue.

    David

  • Anonymous
    June 23, 2015
    Thanks you for this Great article,
    I unterstand my issue, for our web service we have added a third name: Domain: abc.com, we added service to all Exchange web service URL. and the autodiscover is configured as autodiscover.service.abc.com than autodiscover.abc.com. If there is a way to get this command working without reconfigure Exchange URLs.

    thanks

  • Anonymous
    May 06, 2017
    Thanks for confirming what I was discovering myself. The newer HCW will not throw an error but will give a warning that it can't connect to the autodiscover endpoint. It sets the Autodiscover endpoint in O365 side to autodiscover.contoso.com, this can be manually changed to the value that your regular SRV record points to and it then appears to work. However, any time you run the HCW it will overwrite this and break your Hybrid Free-Busy.