
Wednesday, 27 June 2018

Test-OAuthConnectivity Error:Missing signing certificate.


Recently came across this issue where free/busy had stopped working from Exchange on-premises to Exchange Online in an Exchange 2013 Hybrid Environment. On-premises users could not see calendar free/busy information of a user in Exchange Online, but Exchange Online users could indeed see free/busy information for on-premises users and didn't have an issue.

First of all, it's worth reading this article, as free/busy issues can be a dark art to understand and resolve. However, in this instance there wasn't much information on this particular error, so we had to work through it to find the resolution.

When running Test-OAuthConnectivity the following error presented itself:

Information:[OAuthCredentials:GetToken] start building a token for the user domain 'on-premisesdomain.com'
Error:Missing signing certificate.

Exchange Response Details:
HTTP response message:
Exception:
System.Net.WebException: The request was aborted: The request was canceled. --->
Microsoft.Exchange.Security.OAuth.OAuthTokenRequestFailedException: Missing signing certificate.



Now, Exchange uses an auth config certificate that is installed by default when you install Exchange and is used to sign the tokens for OAuth services. The default expiry of this certificate is 5 years from the installation date.

You can view the certificate in question by running this command:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint |FL
 



What had happened in this instance is that the certificate had expired 3 months into the Exchange Hybrid deployment. So to resolve this issue we first needed to generate a new certificate, and then apply it as the new auth certificate, which is done with the following command:

Set-AuthConfig -NewCertificateThumbprint "Thumbprint of the new cert" -NewCertificateEffectiveDate XX/XX/XXXX


   

And then run Set-AuthConfig -PublishCertificate to make the change.

This command will push the certificate out to all CAS role servers so you don't have to push the cert out yourself.

Finally, re-run the Hybrid Wizard and once completed you will find on-premises users will be able to see the free/busy information for Exchange Online users once more.
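The check-and-renew procedure above, as an added example that is not part of the original post. It assumes the Exchange Management Shell on Exchange 2013 or later; the post doesn't say how the replacement certificate was generated, so a self-signed Exchange certificate with the default auth certificate subject is used here (an assumption), and the renewal only runs when you pass -Renew.

```powershell
# Added example (not from the original post): audit the Exchange OAuth auth
# certificate and, only when asked, roll it the way the post describes.
# Assumes the Exchange Management Shell on an Exchange 2013+ server.
param(
    [int]$WarnDays = 30,   # assumption: how far ahead of expiry to warn
    [switch]$Renew         # only replace the certificate when explicitly requested
)

$authConfig = Get-AuthConfig
$current    = Get-ExchangeCertificate $authConfig.CurrentCertificateThumbprint
$daysLeft   = [int]($current.NotAfter - (Get-Date)).TotalDays

Write-Host ("Auth certificate {0} expires {1:yyyy-MM-dd} ({2} days left)" -f `
    $current.Thumbprint, $current.NotAfter, $daysLeft)

if ($daysLeft -gt $WarnDays) {
    Write-Host "No action needed."
    return
}

# An expired (or about to expire) auth certificate is what produces
# 'Missing signing certificate' from Test-OAuthConnectivity.
Write-Warning "Auth certificate has expired or expires within $WarnDays days."
if (-not $Renew) { return }

# 1. Generate a replacement. Assumption: a self-signed Exchange certificate
#    carrying the default auth certificate subject and the same domain names.
$new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
    -FriendlyName 'Microsoft Exchange Server Auth Certificate' `
    -DomainName $current.CertificateDomains

# 2. Make it the auth certificate (this fills in the "Thumbprint of the new cert"
#    and XX/XX/XXXX placeholders from the post; effective immediately).
Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)

# 3. Publish so every CAS role server picks it up, then drop the expired one.
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# 4. Confirm what is now in use; re-run the Hybrid Configuration Wizard afterwards.
Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint |
    Format-List Thumbprint, Subject, NotAfter
```

Run it without -Renew first (for example from a scheduled task) so the expiry warning reaches you before free/busy breaks, rather than after.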

Take care,
 @OliverMoazzezi

Thursday, 23 November 2017

An error occurred while attempting to provision Exchange to the Partner STS 'Client found response content type of 'text/html; charset=utf-8', but expected 'text/xml'

This week I had a very interesting Exchange Hybrid Wizard error present itself that I haven't seen before, or at least seen the root cause before. The purpose of this post is to actually have some data on it searchable on the internet so if you are facing this issue you know what to expect and do.

The error is: "An error occurred while attempting to provision Exchange to the Partner STS.  Detailed Information "An error occurred accessing Windows Live. Detailed information: "Client found response content type of 'text/html; charset=utf-8', but expected 'text/xml'"

This error never presents itself in the HCW; in fact, once you have added your TXT records to your required domains, the HCW will just hang at 'adding Federated Domain...' and sit on this screen forever:


You'll wait and wait and wait, and nothing will ever happen. This is when you hopefully dig into the HCW log and work through it to find the cause. Now, I have had this happen before, and we know we have to look at the HCW log to see what's going on. However, the issue wasn't what I was expecting.

In my case the error was caused because the web service that allows the HCW to provision the domains onto the Microsoft Federation Gateway had failed and was returning a 500 error. This is why the HCW log was complaining that it expected an XML response (text/xml) but instead got an HTML error page (text/html).

So if you receive this error, what can you do to check that it's Microsoft's issue and not yours?

It's a good idea if you're getting any "An error occurred while attempting to provision Exchange to the Partner STS" to check https://domains.live.com/service/managedelegation2.asmx


When working it will give you the following


In my instance, with the HCW stalled it was due to Microsoft actually having a service health issue.

It's worth pointing out that if you're getting other "An error occurred while attempting to provision Exchange to the Partner STS" errors, you should still check the web service. You may find you have a proxy or firewall in the way causing issues between the HCW and a perfectly functioning web service. Compare https://domains.live.com/service/managedelegation2.asmx from another network that you know won't have proxy or firewall issues, or even check it on your phone via 4G.

On another note I have reached out to the Exchange Product Group as I think Office 365 Service Health should be reporting on STS services as they will have potential impacts with enabling Exchange Hybrid and federation capabilities.
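The "is it Microsoft or is it my proxy" check from the post, as an added example that is not part of the original post. It probes the Partner STS endpoint directly and, optionally, through your proxy, so the two answers can be compared from the same machine. It assumes Windows PowerShell 5.1 (where Invoke-WebRequest raises a WebException on a 5xx) and a proxy URL you supply.

```powershell
# Added example (not from the original post): probe the Partner STS web service
# the HCW depends on, directly and through an optional proxy, to separate a
# Microsoft-side outage from a local proxy/firewall problem.
# Assumes Windows PowerShell 5.1 as found on Exchange servers.
param(
    [string]$Proxy = $null   # assumption: e.g. 'http://proxy.corp.example:8080'
)
$Url = 'https://domains.live.com/service/managedelegation2.asmx'

function Test-PartnerSts {
    param([string]$Uri, [string]$ProxyUri)
    $via    = if ($ProxyUri) { $ProxyUri } else { 'direct' }
    $params = @{ Uri = $Uri; UseBasicParsing = $true; TimeoutSec = 30 }
    if ($ProxyUri) { $params.Proxy = $ProxyUri; $params.ProxyUseDefaultCredentials = $true }
    try {
        $r = Invoke-WebRequest @params
        # A GET on the .asmx returns the HTML service description page when healthy.
        [pscustomobject]@{ Via = $via; Status = [int]$r.StatusCode
                           ContentType = $r.Headers['Content-Type'] }
    } catch [System.Net.WebException] {
        # A 5xx with an HTML body is the server-side failure from the post; the
        # HCW's SOAP call then sees 'text/html' where it expected 'text/xml'.
        $resp = $_.Exception.Response
        [pscustomobject]@{
            Via         = $via
            Status      = if ($resp) { [int]$resp.StatusCode } else { -1 }
            ContentType = if ($resp) { $resp.ContentType } else { "$($_.Exception.Status)" }
        }
    }
}

$results = @(Test-PartnerSts -Uri $Url)
if ($Proxy) { $results += Test-PartnerSts -Uri $Url -ProxyUri $Proxy }
$results | Format-Table -AutoSize

# Reading the table (same reasoning as the post):
#   every path 5xx         -> service-side problem; check service health and wait
#   direct 200, proxy fails -> your proxy or firewall is breaking the HCW's call
#   direct fails, Status -1 -> no route at all (DNS, TLS or firewall) from this host
```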

Take care,


Oliver Moazzezi
@OliverMoazzezi