Office 365 Hybrid Configuration Error: Subtask Configure execution failed: Configure Mail Flow has thrown an exception

Symptoms:

When running Hybrid Configuration Wizard you may receive the following error:

Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Configure Mail Flow Execution of the New-SendConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. An Active Directory Constraint Violation error occurred on Domain_Controller_Name. Additional information: A value for the attribute was not in the acceptable range of values. Active directory response: 00002082: AtrErr: DSID-03151816, #1: 0: 00002082: DSID-03151816, problem 1005 ‎(CONSTRAINT_ATT_TYPE)‎, data 0, Att 811c7e35 ‎(msExchSmtpTLSCertificate)‎:len 552 at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand‎(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)‎ ‎'. Additional troubleshooting information is available in the Update-HybridConfiguration log file on server 365HYP01 located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\HybridConfiguration_4_13_2014_7_57_9_635329726296799568.log

In the above error note the highlighted parts which will be useful to troubleshoot the error. The first is indicating that the error occurred when executing New-SendConnector cmdlet.

The second one indicated that the response is coming from Active Directory but so far is not useful.

The third shows that A value for the attribute was not in the acceptable range of value.

The forth part shows ‎ (msExchSmtpTLSCertificate) ‎:len 552.

The following snapshot shows the error:

Troubleshooting:

The next step is to check the log file mentioned in the above error, when checking the log file under C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration the following error is logged:

04/13/2014 07:57:39] INFO : Task='Configure Mail Flow' Step='Configure' START

[04/13/2014 07:57:39] INFO : Session=OnPrem Cmdlet=New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces {smtp:TENANT_NAME.mail.onmicrosoft.com;1} -SourceTransportServers {SERVER_NAME} -DNSRoutingEnabled: $true -TLSDomain 'mail.protection.outlook.com' -RequireTLS: $true -TLSAuthLevel 'DomainValidation' -ErrorPolicies 'Default' -TLSCertificateName 'From your Certificate Issuer and Subject Fields' -CloudServicesMailEnabled: $true -Fqdn $null START

[04/13/2014 07:57:39] ERROR : System.Management.Automation.RemoteException: An Active Directory Constraint Violation error occurred on DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.

Active directory response: 00002082: AtrErr: DSID-03151816, #1:

0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552

[04/13/2014 07:57:39] INFO : Session=OnPrem Cmdlet=New-SendConnector FINISH Time=296.8075ms

[04/13/2014 07:57:39] ERROR : Subtask Configure execution failed: Configure Mail Flow

Execution of the New-SendConnector cmdlet has thrown an exception.

From the above log file we have some useful details:

1. We have the cmdlet that caused the error New-SendConnector.

2. We have the same attribute (msExchSmtpTLSCertificate):len 552

3. And we have the famous error of the cmdlet has thrown an exception.

So let’s try to execute the cmdlet from Exchange Management Shell, check the below snapshot:

The error returned in the snapshot:

An Active Directory Constraint Violation error occurred on YOUR_DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.

Active directory response: 00002082: AtrErr: DSID-03151816, #1:

0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35

(msExchSmtpTLSCertificate):len 552

First thing to notice from the snapshot and the log file that the switch –TLSCertificateName is using two fields from the certificate:

- Issuer: this field shows the name of the Certificate Authority (CA) who issued the certificate, and as you can see Comodo has a very long name compared with other CAs.

- Subject: this field shows information like Organization (O), Country (C), Common Name (CN). And again as you can see from the marked field in the snapshot the customer was using a very long name.

After searching I found this article: http://support.microsoft.com/kb/2860844

The KB explains the cause of the problem as:

“This issue occurs if the value of the rangeUpper attribute for the TlsCertificateName parameter contains more than 256 characters. Certificate names can't have more than 256 characters.”

The article also indicates that this problem has been fixed in Exchange 2013 Cumulative Update 3 (CU3), in this environment I’ve used Exchange 2013 with Service Pack 1 as the Hybrid Servers, it seems that the fix is not included in SP1 because checking the rangeupper limit attribute I found it as the old value 256.

To check the rangeupper limit value, run the following command:

dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper

The following snapshot shows the result:

Solution:

The first option now that we issue a new certificate with shorter name in the subject field as we don’t have control over the Issuer field.

The only remaining option is to modify the Schema manually and change the rangeupper limit to a higher value.

The following steps show how to modify the attribute using ADSIEDIT:

1. Use user account that member of Schema Admins and Enterprise Admins.

2. Open adsiedit.msc

3. Right click ADSI Edit and click on Connect To.

4. Select “Well known Naming Context” and from the drop down menu select “Schema” as the following snapshot:

5. Browse to CN=ms-Exch-Smtp-Tls-Certificate, open the properties and scroll down to rangeUpper as the following snapshot

6. Click Edit and enter the new value 1024, as the following snapshot:

7. Enforce the replication by running repadmin /syncall from the command prompt.

8. Verify that the rangeupper limit has been increased by running the following command:

dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper

Check the following snapshot for the result:

Rerun the Hybrid Configuration Wizard to complete the configuration

Kyle Green

7 May 2014 7:35 PM

It should be noted that if you don't want to change the schema you can simply re-word your subject field to get you under the 256 characters between the issuer and subject. This requires requesting a new certificate though.

Mohamed Marzouk [MSFT]

7 May 2014 7:39 PM

@Kyle : that's exactly what I said "The first option now that we issue a new certificate with shorter name in the subject field as we don’t have control over the Issuer field."

FranklinF

9 May 2014 4:51 PM

Great article! This work for me!

9 May 2014 7:19 PM

lets cif workS T hank Sthough

MikeM

25 Oct 2014 3:49 PM

Great post - this applies to anyone who happens to use a Comodo TLS certificate because that CA is issuing all of their certificates with strings that are longer than 256 characters.
The upper limit has been increased by Microsoft to 1024 in Exchange 2013 CU6.
http://technet.microsoft.com/en-us/library/bb738144(v=exchg.150).aspx#AttribModCU6

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

GD Bloggers

Office 365 Hybrid Configuration Error: Subtask Configure execution failed: Configure Mail Flow has thrown an exception