Team blog of MCS @ Middle East and Africa

This blog is created by the Microsoft MEA HQ near shoring team, and it aims to share knowledge with the IT community. With its infrastructure and development sides, it brings you proven best practices and real-world experiences from Subject Matter Experts.

Office 365 Hybrid Configuration Error: Subtask Configure execution failed: Configure Mail Flow has thrown an exception

Symptoms:
When running the Hybrid Configuration Wizard, you may receive the following error:
 
Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Mail Flow Execution of the New-SendConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. An Active Directory Constraint Violation error occurred on Domain_Controller_Name. Additional information: A value for the attribute was not in the acceptable range of values. Active directory response: 00002082: AtrErr: DSID-03151816, #1: 0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552 at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors) '. Additional troubleshooting information is available in the Update-HybridConfiguration log file on server 365HYP01 located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\HybridConfiguration_4_13_2014_7_57_9_635329726296799568.log
 
 
In the above error, note the highlighted parts, which will be useful for troubleshooting. The first indicates that the error occurred when executing the New-SendConnector cmdlet.
The second indicates that the response is coming from Active Directory, but so far that is not useful.
The third shows that a value for the attribute was not in the acceptable range of values.
The fourth part shows (msExchSmtpTLSCertificate):len 552.
 
 
The following snapshot shows the error:
[Screenshot: clip_image002]
 
 
Troubleshooting:
 
The next step is to check the log file mentioned in the above error. In the log file under C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration, the following error is logged:
 
 
[04/13/2014 07:57:39]    INFO : Task='Configure Mail Flow' Step='Configure' START
[04/13/2014 07:57:39]    INFO : Session=OnPrem Cmdlet=New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces {smtp:TENANT_NAME.mail.onmicrosoft.com;1} -SourceTransportServers {SERVER_NAME} -DNSRoutingEnabled: $true -TLSDomain 'mail.protection.outlook.com' -RequireTLS: $true -TLSAuthLevel 'DomainValidation' -ErrorPolicies 'Default' -TLSCertificateName 'From your Certificate Issuer and Subject Fields' -CloudServicesMailEnabled: $true -Fqdn $null START
[04/13/2014 07:57:39]   ERROR : System.Management.Automation.RemoteException: An Active Directory Constraint Violation error occurred on DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.
                              Active directory response: 00002082: AtrErr: DSID-03151816, #1:
                                             0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552
[04/13/2014 07:57:39]    INFO : Session=OnPrem Cmdlet=New-SendConnector FINISH Time=296.8075ms
[04/13/2014 07:57:39]   ERROR : Subtask Configure execution failed: Configure Mail Flow
                Execution of the New-SendConnector cmdlet has thrown an exception.
                                  
 
From the above log file we have some useful details:

1.      We have the cmdlet that caused the error: New-SendConnector.

2.      We have the same attribute: (msExchSmtpTLSCertificate):len 552.

3.      And we have the famous error: the cmdlet has thrown an exception.

So let’s try to execute the cmdlet from the Exchange Management Shell; check the snapshot below:
 
[Screenshot: clip_image004]
 
The error returned in the snapshot:
 
An Active Directory Constraint Violation error occurred on YOUR_DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.
Active directory response: 00002082: AtrErr: DSID-03151816, #1:
    0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35
(msExchSmtpTLSCertificate):len 552
 
 
 
The first thing to notice from the snapshot and the log file is that the -TLSCertificateName parameter uses two fields from the certificate:

-        Issuer: this field shows the name of the Certificate Authority (CA) that issued the certificate, and as you can see, Comodo has a very long name compared with other CAs.

-        Subject: this field shows information like Organization (O), Country (C), and Common Name (CN). Again, as you can see from the marked field in the snapshot, the customer was using a very long name.

 
After searching I found this article: http://support.microsoft.com/kb/2860844
The KB explains the cause of the problem as:
 
“This issue occurs if the value of the rangeUpper attribute for the TlsCertificateName parameter contains more than 256 characters. Certificate names can't have more than 256 characters.”
 
The article also indicates that this problem has been fixed in Exchange 2013 Cumulative Update 3 (CU3). In this environment I used Exchange 2013 with Service Pack 1 on the hybrid servers; it seems that the fix is not included in SP1, because when I checked the rangeUpper attribute I found it still at the old value, 256.
 
To check the rangeUpper value, run the following command:
dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper
 
 
The following snapshot shows the result:
[Screenshot: clip_image005]
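
A pre-flight check for the condition described above, as an added example that is not part of the original post: it builds the <I>Issuer<S>Subject string that Exchange uses for TlsCertificateName and compares its length with the schema's rangeUpper before the wizard is run. The -Thumbprint parameter and the function names are hypothetical, and comparing in characters is an assumption based on the KB wording.

```powershell
# Added example, not from the original post. Save as a .ps1 and run on the
# hybrid Exchange server. -Thumbprint and the function names are hypothetical.
param([Parameter(Mandatory)][string]$Thumbprint)

function Get-TlsCertificateNameInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # TlsCertificateName format: <I>Issuer<S>Subject
    $name = '<I>{0}<S>{1}' -f $Certificate.Issuer, $Certificate.Subject
    [pscustomobject]@{
        TlsCertificateName = $name
        IssuerChars        = $Certificate.Issuer.Length
        SubjectChars       = $Certificate.Subject.Length
        TotalChars         = $name.Length
        # The AD error reports "len"; the post does not say whether that is
        # characters or bytes, so the UTF-16 byte count is shown as well.
        Utf16Bytes         = [System.Text.Encoding]::Unicode.GetByteCount($name)
    }
}

function Get-TlsCertificateRangeUpper {
    # Same schema object the dsquery command reads, located via RootDSE.
    $schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $attr = [ADSI]"LDAP://CN=ms-Exch-Smtp-TLS-Certificate,$schemaNc"
    [int]$attr.rangeUpper.Value
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

$info  = Get-TlsCertificateNameInfo -Certificate $cert
$limit = Get-TlsCertificateRangeUpper
$info | Format-List
Write-Host "Schema rangeUpper for ms-Exch-Smtp-TLS-Certificate: $limit"

# Assumption: the limit is compared in characters, following the KB wording.
if ($info.TotalChars -gt $limit) {
    Write-Warning "TlsCertificateName is $($info.TotalChars) characters; New-SendConnector is likely to fail."
} else {
    Write-Host 'TlsCertificateName fits within the schema limit.'
}
```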
 
 
Solution:
The first option is to issue a new certificate with a shorter name in the Subject field, as we don’t have control over the Issuer field.
The only remaining option is to modify the schema manually and change the rangeUpper limit to a higher value.
 
The following steps show how to modify the attribute using ADSIEDIT:

1.      Use a user account that is a member of Schema Admins and Enterprise Admins.

2.      Open adsiedit.msc

3.      Right-click ADSI Edit and click Connect To.

4.      Select “Well known Naming Context” and from the drop-down menu select “Schema”, as shown in the following snapshot:

[Screenshot: clip_image007]
 

5.      Browse to CN=ms-Exch-Smtp-Tls-Certificate, open the properties and scroll down to rangeUpper, as shown in the following snapshot:

[Screenshot: clip_image009]

6.      Click Edit and enter the new value 1024, as shown in the following snapshot:

[Screenshot: clip_image011]
 

7.      Force replication by running repadmin /syncall from the command prompt.

8.      Verify that the rangeUpper limit has been increased by running the following command:

dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper

 
Check the following snapshot for the result:
[Screenshot: clip_image012]
 
Rerun the Hybrid Configuration Wizard to complete the configuration.
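
The ADSI Edit steps above in scripted form, as an added example that is not part of the original post: it records the current value, writes the change on the schema master only if the limit is lower than requested, then replicates and verifies. It assumes the ActiveDirectory PowerShell module is installed; the -NewRangeUpper parameter name is hypothetical, and -WhatIf previews the change without writing it.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Save as a .ps1 and run with an
# account that is a member of Schema Admins and Enterprise Admins (step 1).
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$NewRangeUpper = 1024   # value used in step 6
)

$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster   # schema writes go to this DC
$attrDn       = "CN=ms-Exch-Smtp-TLS-Certificate,$schemaNc"

# Record the current value so the change can be documented or reverted.
$attr = Get-ADObject -Identity $attrDn -Server $schemaMaster -Properties rangeUpper
$old  = $attr.rangeUpper
Write-Host "Current rangeUpper on ${schemaMaster}: $old"

if ($null -ne $old -and $old -ge $NewRangeUpper) {
    Write-Host 'Limit is already at or above the requested value; nothing to change.'
    return
}

if ($PSCmdlet.ShouldProcess($attrDn, "Set rangeUpper from $old to $NewRangeUpper")) {
    Set-ADObject -Identity $attrDn -Server $schemaMaster `
        -Replace @{ rangeUpper = $NewRangeUpper }

    # Step 7: push the change to the other domain controllers.
    & repadmin /syncall | Out-Null

    # Step 8: read the value back.
    $now = (Get-ADObject -Identity $attrDn -Server $schemaMaster `
        -Properties rangeUpper).rangeUpper
    Write-Host "rangeUpper is now $now (was $old)"
}
```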
Comments
  • It should be noted that if you don't want to change the schema you can simply re-word your subject field to get you under the 256 characters between the issuer and subject. This requires requesting a new certificate though.

  • @Kyle : that's exactly what I said "The first option now that we issue a new certificate with shorter name in the subject field as we don’t have control over the Issuer field."

  • Great article! This work for me!

  • lets cif workS T hank Sthough

  • Great post - this applies to anyone who happens to use a Comodo TLS certificate because that CA is issuing all of their certificates with strings that are longer than 256 characters.
    The upper limit has been increased by Microsoft to 1024 in Exchange 2013 CU6.
    http://technet.microsoft.com/en-us/library/bb738144(v=exchg.150).aspx#AttribModCU6
