• Office 365 Hybrid Configuration Error: Subtask Configure execution failed: Configure Mail Flow has thrown an exception

     
     
    Symptoms:
    When running Hybrid Configuration Wizard you may receive the following error:
     
    Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Mail Flow Execution of the New-SendConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. An Active Directory Constraint Violation error occurred on Domain_Controller_Name. Additional information: A value for the attribute was not in the acceptable range of values. Active directory response: 00002082: AtrErr: DSID-03151816, #1: 0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552 at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors) '. Additional troubleshooting information is available in the Update-HybridConfiguration log file on server 365HYP01 located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\HybridConfiguration_4_13_2014_7_57_9_635329726296799568.log
     
     
    Note the highlighted parts of the above error; they are what we use to troubleshoot it. The first indicates that the error occurred while executing the New-SendConnector cmdlet.
    The second indicates that the response is coming from Active Directory, which on its own is not yet useful.
    The third states that "A value for the attribute was not in the acceptable range of values".
    The fourth names the attribute and the length of the rejected value: (msExchSmtpTLSCertificate):len 552.
     
     
    The following snapshot shows the error:
    [snapshot: clip_image002]
     
     
    Troubleshooting:
     
    The next step is to check the log file mentioned in the above error. Looking at the log file under C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration, the following error is logged:
     
     
    [04/13/2014 07:57:39]    INFO : Task='Configure Mail Flow' Step='Configure' START
    [04/13/2014 07:57:39]    INFO : Session=OnPrem Cmdlet=New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces {smtp:TENANT_NAME.mail.onmicrosoft.com;1} -SourceTransportServers {SERVER_NAME} -DNSRoutingEnabled: $true -TLSDomain 'mail.protection.outlook.com' -RequireTLS: $true -TLSAuthLevel 'DomainValidation' -ErrorPolicies 'Default' -TLSCertificateName 'From your Certificate Issuer and Subject Fields' -CloudServicesMailEnabled: $true -Fqdn $null START
    [04/13/2014 07:57:39]   ERROR : System.Management.Automation.RemoteException: An Active Directory Constraint Violation error occurred on DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.
        Active directory response: 00002082: AtrErr: DSID-03151816, #1:
            0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552
    [04/13/2014 07:57:39]    INFO : Session=OnPrem Cmdlet=New-SendConnector FINISH Time=296.8075ms
    [04/13/2014 07:57:39]   ERROR : Subtask Configure execution failed: Configure Mail Flow
        Execution of the New-SendConnector cmdlet has thrown an exception.
     
    From the above log file we have some useful details:

    1. The cmdlet that caused the error: New-SendConnector.

    2. The same attribute and length: (msExchSmtpTLSCertificate):len 552.

    3. The familiar "cmdlet has thrown an exception" error.

    So let's try to execute the cmdlet from the Exchange Management Shell; check the snapshot below:
     
    [snapshot: clip_image004]
     
    The error returned in the snapshot:
     
    An Active Directory Constraint Violation error occurred on YOUR_DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.
        Active directory response: 00002082: AtrErr: DSID-03151816, #1:
            0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552
     
     
     
    The first thing to notice from the snapshot and the log file is that the -TLSCertificateName switch is built from two fields of the certificate:

    - Issuer: this field shows the name of the Certificate Authority (CA) that issued the certificate, and as you can see Comodo has a very long name compared with other CAs.

    - Subject: this field shows information such as Organization (O), Country (C) and Common Name (CN). Again, as you can see from the marked field in the snapshot, the customer was using a very long name.

     
    After searching I found this article: http://support.microsoft.com/kb/2860844
    The KB explains the cause of the problem as:
     
    “This issue occurs if the value of the rangeUpper attribute for the TlsCertificateName parameter contains more than 256 characters. Certificate names can't have more than 256 characters.”
     
    The article also indicates that this problem was fixed in Exchange 2013 Cumulative Update 3 (CU3). In this environment I used Exchange 2013 with Service Pack 1 as the hybrid servers, and it seems the fix is not included in SP1, because when I checked the rangeUpper attribute I found it still at the old value of 256.
     
    To check the rangeUpper limit value, run the following command:
    dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper
     
     
    The following snapshot shows the result:
    [snapshot: clip_image005]
     
     
    Solution:
    The first option is to issue a new certificate with a shorter name in the Subject field, as we don't have control over the Issuer field.
    If that is not possible, the only remaining option is to modify the schema manually and change the rangeUpper limit to a higher value.
     
    The following steps show how to modify the attribute using ADSIEDIT:

    1. Use a user account that is a member of Schema Admins and Enterprise Admins.

    2. Open adsiedit.msc.

    3. Right-click ADSI Edit and click Connect To.

    4. Select "Well known Naming Context" and from the drop-down menu select "Schema", as in the following snapshot:

    [snapshot: clip_image007]
     

    5. Browse to CN=ms-Exch-Smtp-Tls-Certificate, open its properties and scroll down to rangeUpper, as in the following snapshot:

    [snapshot: clip_image009]

    6. Click Edit and enter the new value 1024, as in the following snapshot:

    [snapshot: clip_image011]
     

    7. Force replication by running repadmin /syncall from the command prompt.

    8. Verify that the rangeUpper limit has been increased by running the following command:

    dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper

     
    Check the following snapshot for the result:
    [snapshot: clip_image012]
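    Before rerunning the wizard it is worth knowing whether the connector value will actually fit. The following script is an added example, not part of the original post: it reads the current rangeUpper of ms-Exch-Smtp-TLS-Certificate from the schema (the same object the dsquery command reads) and compares it with the length of the TlsCertificateName value in its documented "<I>Issuer<S>Subject" form. It assumes it is run in the Exchange Management Shell on the hybrid server, and $Thumbprint is a placeholder for the thumbprint of the certificate selected in the HCW.

```powershell
# Added example (not from the original post): compare the TlsCertificateName length
# with the schema's current rangeUpper for msExchSmtpTLSCertificate.
# Assumptions: Exchange Management Shell on the hybrid server; $Thumbprint is a
# placeholder for the certificate chosen in the Hybrid Configuration Wizard.
param(
    [string]$Thumbprint = 'THUMBPRINT_PLACEHOLDER'
)

# Read rangeUpper of ms-Exch-Smtp-TLS-Certificate from the schema partition.
$rootDse    = [ADSI]'LDAP://RootDSE'
$schemaNc   = $rootDse.schemaNamingContext.Value
$attribute  = [ADSI]"LDAP://CN=ms-Exch-Smtp-TLS-Certificate,$schemaNc"
$rangeUpper = [int]$attribute.rangeUpper.Value

# Build the value in the documented TlsCertificateName format "<I>Issuer<S>Subject";
# this is what the HCW passes as -TLSCertificateName (redacted in the log above).
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
$tlsCertificateName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Report the lengths side by side; FitsInSchema is $false when New-SendConnector
# would hit the CONSTRAINT_ATT_TYPE error described in this post.
[pscustomobject]@{
    Issuer             = $cert.Issuer
    Subject            = $cert.Subject
    TlsCertificateName = $tlsCertificateName
    Length             = $tlsCertificateName.Length
    SchemaRangeUpper   = $rangeUpper
    FitsInSchema       = ($tlsCertificateName.Length -le $rangeUpper)
}
```

    If FitsInSchema is $false, either reissue the certificate with a shorter Subject or raise rangeUpper as in the steps above; run the check again after repadmin /syncall so the value is read from an updated schema replica.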
     
    Rerun the Hybrid Configuration Wizard to complete the configuration.
  • Office 365 Hybrid Configuration Error: Unexpected Result from Windows Live InvalidUri InvalidUri

     
     
    Symptoms:
    When running Hybrid Configuration Wizard you may receive the following error:
     
    The wizard did not complete successfully. Please see the list below for error details.
    Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Organization Relationship Execution of the Set-FederatedOrganizationIdentifier cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An unexpected result was received from Windows Live. Detailed information: "InvalidUri InvalidUri: Passed URI is not valid.".". at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors) '. Additional troubleshooting information is available in the Update-HybridConfiguration log file on server 365HYP01 located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\HybridConfiguration_4_8_2014_10_17_44_635325490647602241.log.
     
     
     
    Note the highlighted parts of the above error; they are what we use to troubleshoot it. The first indicates that the error occurred while executing the Set-FederatedOrganizationIdentifier cmdlet.
    The second part is not really helpful: it only says that Windows Live responded with an unexpected result, InvalidUri. Very helpful :)
     
     
    The following snapshot shows the error:
     
    [snapshot]
     
     
     
    Troubleshooting:
     
    The next logical step is to check the log file mentioned in the above error. Looking at the log file under C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration, the following error is logged:
     
    INFO : Session=OnPrem Cmdlet=Set-FederatedOrganizationIdentifier -AccountNamespace 'DOMAIN_NAME' -DelegationFederationTrust 'Microsoft Federation Gateway' -Enabled: $true -DefaultDomain 'DOMAIN_NAME' START
    [04/08/2014 10:18:01]   ERROR : System.Management.Automation.RemoteException: An error occurred while attempting to provision Exchange to the Partner STS.  Detailed Information "An unexpected result was received from Windows Live.  Detailed information: "InvalidUri InvalidUri: Passed URI is not valid.".".
    [04/08/2014 10:18:01]    INFO : Session=OnPrem Cmdlet=Set-FederatedOrganizationIdentifier FINISH Time=2093.6758ms
     
    In the log file the main interesting part is the cmdlet which caused the error:
    Set-FederatedOrganizationIdentifier -AccountNamespace 'DOMAIN_NAME' -DelegationFederationTrust 'Microsoft Federation Gateway' -Enabled: $true -DefaultDomain 'DOMAIN_NAME'
     
     
    The second logical step is to try to execute the cmdlet from the Exchange Management Shell; check the snapshot below:
     
    [snapshot]
     
    The error in the snapshot says the same thing: “An unexpected result was received from Windows Live” with “InvalidUri InvalidUri”.
     
     
    Solution:
     
    Microsoft Knowledge Base article KB 2615183 (http://support.microsoft.com/kb/2615183) gives the cause of this error as:
    “This issue occurs if the domain name for your organization is blocked. A domain name may be blocked in Windows Live for the Windows Azure Active Directory (Windows Azure AD) authentication system if the domain name is reserved or if it doesn't meet certain requirements.”
     
    To solve this problem you will need to contact Office 365 support: open a service request with the error details and the domain name, and they will remove the domain name from the blocking list.
     
    Once the domain has been removed from the block list, run the HCW again to complete the hybrid configuration.
     
    Other Symptoms:
    You may also receive the following error:
    Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Organization Relationship Execution of the Add-FederatedDomain cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Unable to reserve the URI "DOMAIN_NAME" for the domain "DOMAIN_NAME" on application identifier "000000004C022B11". Detailed information: "An unexpected result was received from Windows Live. Detailed information: "InvalidUri: Passed URI is not valid.
     
    In the above scenario the error was with the Add-FederatedDomain cmdlet and in this case the domain name was in the blocked list.

  • Office 365 ADFS Proxy Error Event ID 364

     

    Symptoms:

    The environment contains two ADFS servers implemented in the internal network and two ADFS Proxy servers implemented in the DMZ network.

    When testing ADFS functionality from the internal network where sts.domain.com points to the NLB of the ADFS servers in the internal network the user can access Office 365.

    When testing ADFS from the Internet or from the DMZ the ADFS Proxy returned the following error:

    --------------------------------------------------------------------------

    Error:

    There was a problem accessing the site. Try to browse to the site again.

    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

    Reference number: 25b51e4b-a68d-47d6-8fc7-ee5a56337ed4

    --------------------------------------------------------------------------

     

    The following snapshot shows the error:

    clip_image002

     

    When checking the Event Viewer on the ADFS Proxy servers, the error Event ID 364 was logged several times:

    --------------------------------------------------------------------------

    Event id 364

    Encountered error during federation passive request.

    Additional Data

    Exception details:

    System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.

    -----------------------------------------------------------------------

    The following snapshot shows the error in the event viewer:

    clip_image004

     

    Reason:

    The ADFS Proxy configuration was fine, as was the certificate. However, after troubleshooting the error, the cause turned out to be a time difference.

    The internal ADFS servers synchronize their time with the Domain Controllers (DCs), and there was a 20-minute time difference between the ADFS Proxy servers and the ADFS servers.

     

    Solution:

    Reset the time on the ADFS proxy servers to match the time on the ADFS servers.
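    The following script is an added example, not part of the original post: it measures the clock offset between the ADFS Proxy it runs on and an internal ADFS server with w32tm /stripchart, so a skew like the 20 minutes described above shows up before any certificate or proxy configuration is touched. ADFS_SERVER_NAME is a placeholder for one internal ADFS server (or the NLB name) reachable from the DMZ on NTP (UDP 123), and $MaxSkewSeconds is an assumed threshold.

```powershell
# Added example (not from the original post): report the clock offset between this
# ADFS Proxy and an internal ADFS server, and flag it when it exceeds a threshold.
# Assumptions: run on the ADFS Proxy; ADFS_SERVER_NAME is a placeholder; NTP (UDP 123)
# from the DMZ to that server is allowed; $MaxSkewSeconds is an assumed tolerance.
param(
    [string]$AdfsServer  = 'ADFS_SERVER_NAME',
    [int]$Samples        = 3,
    [int]$MaxSkewSeconds = 300
)

# /stripchart prints one line per sample such as "10:17:44, +1200.0123456s";
# /dataonly suppresses the ASCII graph so the lines are easy to parse.
$raw = & w32tm.exe /stripchart /computer:$AdfsServer /samples:$Samples /dataonly

# Keep only the signed offsets in seconds; lines with errors (e.g. unreachable host) have none.
$offsets = @(foreach ($line in $raw) {
    if ($line -match '([+-]\d+(?:\.\d+)?)s\s*$') { [double]$Matches[1] }
})

if ($offsets.Count -eq 0) {
    throw "No time samples received from $AdfsServer. w32tm output: $($raw -join ' | ')"
}

$average = ($offsets | Measure-Object -Average).Average

# A positive offset means the remote server's clock is ahead of this proxy.
[pscustomobject]@{
    AdfsServer       = $AdfsServer
    LocalTime        = Get-Date
    SamplesUsed      = $offsets.Count
    AverageOffsetSec = [math]::Round($average, 3)
    MaxSkewSeconds   = $MaxSkewSeconds
    SkewTooLarge     = ([math]::Abs($average) -gt $MaxSkewSeconds)
}
```

    If the DMZ firewall does not allow NTP towards the internal network, run the same command from an internal ADFS server against the proxy instead. A SkewTooLarge of $true with an otherwise healthy proxy is the pattern this post describes: fix the time source on the proxies before looking further.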