Exchange 2013 Hybrid – Content was blocked because it was not signed by a valid security certificate

Hello again. The last few days have given me lots of new things to do, so apologies if you are being inundated with blog posts!

So today I went to enable a new Exchange 2013 Hybrid configuration. I used the Start Menu launcher for ‘Exchange Administrative Centre’, which to be honest I don’t usually do. This took me to https://localhost/ecp/?ExchClientVer=15. I then went to Hybrid and enabled the Hybrid Configuration. I logged into Office 365 and was greeted by this friendly message of doom:

Content was blocked because it was not signed by a valid security certificate

This error is quite easily solved; do not use localhost as the server name when you access the ECP. Use your client access namespace instead. For example, if my CAS name was mail.misstech.co.uk, I would browse to https://mail.misstech.co.uk/ecp/?ExchClientVer=15.

Just be sure to put outlook.office365.com and your CAS name into your Intranet Zone too or you’ll then get an error about Cookies!

412 - Cookies are disabled

Thanks for reading!

Advertisements

Hybrid Configuration Wizard and Multiple Domains – Get-FederationInformation cmdlet had thrown an exception

When running the Exchange Hybrid Wizard for multiple domains, you may find it fails and shows you the error below:

Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

Federation information could not be received from the external organization.

In addition to this, if you check the Update-HybridConfiguration log file in the Exchange Logging directory, you will find that the failure occurs just after the command Get-FederationInformation is run on one of your domains.

The first test you can run is to login to Microsoft Online PowerShell and try running:

Get-FederationInformation -DomainName domain.com

If this comes back with an error, then you likely have an issue with Autodiscover. It may be that autodiscover is not configured for all your domains, which is quite a common occurrence. There are 2 traditional ways to get around this:

  1. Configure multiple SRV DNS records to point Autodiscover at your primary Autodiscover service
  2. Add all your autodiscover domains to your SAN certificate and configure A records to point autodiscover to the public facing IP of your Exchange server/s

As of Exchange 2010 SP3 UR6 and Exchange 2012 SP1 however, there is a much cleaner way of doing this.

  1. Make sure Autodiscover is configured and working on your Primary SMTP domain (use https://testconnectivity.microsoft.com/ to verify functionality)
  2. Run the HCW (Hybrid Configuration Wizard) for just your Primary domain. This should complete without issues
  3. Go into the Exchange Management Shell on your On Premise Exchange environment and run:

Set-HybridConfiguration -Domains domainb.com,domainc.com,domain.com,autod:domaina.com

Where domaina.com is your Primary SMTP domain. This sets your autodiscover domain for all domains to domaina.com.

  1. Re-run the HCW. You should now see all domains populated and the HCW should complete successfully.

Powershell – Automatically Update E-mail Address based on Recipient Policy

During a recent large Office 365 Hybrid Deployment, I came across the issue of many users (400+) having the ‘Automatically Update E-mail Address based on Recipient Policy’ option unticked. This meant that the users in question did not have the correct routing address of username@domain.mail.onmicrosoft.com specified. When attempting to migrate the mailboxes of said user accounts, they failed with the following error:

The target mailbox doesn't have an SMTP proxy matching 'domain.mail.onmicrosoft.com'

This address is required for mail routing between On Premise users and Office 365 users, therefore without if the mailbox move cannot take place. This address is added to all Email Address Policies which contain the hybrid domains during the Hybrid Configuration, in order to put the correct routing in place.

The company in question only had one email address per user in the format of firstname.lastname@domain.com so there was no reason not to have this option enabled. The only exception were a few users who had a different SMTP suffix (domain2.com), so these users needed to be left alone. The first thing I had to do was identify which users had the email address policy disabled. To do this I ran the following command:

get-mailbox | Where {$_.EmailAddressPolicyEnabled -eq $false} > C:\Temp\emailpolicy.txt

After realising there were 400+ mailboxes to enable this on, it became obvious that this was a problem which only Powershell could solve. Before I started, I first used the command listed on a previous blog http://doubledit.co.uk/2014/12/02/how-to-export-a-list-of-all-primary-smtp-addresses-and-aliases/ to export a list of all Primary SMTP addresses as a reference. I then ran the following command to find all users with a particular SMTP suffix and enable the ‘Automatically Update E-mail Address based on Recipient Policy’ option:

Get-mailbox | Where {$_.EmailAddresses -like ‘*@domain.com’} | Set-mailbox -EmailAddressPolicyEnabled $true

If you just wanted to apply the policy to all users, you would use the following command:

Get-mailbox | Set-mailbox -EmailAddressPolicyEnabled $true

Exchange 2013 CU6 – Hybrid Configurations and Hardware Load Balancing…

Exchange 2013 CU6 was released at the end of August, and it’s fair to say it wasn’t Microsoft’s most elegant CU release ever. If you are already using a Hybrid Configuration, the following problems are faced after installation:

– You cannot use the On Premise Exchange Admin Center to create new Office 365 mailboxes, move mailboxes to Exchange Online, or create In-Place Archive mailboxes.

– You also cannot perform administration of Office 365 through the EAC, because when you click on the Office 365 management tab, it takes you to a marketing page for Office 365 rather than the 365 login page.

There has been a script released by Microsoft to fix this behaviour, which is available here: http://support.microsoft.com/kb/2997355/en-us

It’s lucky that this script is available, because Microsoft made some changes to Exchange Online in the last few weeks. These changes mean that if you now attempt to create or manage a Hybrid Configuration in Exchange 2013 CU5 or older, you will see the following error:

Subtask CheckPrereqs execution failed: Check Tenant Prerequisites

Deserialization fails due to one SerializationException: 

Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed: Microsoft.Exchange.Data.Directory.DirectoryBackendType

This can be resolved by, you guessed it, upgrading to Exchange 2013 CU6. Just remember to run the script which I linked to above after installation!

Another problem which a colleague of mine witnessed a few days back was related to CU6 and CAS Load Balancing. If you use a hardware load balancer such as a Kemp or NetScaler, and you install CU6, you will need to make some configuration changes to your availability monitors. Application aware load balancers will monitor Exchange Server 2013 using the Default Web Site in IIS, and a design change has been made in CU6 which will cause the load balancer to mark the Exchange 2013 server as down.

If you attempt to access the Default Web Site of an Exchange 2013 CU6 CAS server, it will return a status 302 and redirect you to the OWA site. A load balancer will see this and mark the server as being down. To resolve this problem, configure your load balancer to monitor https://CASFQDN/protocol/healthcheck.htm. For example, to monitor OWA you would use https://CASFQDN/owa/healthcheck.htm. The KB for this issue is here: http://support.microsoft.com/kb/3002351

Exchange Server 2013 CU6 has been a bit of a box of tricks so far, but if you are about to modify or create a Hybrid Configuration, then you MUST upgrade in order to be successful. Hopefully this article will help you in your quest for Hybrid greatness!