Federation Relationship issue

Question

Hi,We have a classic Hybrid configuration with several on-premises Exchange 2019 CU12 servers. Everything works as expected but we fail with Test-FederationRelationship cmdlet.&nbsp;On-premises servers:Get-OrganizationRelationship | Test-OrganizationRelationship -UserIdentity &lt;my email&gt;Begin testing for organization relationship CN=On-premises to O365 - &lt;some GUID&gt;,CN=Federation,CN=&lt;our organization&gt;,CN=Microsoft Exchange,CN=Services,CN=Configuration,&lt;our domain&gt;, enabled state True.Exchange D-Auth Federation Authentication STS Client Identities are urn:federation:MicrosoftOnline/FYDIBOHF25SPDLT.&lt;our domain&gt;;WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance of an object.Object reference not set to an instance of an object.+ CategoryInfo : NotSpecified: (:) [Test-OrganizationRelationship], NullReferenceException+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Exchange.Management.Sharing.TestOrganizationRelationship+ PSComputerName : &lt;any server&gt;&nbsp;When I test the trust, it returns ok:Test-FederationTrust -UserIdentity &lt;my email&gt;&nbsp;Begin process.STEP 1 of 6: Getting ADUser information for &lt;my email&gt;...RESULT: Success.STEP 2 of 6: Getting FederationTrust object for &lt;my email&gt;...RESULT: Success.STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.RESULT: Success.STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...RESULT: Success.Validating current configuration for FYDIBOHF25SPDLT.&lt;our domain&gt;...Validation successful.STEP 5 of 6: Requesting delegation token...RESULT: Success. Token retrieved.STEP 6 of 6: Validating delegation token...RESULT: Success.Closing Test-FederationTrust...RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097Id : FederationTrustConfigurationType : SuccessMessage : FederationTrust object in ActiveDirectory is valid.RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097Id : FederationMetadataType : SuccessMessage : The federation trust contains the same certificates published by the security token service in its federation metadata.RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097Id : StsCertificateType : SuccessMessage : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097Id : StsPreviousCertificateType : SuccessMessage : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097Id : OrganizationCertificateType : SuccessMessage : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097Id : TokenRequestType : SuccessMessage : Request for delegation token succeeded.RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097Id : TokenValidationType : SuccessMessage : Requested delegation token is valid.&nbsp;&nbsp;On cloud:(Get-OrganizationRelationship)[1] | Test-OrganizationRelationship -UserIdentity &lt;my email&gt;Begin testing for organization relationship CN=O365 to On-premises - &lt;some GUID&gt;,CN=Federation,CN=Configuration,CN=&lt;our organization&gt;.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR04A007,DC=PROD,DC=OUTLOOK,DC=COM, enabled state True.Exchange D-Auth Federation Authentication STS Client Identities are uri:WindowsLiveID/outlook.com;urn:federation:MicrosoftOnline/outlook.com;STEP 1: Validating user configurationRESULT: Success.STEP 2: Getting federation information from remote organization...RESULT: Unable to retrieve federation information from remote organization. Doing local testing only.STEP 3: Requesting delegation token from the STS...RESULT: Success.Retrieved token for target https://&lt;our access point&gt;/autodiscover/autodiscover.svc/wssecurtiy for offer Name=MSExchange.Autodiscover,Duration=28800(secs)STEP 4: Getting organization relationship settings from remote partner...RESULT: Unable to retrieve organization relationships from remote organization.RESULT: Error.LAST STEP: Writing results...Identity :Id : AutodiscoverServiceCallFailedStatus : ErrorDescription : The Autodiscover call failed.IsValid : TrueObjectState : NewCOMPLETE.WARNING: The federated domain &lt;our domain&gt; of the user is in the local organizational relationship which normally only contains the domains of externalorganizations.&nbsp;I didn't find any clues that could help in troubleshooting of the issue.&nbsp;Any ideas?&nbsp;King regards,Dmitry&nbsp;

fcomanigrasso · Answer

Hello!Did you re-run the hybrid Wizard in order to check if it returns any error? It usually helps a lot troubleshooting such scenarios. If the Wizard also comes back with the error "Object reference not set to an instance of an object " check this please: https://learn.microsoft.com/en-us/exchange/troubleshoot/hybrid-configuration-wizard-errors/object-reference-not-set-to-an-instance-of-an-object-error

dgk62 · Answer

Hi,Thank you for your answer.I've already tried the approach. Ok. I'll look again.I have an idea, that the STS signing certificate should be installed on Exchange servers alongside with the Federation certificate. Now, it's accessible only through Federation metadata.Regards,Dmitry.

sigfridobo · Answer

dgk62&nbsp; did u manage to solve the issue?We are in the process to deploy a new exchange 2019 server into a Hybrid 365-onpremise enviroment but we keep getting an error when we run:&nbsp;Test-FederationTrust -UserIdentity email address removed for privacy reasons -Verbose&nbsp;on the 7th verifycation which is "token validation" we get a "Failed to validate delegation token"&nbsp;&nbsp;

Forum Discussion

Federation Relationship issue

3 Replies

Resources