Exchange hybrid connector validation

Copper Contributor

I have a newly setup hybrid from an Exchange 2016 single server on premises. The migration of mailboxes has run ok but mail is not flowing between 365 and on-premise and before we redirected the MX record it wasn't flowing the other way either.


A few of the symptoms I have are

  • Running a validation email on the 365 outbound connector fails with the message

450 4.4.317 Cannot connect to remote server [Message=SubjectMismatch] []


The newly purchased GoDaddy certificate clearly has that as a SAN. Specifically, the subject is and the Subject Alternative Names are, and Exactly as specified by the MS documentation for hybrid certificates


  • On the Exchange server we still have messages held in the queue to, those that came in from external before the MX record change. The last error is 
  • (LED=451 4.4.395 Target host responded with the error. -> 454.4.7.5 Certificate validation failure, Reason:untrustedRoot);(MSG=);(

Everything seems to state that there's a certificate issue. The server is fully patched and up to date and root certificate windows updates isn't blocked. We have rerun the HCW, disabled TLS 1.0 and 1.1 and remove and re-added the certificate. The state is exactly the same


1 Reply

The TlsCertName on those connectors, have they been configured and has the certificate recently been renewed and is there a mismatch between TlsCertName <I>X<S>Y, where X is not the actual issues any longer or Y mismatches the subject? Sometimes CA's change (intermediate) root certs and you have this phenomenom.