Federation Relationship issue


Hi,

We have a classic Hybrid configuration with several on-premises Exchange 2019 CU12 servers. Everything works as expected, but we fail with the Test-FederationRelationship cmdlet.


On-premises servers:

Get-OrganizationRelationship | Test-OrganizationRelationship -UserIdentity <my email>

Begin testing for organization relationship CN=On-premises to O365 - <some GUID>,CN=Federation,CN=<our organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<our domain>, enabled state True.

Exchange D-Auth Federation Authentication STS Client Identities are urn:federation:MicrosoftOnline/FYDIBOHF25SPDLT.<our domain>;
WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance of an object.
Object reference not set to an instance of an object.
+ CategoryInfo : NotSpecified: (:) [Test-OrganizationRelationship], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Exchange.Management.Sharing.TestOrganizationRelationship
+ PSComputerName : <any server>


When I test the trust, it returns ok:

Test-FederationTrust -UserIdentity <my email>


Begin process.

STEP 1 of 6: Getting ADUser information for <my email>...
RESULT: Success.

STEP 2 of 6: Getting FederationTrust object for <my email>...
RESULT: Success.

STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.
RESULT: Success.

STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
RESULT: Success.

Validating current configuration for FYDIBOHF25SPDLT.<our domain>...

Validation successful.

STEP 5 of 6: Requesting delegation token...
RESULT: Success. Token retrieved.

STEP 6 of 6: Validating delegation token...
RESULT: Success.

Closing Test-FederationTrust...


RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : FederationTrustConfiguration
Type : Success
Message : FederationTrust object in ActiveDirectory is valid.

RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : FederationMetadata
Type : Success
Message : The federation trust contains the same certificates published by the security token service in its federation metadata.

RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : StsCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : StsPreviousCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : OrganizationCertificate
Type : Success
Message : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : TokenRequest
Type : Success
Message : Request for delegation token succeeded.

RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : TokenValidation
Type : Success
Message : Requested delegation token is valid.


On cloud:

(Get-OrganizationRelationship)[1] | Test-OrganizationRelationship -UserIdentity <my email>

Begin testing for organization relationship CN=O365 to On-premises - <some GUID>,CN=Federation,CN=Configuration,CN=<our organization>.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR04A007,DC=PROD,DC=OUTLOOK,DC=COM, enabled state True.

Exchange D-Auth Federation Authentication STS Client Identities are uri:WindowsLiveID/outlook.com;urn:federation:MicrosoftOnline/outlook.com;

STEP 1: Validating user configuration

RESULT: Success.

STEP 2: Getting federation information from remote organization...
RESULT: Unable to retrieve federation information from remote organization. Doing local testing only.

STEP 3: Requesting delegation token from the STS...

RESULT: Success.
Retrieved token for target https://<our access point>/autodiscover/autodiscover.svc/wssecurtiy for offer Name=MSExchange.Autodiscover,Duration=28800(secs)

STEP 4: Getting organization relationship settings from remote partner...

RESULT: Unable to retrieve organization relationships from remote organization.
RESULT: Error.

LAST STEP: Writing results...


Identity :
Id : AutodiscoverServiceCallFailed
Status : Error
Description : The Autodiscover call failed.
IsValid : True
ObjectState : New


COMPLETE.

WARNING: The federated domain <our domain> of the user is in the local organizational relationship which normally only contains the domains of external
organizations.


I didn't find any clues that could help in troubleshooting the issue.

Any ideas?


Kind regards,

Dmitry
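A defender-side check that walks the same objects the two test cmdlets above depend on, added here as an example and not part of the original post. It assumes an on-premises Exchange Management Shell session; the cmdlets and property names are the standard ones shown in the output above, while the comparisons themselves are this example's own.

```powershell
# Added diagnostic (not from the thread). Run in the on-premises Exchange Management Shell.

# 1. Inventory the certificates the federation trust references (the same properties
#    Test-FederationTrust reports on) and flag missing or expiring ones.
$trust = Get-FederationTrust
foreach ($prop in 'OrgCertificate','OrgPrivCertificate','TokenIssuerCertificate','TokenIssuerPrevCertificate') {
    $cert = $trust.$prop
    if ($null -eq $cert) {
        # An unset certificate property is a reference the test cmdlets would dereference.
        Write-Warning "$prop is not set on the federation trust"
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt 30) { 'expiring' } else { 'ok' }
    '{0,-28} {1}  expires {2:yyyy-MM-dd} ({3})' -f $prop, $cert.Thumbprint, $cert.NotAfter, $state
}

# 2. Is the organization's private federation certificate installed on this server?
#    Get-ExchangeCertificate lists the local computer store.
$installed = Get-ExchangeCertificate | Select-Object -ExpandProperty Thumbprint
if ($trust.OrgPrivCertificate -and $installed -notcontains $trust.OrgPrivCertificate.Thumbprint) {
    Write-Warning 'OrgPrivCertificate from the federation trust is not in the local certificate store'
}

# 3. The cloud-side warning says a local federated domain appears in the organization
#    relationship's DomainNames. Compare the federated domains with each relationship.
#    Assumption: each entry in .Domains exposes a DomainName, as in the usual object shape.
$federated = (Get-FederatedOrganizationIdentifier).Domains |
    ForEach-Object { $_.DomainName.ToString().ToLower() }
foreach ($rel in Get-OrganizationRelationship) {
    $overlap = $rel.DomainNames | ForEach-Object { $_.ToString().ToLower() } |
        Where-Object { $federated -contains $_ }
    if ($overlap) {
        Write-Warning ("Relationship '{0}' lists local federated domain(s): {1}" -f $rel.Name, ($overlap -join ', '))
    }
}
```

Any warning from step 1 or 2 points at the trust object rather than the relationship, which is where the on-premises test is failing; a hit in step 3 matches the WARNING the cloud-side test printed.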

3 Replies
Hello!
Did you re-run the hybrid Wizard in order to check if it returns any error? It usually helps a lot troubleshooting such scenarios. If the Wizard also comes back with the error "Object reference not set to an instance of an object " check this please: https://learn.microsoft.com/en-us/exchange/troubleshoot/hybrid-configuration-wizard-errors/object-re...
Hi,
Thank you for your answer.
I've already tried the approach. Ok. I'll look again.
I have an idea that the STS signing certificate should be installed on the Exchange servers alongside the Federation certificate. Now, it's accessible only through the Federation metadata.
Regards,
Dmitry.

@dgk62 did you manage to solve the issue?

We are in the process of deploying a new Exchange 2019 server into a Hybrid 365/on-premises environment, but we keep getting an error when we run:


Test-FederationTrust -UserIdentity email address removed for privacy reasons -Verbose


On the 7th verification, which is "token validation", we get a "Failed to validate delegation token".