Feb 13 2023 06:23 AM
Hi,
We have a classic Hybrid configuration with several on-premises Exchange 2019 CU12 servers. Everything works as expected, but we fail with the Test-FederationRelationship cmdlet.
On-premises servers:
Get-OrganizationRelationship | Test-OrganizationRelationship -UserIdentity <my email>
Begin testing for organization relationship CN=On-premises to O365 - <some GUID>,CN=Federation,CN=<our organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<our domain>, enabled state True.
Exchange D-Auth Federation Authentication STS Client Identities are urn:federation:MicrosoftOnline/FYDIBOHF25SPDLT.<our domain>;
WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance of an object.
Object reference not set to an instance of an object.
+ CategoryInfo : NotSpecified: (:) [Test-OrganizationRelationship], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Exchange.Management.Sharing.TestOrganizationRelationship
+ PSComputerName : <any server>
When I test the trust, it returns ok:
Test-FederationTrust -UserIdentity <my email>
Begin process.
STEP 1 of 6: Getting ADUser information for <my email>...
RESULT: Success.
STEP 2 of 6: Getting FederationTrust object for <my email>...
RESULT: Success.
STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.
RESULT: Success.
STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
RESULT: Success.
Validating current configuration for FYDIBOHF25SPDLT.<our domain>...
Validation successful.
STEP 5 of 6: Requesting delegation token...
RESULT: Success. Token retrieved.
STEP 6 of 6: Validating delegation token...
RESULT: Success.
Closing Test-FederationTrust...
RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : FederationTrustConfiguration
Type : Success
Message : FederationTrust object in ActiveDirectory is valid.
RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : FederationMetadata
Type : Success
Message : The federation trust contains the same certificates published by the security token service in its federation metadata.
RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : StsCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : StsPreviousCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : OrganizationCertificate
Type : Success
Message : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : TokenRequest
Type : Success
Message : Request for delegation token succeeded.
RunspaceId : 5cbacaf9-78ab-45a3-ab89-029cb4ced097
Id : TokenValidation
Type : Success
Message : Requested delegation token is valid.
On cloud:
(Get-OrganizationRelationship)[1] | Test-OrganizationRelationship -UserIdentity <my email>
Begin testing for organization relationship CN=O365 to On-premises - <some GUID>,CN=Federation,CN=Configuration,CN=<our organization>.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR04A007,DC=PROD,DC=OUTLOOK,DC=COM, enabled state True.
Exchange D-Auth Federation Authentication STS Client Identities are uri:WindowsLiveID/outlook.com;urn:federation:MicrosoftOnline/outlook.com;
STEP 1: Validating user configuration
RESULT: Success.
STEP 2: Getting federation information from remote organization...
RESULT: Unable to retrieve federation information from remote organization. Doing local testing only.
STEP 3: Requesting delegation token from the STS...
RESULT: Success.
Retrieved token for target https://<our access point>/autodiscover/autodiscover.svc/wssecurtiy for offer Name=MSExchange.Autodiscover,Duration=28800(secs)
STEP 4: Getting organization relationship settings from remote partner...
RESULT: Unable to retrieve organization relationships from remote organization.
RESULT: Error.
LAST STEP: Writing results...
Identity :
Id : AutodiscoverServiceCallFailed
Status : Error
Description : The Autodiscover call failed.
IsValid : True
ObjectState : New
COMPLETE.
WARNING: The federated domain <our domain> of the user is in the local organizational relationship which normally only contains the domains of external organizations.
I didn't find any clues that could help in troubleshooting the issue.
Any ideas?
Kind regards,
Dmitry