is the Microsoft Remote Connectivity Analyzer broken?

%3CLINGO-SUB%20id%3D%22lingo-sub-2743609%22%20slang%3D%22en-US%22%3Eis%20the%20Microsoft%20Remote%20Connectivity%20Analyzer%20broken%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2743609%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20having%20issues%20configuring%20my%20autodiscover%20configuration%20after%20an%20exchange%20server%20rebuild%20(Single%20exchange%20server%20which%20failed%20and%20had%20to%20be%20rebuilt%20using%20the%20setup.exe%20%2Fm%3Arecover%20option)%20and%20it's%20not%20working.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20go%20across%20the%20the%20normally%20faithful%20connectivity%20analyzer%20and%20I%20get%20the%20following%20results%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CDIV%20class%3D%22ms-Stack%20css-55%22%3E%3CDIV%20class%3D%22ms-Stack%20css-256%22%3E%3CSPAN%20class%3D%22css-257%22%3ETesting%20TCP%20port%20443%20on%20host%20%3CCORRECT%20dns%3D%22%22%20for%3D%22%22%20autodiscover%3D%22%22%3E%20to%20ensure%20it's%20listening%20and%20open.%3CBR%20%2F%3E%3C%2FCORRECT%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22css-257%22%3EThe%20port%20was%20opened%20successfully.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20css-55%22%3E%3CBR%20%2F%3E%3CDIV%20class%3D%22ms-Stack%20css-256%22%3E%3CSPAN%20class%3D%22css-257%22%3ETesting%20the%20SSL%20certificate%20to%20make%20sure%20it's%20valid.%3C%2FSPAN%3E%3CSPAN%20class%3D%22css-257%22%3EThe%20SSL%20certificate%20failed%20one%20or%20more%20certificate%20validation%20checks.%3C%2FSPAN%3E%3CDIV%20class%3D%22ms-Stack%20root-260%22%3E%3CDIV%20class%3D%22ms-Stack%20css-261%22%3E%3CSPAN%20class%3D%22css-257%22%3E%3CBR%20%2F%3ETest%20Steps%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20root-267%22%3E%3CDIV%20class%3D%22ms-Stack%20css-55%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20css-55%22%3E%3CSPAN%20class%3D%22css-257%22%3EThe%20Microsoft%20Connectivity%20Analyzer%20is%20probing%20the%20TCP%20endpoint%20%3CCORRECT%20ip%3D%22%22%20address%3D%22%22%3E%20on%20port%20443%20to%20detect%20which%20SSL%2FTLS%20protocols%20and%20cipher%20suites%20are%20enabled.%3C%2FCORRECT%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20css-55%22%3E%3CSPAN%20class%3D%22css-257%22%3EWe%20were%20able%20to%20detect%20the%20enabled%20protocols%20and%20cipher%20suites.%3C%2FSPAN%3E%3CDIV%20class%3D%22ms-Stack%20css-256%22%3E%3CDIV%20class%3D%22ms-Stack%20root-260%22%3E%3CDIV%20class%3D%22ms-Stack%20css-261%22%3E%3CDIV%20class%3D%22ms-TooltipHost%20root-56%22%3EAdditional%20Details%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20css-55%22%3E%3CDIV%20class%3D%22ms-Stack%20css-256%22%3E%3CSPAN%20class%3D%22css-257%22%3EChecking%20that%20your%20server%20supports%20modern%20TLS%20protocols%20and%20cipher%20suites.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22css-257%22%3EYour%20server%20supports%20modern%20TLS%20protocols%20and%20cipher%20suites%3B%20it%20should%20be%20compatible%20with%20Microsoft%20365%20services.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20css-55%22%3E%3CDIV%20class%3D%22ms-Stack%20css-256%22%3E%3CSPAN%20class%3D%22css-257%22%3EThe%20Microsoft%20Connectivity%20Analyzer%20is%20attempting%20to%20obtain%20the%20SSL%20certificate%20from%20remote%20server%20%3CCORRECT%20dns%3D%22%22%20name%3D%22%22%20for%3D%22%22%20autodiscover%3D%22%22%3E%20on%20port%20443.%3C%2FCORRECT%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22css-257%22%3EThe%20Microsoft%20Connectivity%20Analyzer%20wasn't%20able%20to%20obtain%20the%20remote%20SSL%20certificate.%3C%2FSPAN%3E%3CDIV%20class%3D%22ms-Stack%20root-260%22%3E%3CDIV%20class%3D%22ms-Stack%20css-261%22%3E%3CSPAN%20class%3D%22css-257%22%3EAdditional%20Details%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20root-267%22%3E%3CSPAN%20class%3D%22css-257%22%3EThe%20certificate%20couldn't%20be%20validated%20because%20SSL%20negotiation%20wasn't%20successful.%20This%20could%20have%20occurred%20as%20a%20result%20of%20a%20network%20error%20or%20because%20of%20a%20problem%20with%20the%20certificate%20installation.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20root-267%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22ms-Stack%20root-267%22%3E%3CSPAN%20class%3D%22css-257%22%3EClearly%20its%20not%20a%20network%20error.%26nbsp%3B%20So%20there%20is%20something%20wrong%20with%20my%20certificate%3F%26nbsp%3B%20What%20could%20be%20wrong%3F%26nbsp%3B%20It%20is%20a%20GoDaddy%20SAN%20cert.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2743609%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2777312%22%20slang%3D%22en-US%22%3ERe%3A%20is%20the%20Microsoft%20Remote%20Connectivity%20Analyzer%20broken%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2777312%22%20slang%3D%22en-US%22%3EHi%20Brent%2C%3CBR%20%2F%3EWe%20are%20experiencing%20the%20same%20issue.%20We%20are%20running%20Exchange%20Server%202016%20CU21%20(15.1.2308.8)%20on%20our%20server.%20This%20happens%20on%20domains%20using%20the%20autodiscover.contoso.com%20method%20and%20using%20the%20DNS%20SRV%20method%20(other%20ones%20we%20dont%20use).%20Outlook%20connect%20just%20fine%20remotely.%20Before%20the%20test%20was%20fine.%20We%20use%20Sectigo%20(former%20Comodo)%20certificates.%20This%20is%20a%20full%20on-prem%20environment.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2791764%22%20slang%3D%22en-US%22%3ERe%3A%20is%20the%20Microsoft%20Remote%20Connectivity%20Analyzer%20broken%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2791764%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1164254%22%20target%3D%22_blank%22%3E%40BasL86%3C%2FA%3E%26nbsp%3BThanks%20for%20this%20feedback.%20We're%20investigating%20the%20problem.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I am having issues configuring my autodiscover configuration after an exchange server rebuild (Single exchange server which failed and had to be rebuilt using the setup.exe /m:recover option) and it's not working.

I go across the the normally faithful connectivity analyzer and I get the following results:

Testing TCP port 443 on host <correct DNS for autodiscover> to ensure it's listening and open.
The port was opened successfully.

Testing the SSL certificate to make sure it's valid.The SSL certificate failed one or more certificate validation checks.

Test Steps
 
The Microsoft Connectivity Analyzer is probing the TCP endpoint <correct IP address> on port 443 to detect which SSL/TLS protocols and cipher suites are enabled.
We were able to detect the enabled protocols and cipher suites.
Additional Details
Checking that your server supports modern TLS protocols and cipher suites. Your server supports modern TLS protocols and cipher suites; it should be compatible with Microsoft 365 services.
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server <correct DNS name for autodiscover> on port 443.The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
 
Clearly its not a network error.  So there is something wrong with my certificate?  What could be wrong?  It is a GoDaddy SAN cert.
5 Replies
Hi Brent,
We are experiencing the same issue. We are running Exchange Server 2016 CU21 (15.1.2308.8) on our server. This happens on domains using the autodiscover.contoso.com method and using the DNS SRV method (other ones we dont use). Outlook connect just fine remotely. Before the test was fine. We use Sectigo (former Comodo) certificates. This is a full on-prem environment.

@BasL86 Thanks for this feedback. We're investigating the problem.

Hello, any update on this issue? I am doing some autodiscover testing for my exchange 2013 server on-prem, and seem to be getting the same issue.

@mohsan466 - yes, sorry for the delay. We released a new deployment which seems to have resolved the issue. If you are still having problems, send mail using the feedback link in the footer of the site with your specific issue and someone can take a look.

@bradhugh Hi Brad, the update seems to have solved our issues. Thank you! Great tool!