SOLVED

Test-OAuthConnectivity fails from on premises exchange to O365

Occasional Contributor

I ran HCW and it completed successfully, but at the end it gave a warning that OAuth could not be set up and to please re-run the HCW or try setting up OAuth manually. I re-ran the OAuth, still the same issue, hence I followed the steps mentioned in the TechNet article.

After successfully following all the steps, I tried to test the OAuth connectivity from on-premises Exchange to Office 365 by running the command: Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | Format-List

Got the error below:

                           

RunspaceId  : 33d7dd07-9028-40f8-bfa9-1f8ed554765gf
Task        : Checking EWS API Call Under Oauth
Detail      : The configuration was last successfully loaded at 01-01-0001 00:00:00 UTC. This was 10923476 minutes ago.
              The token cache is being cleared because "use cached token" was set to false.
              Exchange Outbound Oauth Log:


              Exchange Response Details:
              HTTP response message: 
              Exception:
              System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> 
              System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

 

When testing the OAuth connectivity from O365 to the Exchange server, it is successful.

Any help would be appreciated 

2 Replies

@serverpro 

 

Hi, what version of Exchange is your hybrid server running, and do you have any other Exchange servers in the environment? If so, what versions are they running, and are they all up to date with the latest SP and CUs?

 

Also, what SSL certificate do you have for your hybrid config? It needs to be an externally signed SSL cert and I usually find that a wildcard or SAN cert works best.

best response confirmed by serverpro (Occasional Contributor)
Solution

@PeterRising thanks for your help.

The issue was due to the firewall blocking Office 365 EWS. I allowed the URL in the F5 firewall and it resolved the issue.
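
Added example, not part of the original thread: a PowerShell check, run on the on-premises Exchange server, that shows which certificate the server actually receives from outlook.office365.com and whether it chains to a locally trusted root, which is what the "remote certificate is invalid" exception in the question is about. The function name Get-PresentedTlsCertificate is hypothetical, and the script assumes direct outbound TCP 443 (no explicit web proxy).

```powershell
# Added example: inspect the certificate presented on the path to Office 365 EWS.
# Get-PresentedTlsCertificate is a hypothetical helper name, not an Exchange cmdlet.
function Get-PresentedTlsCertificate {
    param(
        [string]$HostName = 'outlook.office365.com',
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate so the handshake completes and the certificate
        # can be examined; no application data is sent over this stream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against the local machine's trust stores.
        # Revocation is skipped so the result reflects trust only.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            ChainTrusted = $trusted
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            ChainIssuers = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Get-PresentedTlsCertificate | Format-List
```

If ChainTrusted is False, or Issuer names a device or internal CA rather than a public CA, the certificate is being replaced or the connection answered somewhere on the network path, so the firewall or proxy policy for the Office 365 endpoints is the place to look.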