TLS 1.2 is coming to Exchange on-premises using hybrid and free/busy might fail

%3CLINGO-SUB%20id%3D%22lingo-sub-3260911%22%20slang%3D%22en-US%22%3ETLS%201.2%20is%20coming%20to%20Exchange%20on-premises%20using%20hybrid%20and%20free%2Fbusy%20might%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3260911%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20article%20is%20intended%20to%20help%20customers%20and%20motivate%20them%20to%20check%20their%20on-premises%20TLS%20settings.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20spring%2C%20your%20on-premises%20users%20might%20not%20be%20able%20to%20do%20free%2Fbusy%20requests%20in%20calendaring%20from%20on-premises%20mailboxes%20towards%20Exchange%20online%20mailboxes.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%2C%20your%20on-premises%20Exchange%20servers%20might%20start%20logging%20events%20like%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELog%20Name%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Application%3C%2FP%3E%0A%3CP%3ESource%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20MSExchange%20Availability%3C%2FP%3E%0A%3CP%3EDate%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2017.03.2022%2009%3A45%3A01%3C%2FP%3E%0A%3CP%3EEvent%20ID%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%204001%3C%2FP%3E%0A%3CP%3ETask%20Category%3A%20Availability%20Service%3C%2FP%3E%0A%3CP%3ELevel%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Error%3C%2FP%3E%0A%3CP%3EKeywords%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Classic%3C%2FP%3E%0A%3CP%3EUser%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20N%2FA%3C%2FP%3E%0A%3CP%3EComputer%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20server01.contoso.com%3C%2FP%3E%0A%3CP%3EDescription%3A%3C%2FP%3E%0A%3CP%3EProcess%20Microsoft.Exchange.InfoWorker.Common.Delayed%601%5BSystem.String%5D%3A%20%3CUSER1%3ESMTP%3AUser1%40contoso.mail.onmicrosoft.com%20failed%20in%20application%20Mailtips.%20Exception%20returned%20is%20Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException%3A%20Autodiscover%20failed%20for%20email%20address%20User1%40contoso.mail.onmicrosoft.com%20with%20error%20System.Net.WebException%3A%20The%20underlying%20connection%20was%20closed%3A%20An%20unexpected%20error%20occurred%20on%20a%20send.%20---%26gt%3B%20System.IO.IOException%3A%20Unable%20to%20read%20data%20from%20the%20transport%20connection%3A%20An%20existing%20connection%20was%20forcibly%20closed%20by%20the%20remote%20host.%20---%26gt%3B%20System.Net.Sockets.SocketException%3A%20An%20existing%20connection%20was%20forcibly%20closed%20by%20the%20remote%20host%3C%2FUSER1%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20interesting%20parts%20of%20the%20event%20above%20are%20the%20following%20pieces%20of%20information%3A%3C%2FP%3E%0A%3CP%3EAutoDiscoverFailedException%3A%20Autodiscover%20failed%3C%2FP%3E%0A%3CP%3Eand%3C%2FP%3E%0A%3CP%3EThe%20underlying%20connection%20was%20closed%3A%20An%20unexpected%20error%20occurred%20on%20a%20%3CSTRONG%3Esend%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESince%20Autodiscover%20fails%2C%20let%E2%80%99s%20test%20it%20from%20the%20on-prem%20server%20and%20see%20if%20it%20can%20reach%20the%20server%20in%20Exchange%20online%20via%20Powershell%3A%3C%2FP%3E%0A%3CP%3EInvoke-WebRequest%20-Uri%20%22%3CA%20href%3D%22https%3A%2F%2Fautodiscover-s.outlook.com%2Fautodiscover%2Fautodiscover.svc%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fautodiscover-s.outlook.com%2Fautodiscover%2Fautodiscover.svc%22%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20a%20non-working%20on-prem%20server%2C%20I%20get%20the%20result%3A%3C%2FP%3E%0A%3CP%3EThe%20underlying%20connection%20was%20closed%3A%20An%20unexpected%20error%20occurred%20on%20a%20send.%3C%2FP%3E%0A%3CP%3EThis%20error%20is%20unexpected%2C%20whereas%20this%20401%20would%20have%20been%20expected%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22FrankPlawetzki_0-1647601369983.png%22%20style%3D%22width%3A%20653px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F356812i4E732E44E9A10009%2Fimage-dimensions%2F653x98%3Fv%3Dv2%22%20width%3D%22653%22%20height%3D%2298%22%20role%3D%22button%22%20title%3D%22FrankPlawetzki_0-1647601369983.png%22%20alt%3D%22FrankPlawetzki_0-1647601369983.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20raises%20some%20suspicion%2C%20if%20the%20TLS%20settings%20on-premises%20are%20ok%20when%20the%20on-prem%20servers%20try%20to%20reach%20the%20servers%20in%20Exchange%20online.%3C%2FP%3E%0A%3CP%3EYou%20can%20verify%20that%20your%20on-prem%20TLS%20settings%20are%20outdated%2C%20by%20forcing%20TLS%201.2%20for%20the%20above%20test%20connection%20trying%20this%20Powershell%20call%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%5BNet.ServicePointManager%5D%3A%3ASecurityProtocol%20%2B%3D%20%5BNet.SecurityProtocolType%5D%3A%3ATls12%3C%2FP%3E%0A%3CP%3EInvoke-WebRequest%20-Uri%20%22%3CA%20href%3D%22https%3A%2F%2Fautodiscovers.outlook.com%2Fautodiscover%2Fautodiscover.svc%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fautodiscover-s.outlook.com%2Fautodiscover%2Fautodiscover.svc%3C%2FA%3E%22%3C%2FP%3E%0A%3CP%3EThe%20result%20now%20as%20expect%20is%3A%3C%2FP%3E%0A%3CP%3EInvoke-WebRequest%20%3A%20The%20remote%20server%20returned%20an%20error%3A%20(401)%20Unauthorized.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20now%20have%20proof%20that%20the%20TLS%20settings%20on-premises%20are%20outdated%20and%20your%20on-prem%20server%20not%20using%20TLS%201.2%20prevents%20your%20server%20from%20connecting%20to%20the%20Exchange%20online%20servers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20hast%20announced%20in%20Messager%20Center%20Post%20MC240160%20and%20here%3A%3C%2FP%3E%0A%3CP%3EDisabling%20TLS%201.0%20and%201.1%20for%20Microsoft%20365%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Ftls-1.0-and-1.1-deprecation-for-office-365%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Ftls-1.0-and-1.1-deprecation-for-office-365%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%0A%3CP%3Ethat%20we%20are%20enabling%20TLS%201.2%20more%20and%20more%20in%20Exchange%20online%20starting%20October%202020%20and%20now%20it%20affects%20more%20and%20more%20Exchange%20customers%20who%20so%20far%20have%20not%20enabled%20support%20for%20TLS%201.2%20on-premises.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20has%20announced%20the%20deprecation%20of%20TLS%201.0%20and%20TLS%201.1%20already%20in%202018.%20Those%20articles%20also%20contain%20detailed%20information%20on%20how%20you%20can%20enable%20TLS%201.2%2C%20which%20in%20short%20is%20only%20adding%20some%20registry%20keys%20and%20doing%20a%20reboot%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fexchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2%2Fba-p%2F607649%22%20target%3D%22_blank%22%3EExchange%20Server%20TLS%20guidance%2C%20part%201%3A%20Getting%20Ready%20for%20TLS%201.2%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fexchange-server-tls-guidance-part-2-enabling-tls-1-2-and%2Fba-p%2F607761%22%20target%3D%22_blank%22%3EExchange%20Server%20TLS%20guidance%20Part%202%3A%20Enabling%20TLS%201.2%20and%20Identifying%20Clients%20Not%20Using%20It%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fexchange-server-tls-guidance-part-3-turning-off-tls-1-0-1-1%2Fba-p%2F607898%22%20target%3D%22_blank%22%3EExchange%20Server%20TLS%20guidance%20Part%203%3A%20Turning%20Off%20TLS%201.0%2F1.1%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EAs%20these%20articles%20above%20explain%2C%20you%20can%20enable%20TLS%201.2%20in%20addition%20to%20your%20current%20usage%20of%20older%20TLS%20versions%20and%20solve%20your%20Free%2FBusy%20issue.%3C%2FP%3E%0A%3CP%3ELater%2C%20you%20can%20disable%20TLS%201.0%20and%201.1%20since%20they%20are%20not%20secure%20anymore.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20prevent%20configuration%20errors%20like%20this%2C%20Microsoft%20recommends%20running%20the%20Exchange%20health%20checker%20on%20your%20on-premises%20Exchange%20servers%20on%20a%20regular%20basis%2C%20e.g.%20each%20month%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FExchangeHealthChecker%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FExchangeHealthChecker%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3260911%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3263781%22%20slang%3D%22en-US%22%3ERe%3A%20TLS%201.2%20is%20coming%20to%20Exchange%20on-premises%20using%20hybrid%20and%20free%2Fbusy%20might%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3263781%22%20slang%3D%22en-US%22%3EExcellent%20write-up!%20My%20company%20got%20bit%20by%20this%20a%202%20months%20ago%20and%20it%20took%205%20weeks%20worth%20of%20troubleshooting%20with%20MS%20to%20find%20the%20root%20cause.%20Hopefully%20this%20saves%20others!%3C%2FLINGO-BODY%3E
Microsoft

 

This article is intended to help customers and motivate them to check their on-premises TLS settings.

 

This spring, your on-premises users might not be able to do free/busy requests in calendaring from on-premises mailboxes towards Exchange online mailboxes.

 

In addition, your on-premises Exchange servers might start logging events like this:

 

Log Name:      Application

Source:        MSExchange Availability

Date:          17.03.2022 09:45:01

Event ID:      4001

Task Category: Availability Service

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      server01.contoso.com

Description:

Process Microsoft.Exchange.InfoWorker.Common.Delayed`1[System.String]: <User1@contoso.mail.onmicrosoft.com>SMTP:User1@contoso.mail.onmicrosoft.com failed in application Mailtips. Exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException: Autodiscover failed for email address User1@contoso.mail.onmicrosoft.com with error System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

 

The interesting parts of the event above are the following pieces of information:

AutoDiscoverFailedException: Autodiscover failed

and

The underlying connection was closed: An unexpected error occurred on a send

 

Since Autodiscover fails, let’s test it from the on-prem server and see if it can reach the server in Exchange online via Powershell:

Invoke-WebRequest -Uri "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc"

 

On a non-working on-prem server, I get the result:

The underlying connection was closed: An unexpected error occurred on a send.

This error is unexpected, whereas this 401 would have been expected:

FrankPlawetzki_0-1647601369983.png

 

This raises some suspicion, if the TLS settings on-premises are ok when the on-prem servers try to reach the servers in Exchange online.

You can verify that your on-prem TLS settings are outdated, by forcing TLS 1.2 for the above test connection trying this Powershell call:

 

[Net.ServicePointManager]::SecurityProtocol += [Net.SecurityProtocolType]::Tls12

Invoke-WebRequest -Uri "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc"

The result now as expect is:

Invoke-WebRequest : The remote server returned an error: (401) Unauthorized.

 

 

You now have proof that the TLS settings on-premises are outdated and your on-prem server not using TLS 1.2 prevents your server from connecting to the Exchange online servers.

 

Microsoft hast announced in Messager Center Post MC240160 and here:

Disabling TLS 1.0 and 1.1 for Microsoft 365

https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365...

that we are enabling TLS 1.2 more and more in Exchange online starting October 2020 and now it affects more and more Exchange customers who so far have not enabled support for TLS 1.2 on-premises.

 

Microsoft has announced the deprecation of TLS 1.0 and TLS 1.1 already in 2018. Those articles also contain detailed information on how you can enable TLS 1.2, which in short is only adding some registry keys and doing a reboot:

Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2

Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

As these articles above explain, you can enable TLS 1.2 in addition to your current usage of older TLS versions and solve your Free/Busy issue.

Later, you can disable TLS 1.0 and 1.1 since they are not secure anymore.

 

To prevent configuration errors like this, Microsoft recommends running the Exchange health checker on your on-premises Exchange servers on a regular basis, e.g. each month:

https://aka.ms/ExchangeHealthChecker

1 Reply
Excellent write-up! My company got bit by this a 2 months ago and it took 5 weeks worth of troubleshooting with MS to find the root cause. Hopefully this saves others!