Hosted Exchange to Exchange Online Migration - Outlook Profile Creation

%3CLINGO-SUB%20id%3D%22lingo-sub-1810815%22%20slang%3D%22en-US%22%3EHosted%20Exchange%20to%20Exchange%20Online%20Migration%20-%20Outlook%20Profile%20Creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1810815%22%20slang%3D%22en-US%22%3E%3CP%3EHello.%3C%2FP%3E%3CP%3EWe%20are%20currently%20in%20a%20divestiture%20scenario%20where%20we%20are%20migrating%20from%20an%20existing%20Hybrid%20Exchange%202010%20environment%20into%20a%20separate%20365%20tenant%20as%20our%20target.%20Our%20source%20mailboxes%20are%20hosted%20On-Premises%20and%20we%20are%20using%20a%203rd%20party%20tool%20to%20migrate%20data%20into%20the%20target%20Exchange%20Online%20environment.%20The%20source%20PC's%20are%20maintaining%20their%20source%20Active%20Directory%20Domain%20membership%20for%20the%20time%20being.%20Exchange%20is%20the%20only%20workload%20migrating%20at%20this%20point%20so%20we%20need%20to%20maintain%20two%20identities.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20issue%20occurs%20where%20when%20the%20PC%20is%20connected%20via%20VPN%20or%20directly%20on%20the%20On-Premises%20network%2C%20Outlook%20does%20not%20create%20a%20new%20profile.%20Internet%20connected%20PC's%20are%20able%20to%20create%20a%20profile%20successfully.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20attempted%20to%20bypass%20Autodiscover%20by%20using%20the%20following%20registry%20keys%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPreferLocalXML%2C%201%3C%2FP%3E%3CP%3EExcludeHttpsAutodiscoverDomain%2C%201%3C%2FP%3E%3CP%3EExcludeHttpsRootDomain%2C1%3C%2FP%3E%3CP%3EExcludeSCPLookup%2C%201%3C%2FP%3E%3CP%3EExcludeSrvLookup%2C%201%3C%2FP%3E%3CP%3EExcludeSrvRecord%2C%201%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20also%20have%20the%20following%20key%20set%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHKEY_CURRENT_USER%5CSoftware%5CMicrosoft%5CExchange%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EAlwaysUseMSOAuthForAutoDiscover%3C%2FSTRONG%3E%2C%201%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Profile%20creation%20fails%20with%20the%20following%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe're%20sorry%20we%20couldn't%20setup%20your%20account%20automatically%2C%20to%20try%20setting%20up%20your%20account%20yourself%20click%20Next.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EManual%20Setup%20does%20not%20work%20either.%20We%20have%20run%20the%20SARA%20tool%20and%20the%20results%20are%20somewhat%20inconsistent.%20We%20do%20have%20Autodiscover%20failures%20but%20then%20successes%20as%20well.%20In%20the%20end%20the%20only%20error%20from%20the%20SARA%20log%20that%20we%20see%20somewhat%20consistently%20is%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E%3CRESULTSUPPORTMESSAGE%3EWe%20couldn't%20obtain%20the%20remote%20SSL%20certificate.%3C%2FRESULTSUPPORTMESSAGE%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EWe%20couldn't%20validate%20the%20SSL%20certificate%20because%20the%20SSL%20negotiation%20was%20unsuccessful.%20This%20could%20have%20happened%20because%20of%20a%20network%20error%20or%20a%20problem%20with%20the%20certificate%20installation.%20%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ESystem.IO.IOException%3A%20Authentication%20failed%20because%20the%20remote%20party%20has%20closed%20the%20transport%20stream.%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3Eat%20System.Net.Security.SslState.StartReadFrame(Byte%5B%5D%20buffer%2C%20Int32%20readBytes%2C%20AsyncProtocolRequest%20asyncRequest)%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3Eat%20System.Net.Security.SslState.StartReceiveBlob(Byte%5B%5D%20buffer%2C%20AsyncProtocolRequest%20asyncRequest)%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3Eat%20System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken%20message%2C%20AsyncProtocolRequest%20asyncRequest)%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3Eat%20System.Net.Security.SslState.StartSendBlob(Byte%5B%5D%20incoming%2C%20Int32%20count%2C%20AsyncProtocolRequest%20asyncRequest)%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3Eat%20System.Net.Security.SslState.ForceAuthentication(Boolean%20receiveFirst%2C%20Byte%5B%5D%20buffer%2C%20AsyncProtocolRequest%20asyncRequest)%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3Eat%20System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult%20lazyResult)%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3Eat%20System.Net.Security.SslStream.AuthenticateAsClient(String%20targetHost%2C%20X509CertificateCollection%20clientCertificates%2C%20SslProtocols%20enabledSslProtocols%2C%20Boolean%20checkCertificateRevocation)%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3Eat%20Microsoft.Online.CSE.HRC.Analysis.Analyzers.AutoD.SSLCertificateAnalyzer.CollectSSLCertificate()%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CBR%20%2F%3E%3CEM%3E%3CADVANCEDHTTPRESPONSEINFO%3E%3C%2FADVANCEDHTTPRESPONSEINFO%3E%3C%2FEM%3E%3CP%3E%3C%2FP%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1810815%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ehybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMigration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

Hello.

We are currently in a divestiture scenario where we are migrating from an existing Hybrid Exchange 2010 environment into a separate 365 tenant as our target. Our source mailboxes are hosted On-Premises and we are using a 3rd party tool to migrate data into the target Exchange Online environment. The source PC's are maintaining their source Active Directory Domain membership for the time being. Exchange is the only workload migrating at this point so we need to maintain two identities.

 

The issue occurs where when the PC is connected via VPN or directly on the On-Premises network, Outlook does not create a new profile. Internet connected PC's are able to create a profile successfully.

 

We have attempted to bypass Autodiscover by using the following registry keys:

 

PreferLocalXML, 1

ExcludeHttpsAutodiscoverDomain, 1

ExcludeHttpsRootDomain,1

ExcludeSCPLookup, 1

ExcludeSrvLookup, 1

ExcludeSrvRecord, 1

 

We also have the following key set:

 

HKEY_CURRENT_USER\Software\Microsoft\Exchange

 

AlwaysUseMSOAuthForAutoDiscover, 1

 

The Profile creation fails with the following error:

 

We're sorry we couldn't setup your account automatically, to try setting up your account yourself click Next.

 

Manual Setup does not work either. We have run the SARA tool and the results are somewhat inconsistent. We do have Autodiscover failures but then successes as well. In the end the only error from the SARA log that we see somewhat consistently is the following:

 

<ResultSupportMessage>We couldn't obtain the remote SSL certificate.
We couldn't validate the SSL certificate because the SSL negotiation was unsuccessful. This could have happened because of a network error or a problem with the certificate installation.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Microsoft.Online.CSE.HRC.Analysis.Analyzers.AutoD.SSLCertificateAnalyzer.CollectSSLCertificate()</ResultSupportMessage>
<AdvancedHttpResponseInfo />

0 Replies