Exchange Federation issue EX2013-Ex2010

  • Question

  • Dear all,

     

    we have got a problem after upgrading our Exchange 2010 environment to Exchange 2013 CU5 and our partner who is using Exchange 2010 SP3 RU5.

    In Forest A we are in transition from Exchange 2010 to Exchange 2013, HUB and CAS 2013 are already in production, only 99% of the mailboxes are located on the Exchange 2010 Mailbox Servers. Only some of our test accounts are already migrated to Exchange 2013 mailbox servers.

     

    In Forest B we got a regular Exchange 2010 SP3 RU5 environment.

    In both forests exchange is secured with Microsoft TMGs.

     

    Right now Users from Forest B (EX2010, and also our Test-User on EX2013) are able to check – via Federation – Free/Busy information from Forest A.

    Users from Forest B can only check free/busy information for users who are located on Exchange 2010 servers. For all our test users who are already migrated to Exchange 2013, there is no free/busy available.

     

    We already set Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication:$true and Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication:$true on all Exchange 2013 CAS servers. We also restarted the IIS services on these servers.

     

    We did several tests and we also got an error message, but we can't find a solution for that.

    This was the significant line in the federation trust test:

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:InvalidSecurity

    Thank you in advance for your help.

    Kind regards, Jens

     

    [PS] C:\Windows\system32>Test-OrganizationRelationship -UserIdentity Testuser@forestB.com -Identity forestA.com -verbose

    VERBOSE: [05:47:16.270 GMT] Test-OrganizationRelationship : Active Directory session settings for

    'Test-OrganizationRelationship' are: View Entire Forest: 'False', Default Scope: 'forstB.com', Configuration

    Domain Controller: DC.forestB.com, Preferred Global Catalog: 'dc.forestB.com', Preferred Domain

     Controllers: '{ dc.forestB.com }'

    VERBOSE: [05:47:16.270 GMT] Test-OrganizationRelationship : Runspace context: Executing user:

    forest\testuser, Executing user organization: , Current organization: , RBAC-enabled: Enabled.

    VERBOSE: [05:47:16.270 GMT] Test-OrganizationRelationship : Beginning processing &

    VERBOSE: [05:47:16.302 GMT] Test-OrganizationRelationship : Instantiating handler with index 0 for cmdlet extension

    agent "Admin Audit Log Agent".

    VERBOSE: [05:47:16.692 GMT] Test-OrganizationRelationship : Current ScopeSet is: { Recipient Read Scope: {{, }},

    Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive

    Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }

    VERBOSE: [05:47:16.692 GMT] Test-OrganizationRelationship : Searching objects "testuser@forestB.com" of type

    "ADUser" under the root "$null".

    VERBOSE: [05:47:16.708 GMT] Test-OrganizationRelationship : Previous operation run on global catalog server

    'dc.forestB.com'.

    VERBOSE: [05:47:16.708 GMT] Test-OrganizationRelationship : Searching objects "forestA.com" of type

    "OrganizationRelationship" under the root "$null".

    VERBOSE: [05:47:16.723 GMT] Test-OrganizationRelationship : Previous operation run on domain controller

    dc.forestA.com.

    VERBOSE: Test that organization relationships are properly configured.

    VERBOSE: [05:47:16.723 GMT] Test-OrganizationRelationship : Resolved current organization: .

    VERBOSE: [05:47:16.723 GMT] Test-OrganizationRelationship : The client is using the following proxy for the remote

    call: http://192.168.0.1:8080/.

    VERBOSE: [05:47:16.723 GMT] Test-OrganizationRelationship : Calling the Microsoft Exchange Autodiscover service for the

     remote federation information.

    VERBOSE: [05:47:17.130 GMT] Test-OrganizationRelationship : The Autodiscover call succeeded for the following URL:

    https://autodiscover.forestA.com/autodiscover/autodiscover.svc.

    VERBOSE: [05:47:17.130 GMT] Test-OrganizationRelationship : Generating delegation token for user

    testuser@forestB.com for application FYDIBOHF25SPDLT.forestA.com.

    VERBOSE: [05:47:18.489 GMT] Test-OrganizationRelationship : The delegation token was successfully generated.

    VERBOSE: [05:47:18.489 GMT] Test-OrganizationRelationship : The Microsoft Exchange Autodiscover service is being called

     to determine the remote organization relationship settings.

    VERBOSE: [05:47:18.489 GMT] Test-OrganizationRelationship : The client is using the following proxy for the remote

    call: http://192.168.0.1:8080/.

    VERBOSE: [05:47:18.489 GMT] Test-OrganizationRelationship : The Client will call the Microsoft Exchange Autodiscover

    service using the following URL: https://autodiscover.forestA/autodiscover/autodiscover.svc/WSSecurity.

    VERBOSE: [05:47:18.833 GMT] Test-OrganizationRelationship : The Microsoft Exchange Autodiscover service failed to be

    called at 'https://autodiscover.forestA/autodiscover/autodiscover.svc/WSSecurity' because the following error

    occurred: SoapException.Code =

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:InvalidSecurity

    Exception:

    System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message.

       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse

    response, Stream responseStream, Boolean asyncCall)

       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

       at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.<Invoke>b__3()

       at

    Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NoHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol

     client, AuthenticateAndExecuteHandler`1 handler)

       at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol

    client, AuthenticateAndExecuteHandler`1 handler)

       at

    Microsoft.Exchange.SoapWebClient.AutoDiscover.DefaultBinding_Autodiscover.GetOrganizationRelationshipSettings(GetOrgani

    zationRelationshipSettingsRequest Request)

       at

    Microsoft.Exchange.Management.Sharing.TestOrganizationRelationship.<>c__DisplayClass8.<GetInvokeDelegate>b__7(DefaultBi

    nding_Autodiscover binding)

       at

    Microsoft.Exchange.SoapWebClient.AutodiscoverClient.<>c__DisplayClassf.<InvokeAndFollowSecureRedirects>b__c(IWebProxy

    webProxy)

       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeWithWebProxy(String url, InvokeWithWebProxyDelegate

    invokeWithWebProxy)

       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeAndFollowSecureRedirects(InvokeDelegate invokeDelegate,

     Uri url)

       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeForUrl(InvokeDelegate invokeDelegate, Uri url)

     

    .

    VERBOSE: [05:47:18.833 GMT] Test-OrganizationRelationship : The Autodiscover call failed.

     

     

    RunspaceId  : d80668f1-bedf-4fd3-ad08-90db0132da5c

    Identity    :

    Id          : AutodiscoverServiceCallFailed

    Status      : Error

    Description : The Autodiscover call failed.

    IsValid     : True

     

    VERBOSE: [05:47:18.833 GMT] Test-OrganizationRelationship : Admin Audit Log: Entered Handler:OnComplete.

    VERBOSE: [05:47:18.833 GMT] Test-OrganizationRelationship : Ending processing &



    Wednesday, June 18, 2014 6:04 AM
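
As an added example (not part of the original post), the PowerShell below triages a saved Test-OrganizationRelationship -Verbose transcript like the one above: it lists each Autodiscover call with its host, path, outcome and SOAP fault name, so the plain and /WSSecurity endpoints can be compared side by side. Get-FederationCallResult is a hypothetical helper name, and the sample input is constructed from entries quoted in the post.

```powershell
# Added example, not from the thread. $sample is constructed from three log
# entries quoted in the post, with the console line wrapping removed.
$sample = @'
VERBOSE: [05:47:17.130 GMT] Test-OrganizationRelationship : The Autodiscover call succeeded for the following URL: https://autodiscover.forestA.com/autodiscover/autodiscover.svc.
VERBOSE: [05:47:18.489 GMT] Test-OrganizationRelationship : The Client will call the Microsoft Exchange Autodiscover service using the following URL: https://autodiscover.forestA/autodiscover/autodiscover.svc/WSSecurity.
VERBOSE: [05:47:18.833 GMT] Test-OrganizationRelationship : The Microsoft Exchange Autodiscover service failed to be called at 'https://autodiscover.forestA/autodiscover/autodiscover.svc/WSSecurity' because the following error occurred: SoapException.Code = http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:InvalidSecurity
'@

# Get-FederationCallResult is a hypothetical helper name, not an Exchange cmdlet.
function Get-FederationCallResult {
    param([Parameter(Mandatory)][string]$Transcript)

    # Undo console wrapping: join all lines, then split again before each entry.
    $flat = ($Transcript -split '\r?\n' | ForEach-Object { $_.Trim() } |
             Where-Object { $_ }) -join ' '
    $entries = $flat -split '(?=VERBOSE: \[)' | Where-Object { $_ -match '^VERBOSE: \[' }

    foreach ($entry in $entries) {
        $result = $null; $fault = $null
        if ($entry -match 'call succeeded for the following URL:\s*(?<url>https?://\S+?)\.?\s*$') {
            $result = 'Succeeded'
        }
        elseif ($entry -match "failed to be called at '(?<url>[^']+)'.*?SoapException\.Code =\s*(?<code>\S+)") {
            $result = 'Failed'
            # The fault name is the part after the last ':' of the qualified code.
            $fault = ($Matches['code'] -split ':')[-1]
        }
        if (-not $result) { continue }   # entry is not a call outcome

        $url = [uri]$Matches['url']
        [pscustomobject]@{
            Time       = ($entry -replace '^VERBOSE: \[([\d:.]+) GMT\].*$', '$1')
            HostName   = $url.Host
            Path       = $url.AbsolutePath
            WSSecurity = $url.AbsolutePath -match '/WSSecurity$'
            Result     = $result
            Fault      = $fault
        }
    }
}

Get-FederationCallResult -Transcript $sample | Format-Table -AutoSize
```
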

All replies

  • All Forest A URLs are pointing to the Exchange 2013 CAS servers, right?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Sunday, June 22, 2014 3:02 AM
    Moderator
  • yes, exactly
    Monday, June 23, 2014 11:22 AM