Search-AdminAuditLog - need to enable TLS 1.0 to work correctly

  • Question

  • Hi All,

    I use a third party audit tool for our environment.  The third party tool uses Search-AdminAuditLog.  I noticed errors appearing in Event Viewer showing Search-AdminAuditLog failed.  If I run the command in EMS, I see the error Search-AdminAuditLog:  The attempt to search the administrator audit log failed.  Please try again later. 

    I made multiple changes to the Exchange 2013 and had to undo 1 by 1 until I found why the cmdlet was failing.  I discovered it was disabled TLS1.0.  I enable TLS1.0 and Search-AdminAuditLog works correctly.  Other services work fine when only TLS1.2 is enabled, like OWA.  I do not use POP3 and IMAP.  I have read TLS1.0 disabled can break POP3 and IMAP.  Any other cmdlets that did not work correctly when TLS1.0 is disabled?

    In a test environment, I updated from CU18 to CU23 and it did not correct the issue.  Does anyone know why TLS1.0 needs to be enabled for the cmdlet to work correctly?   Is there something else that needs to be updated, enabled, or disabled to make Search-AdminAuditLog work correctly when TLS1.0 is disabled?  I assume this is not the behavior for Exchange 2016 and 2019.  Yes or No?

    Regards,

    Jason M.


    • Edited by JasonRoM Monday, July 15, 2019 8:55 PM
    Monday, July 15, 2019 6:59 PM

Answers

  • I posted the issue on another forum at https://community.spiceworks.com/topic/2222892-search-adminauditlog-need-to-enable-tls-1-0-to-work-correctly?page=1#entry-8477596

    CrazyLefty provided the solution.  Enable TLS 1.2 for .NET

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    https://docs.microsoft.com/en-us/sccm/core/plan-design/security/enable-tls-1-2#update-net-framework-to-support-tls-12

    Jason M.

    • Marked as answer by JasonRoM Monday, July 29, 2019 2:17 PM
    Monday, July 29, 2019 2:17 PM
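
A read-only check for the condition this thread ran into, added here as an example (it is not code from the thread or from Microsoft): it reads the four .NET Framework keys from the answer above and compares them with the Schannel TLS 1.0 state. The Schannel `Protocols` path is the standard Windows location and is an assumption, since the thread does not quote it; `Get-RegDword` is a hypothetical helper name.

```powershell
# Added example: audit only, nothing in the registry is changed.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# The four .NET Framework keys listed in the accepted answer.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

$netReport = foreach ($key in $netKeys) {
    $strong = Get-RegDword -Path $key -Name 'SchUseStrongCrypto'
    $sysDef = Get-RegDword -Path $key -Name 'SystemDefaultTlsVersions'
    [pscustomobject]@{
        Key                      = $key
        SchUseStrongCrypto       = $strong
        SystemDefaultTlsVersions = $sysDef
        OptedIn                  = ($strong -eq 1 -and $sysDef -eq 1)
    }
}

# Schannel TLS 1.0 state (assumed standard path; Enabled=0 means switched off).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$tls10 = foreach ($role in 'Client', 'Server') {
    $enabled = Get-RegDword -Path "$schannel\TLS 1.0\$role" -Name 'Enabled'
    [pscustomobject]@{ Role = $role; Enabled = $enabled; Disabled = ($enabled -eq 0) }
}

$netReport | Format-Table -AutoSize
$tls10     | Format-Table -AutoSize

# Flag the mismatch: TLS 1.0 off in Schannel while .NET has not been opted in.
$notOptedIn = @($netReport | Where-Object { -not $_.OptedIn })
$tls10Off   = @($tls10 | Where-Object { $_.Disabled })
if ($tls10Off.Count -gt 0 -and $notOptedIn.Count -gt 0) {
    $msg = "TLS 1.0 is disabled in Schannel but $($notOptedIn.Count) .NET key(s) " +
           "lack SchUseStrongCrypto/SystemDefaultTlsVersions = 1."
    Write-Warning $msg
}
```

Processes that were already running when the values were written, such as the w3wp application pool named in the event below, read them only at start-up, so re-test after a restart.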

All replies

  • Hi Jason,

     

    Could you search admin audit in ECP?

     

    With my research,  there's no related clarification that the Search-AdminAuditLog cmdlet needs to enable TLS1.0.

     

    Please try the methods in the articles below to disable TLS1.0 and enable TLS1.1 manually.

     

    Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

    Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

     

    To avoid third party audit tool impact, please remove the tool from the server temporarily, then run the Search-AdminAuditLog cmdlet on EMS, check the result.

     

    What’s more, make sure Microsoft Exchange Search service is running properly.

     

    Regards,

    Kelvin Deng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Tuesday, July 16, 2019 3:42 AM
  • Hi Kelvin,

    When TLS1.0 is disabled, I can't run any Search-AdminAuditLog with parameters directly on the Exchange server.   I can't run Search-AdminAuditLog by itself, no parameters.  The 3rd party audit tool is not installed on the Exchange server.  The audit tool is installed on a workstation.  The audit tool supports TLS1.2 and older.  The audit tool uses the Search-AdminAuditLog cmdlets to gather logs and imports into the software.

    I previously used the same links you provided as a guide to enable and disable SSL and TLS. 

    Regards,

    Jason M.

    Tuesday, July 16, 2019 5:30 PM
  • Hi Jason,

     

    Could you search admin audit in ECP?

     

    1. Make sure the Microsoft Exchange Search and the Microsoft Exchange Search Host Controller service are running.

    2. Check the properties of the DiscoverySearchMailbox and verify that the homeMDB attribute is set to a mounted database.

    3. If the steps above don't work, you could keep TLS 1.0 and TLS 1.2 enabled, which does not affect the server function. Or re-create a new Discovery System Mailbox to check the result. You can refer to the following article.

     

    Re-Create the Discovery System Mailbox

     

    By the way, review the application log for any related errors.

     

    Regards,

    Kelvin Deng




    Friday, July 19, 2019 8:29 AM
  • Kelvin,

    I cannot search admin audits in ECP when TLS1.0 is disabled.  Microsoft Exchange Search and the Microsoft Exchange Search Host Controller service are running.  The properties of the DiscoverySearchMailbox and the homeMDB attribute is set to a mounted database.  I have recreated the discovery system mailbox, SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}.  I also recreated the "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}". 

    Regards,

    Jason M.

    Monday, July 22, 2019 5:48 PM
  • Here is the Event ID when I use Search-AdminAuditLog AND TLS1.0 is disabled.  Search-AdminAuditLog works correctly when TLS1.0 is enabled.

    The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    Search-AdminAuditLog
    mydomain.com/Domain Administrators/AdminUser
    S-1-5-21-202776249-1970015660-313073093-500
    S-1-5-21-202776249-1970015660-313073093-500
    Remote-ManagementShell-Unknown
    2800 w3wp#MSExchangePowerShellAppPool
    42
    00:00:00.0621417
    View Entire Forest: 'False', Default Scope: 'mydomain.com', Configuration Domain Controller: 'ad.mydomain.com', Preferred Global Catalog: 'ad.mydomain.com', Preferred Domain Controllers: '{ ad.mydomain.com }'
    Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogSearchException: The attempt to search the administrator audit log failed. Please try again later. ---> Microsoft.Exchange.Data.ApplicationLogic.AuditLogException: An error occurred while trying to access the audit log. For more details, see the inner exception. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
       at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
       --- End of inner exception stack trace ---
       at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](CustomSoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
       at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.GetFolder(GetFolderType GetFolder1)
       at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
       at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CheckAndCreateWellKnownFolder(DistinguishedFolderIdNameType parentFolder, DistinguishedFolderIdNameType targetFolder, FolderIdType& targetFolderId)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogSearchWorker.Search()
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
       at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.SearchAdminAuditLog.WriteResult[T](IEnumerable`1 dataObjects)
       at Microsoft.Exchange.Configuration.Tasks.GetTaskBase`1.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)Admin audit log search criteria:
    OrganizationId=
    StartDateUtc=7/7/2019 5:49:55 PM
    EndDateUtc=7/22/2019 5:49:55 PM
    ExternalAccess=NULL
    Cmdlets
    Parameters
    ObjectIds
    UserIds
    Succeeded=
    0
    Microsoft.Exchange.Data.ApplicationLogic.AuditLogException: An error occurred while trying to access the audit log. For more details, see the inner exception. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
       at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
       --- End of inner exception stack trace ---
       at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](CustomSoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
       at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.GetFolder(GetFolderType GetFolder1)
       at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
       at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CheckAndCreateWellKnownFolder(DistinguishedFolderIdNameType parentFolder, DistinguishedFolderIdNameType targetFolder, FolderIdType& targetFolderId)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogSearchWorker.Search()
    Ex14B396
    False
    0 objects execution has been proxied to remote server.
    Request Filter used is: (&(objectCategory=msExchAdminAuditLogConfig)(|(&(msExchVersion<=1125899906842624)(!(msExchVersion=1125899906842624)))(!(msExchVersion=*))))
    0
    ActivityId: 3ccfc256-a541-4cd4-864e-82456ded8ca2
    ServicePlan:;IsAdmin:True;
    en-US

    the message resource is present but the message is not found in the string/message table

    Monday, July 22, 2019 5:59 PM
  • Hi Jason,

     

    After further research, given the complexity of the issue and the limited support resources in our forum, I suggest you refer to the following link and open a ticket; the engineers will provide professional support to you.

     

    https://support.microsoft.com/en-sg/hub/4343728/support-for-business

     

    Regards,

    Kelvin Deng




    Thursday, July 25, 2019 5:57 AM