Office 365 Insight into the Hybrid Configuration Wizard Part 2

I decided to extend the Insight into the Hybrid Configuration Wizard article by another two parts, because I've been getting numerous requests to help troubleshoot the dreaded Get-FederationInformation exception.

Let's recap the high-level steps the HCW runs through:

  1. Global Prerequisites task – prerequisite check (covered here).
  2. Legacy Exchange Support Task – Legacy Exchange requirements (covered here).
  3. Recipient Configuration Task – Accepted domains and email address policy changes.
  4. Organization Relationship Task – Federation configuration.
  5. On Off Settings Task – Organization Relationship config like Availability Address Space, Free Busy Access, TargetOWAURL etc.
  6. Hybrid mail flow task – Creates send and receive connectors for Hybrid mail flow.

I'm going to skip the Recipient Configuration Task here and cover it in my next article. This article focuses on step 4, the Organization Relationship Task.

So let’s get right into it.

As the task name suggests, this step will:

  1. Create the Federation Trust with the Microsoft Federation Gateway,
  2. Add federated domains and
  3. Create the organizational relationships between the two environments.

From what I've seen and heard in the field, most of the issues occur at sub-step 3, creating the organization relationships.

That sub-step runs a routine called ProvisionOrganizationRelationship. The very first thing it does is retrieve the federation information for the domain the organization relationship will cover. I'll use uclabz.com as the example on-premises domain.

  • First, from the on-premises session, it retrieves the tenant's federation information:
 Get-FederationInformation -DomainName uclabz.onmicrosoft.com -BypassAdditionalDomainValidation:$true
  • Then it creates the organization relationship to Exchange Online using the results from the above:
 New-OrganizationRelationship -Name <relationship name> -TargetApplicationUri "*.outlook.com" -TargetAutodiscoverEpr <the Exchange Online Autodiscover URL> -Enabled:$true -DomainNames uclabz.mail.onmicrosoft.com
  • Next it runs Get-FederationInformation from the tenant session, this time against the on-premises domain. This is where everything breaks for most people:
 Get-FederationInformation -DomainName uclabz.com -BypassAdditionalDomainValidation:$true

Let’s pause here for a moment.

So why does the code do this? It's simple: Get-FederationInformation returns the correct TargetApplicationUri, TargetAutodiscoverEpr and DomainNames values, which are exactly the parameters New-OrganizationRelationship needs, so the wizard never has to guess them.

The issues occur because customers deploy the surrounding pieces in many different ways: Autodiscover, certificates, reverse proxies and so on.

Let’s take an example – Autodiscover:

  • You publish Autodiscover in public DNS with an SRV record only, and you do not create an A record for autodiscover.company.com.
  • You run the Remote Connectivity Analyzer and everything seems to work fine, because the analyzer (like Outlook) follows the SRV record.
  • Then you run the Hybrid Configuration Wizard and it bombs out at Get-FederationInformation with the following:

 Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.
 Federation information could not be received from the external organization.
 at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)

The reason is how the Get-FederationInformation cmdlet discovers the remote organization. It does not follow the SRV record or an HTTP redirect; it only tries the following URLs, in this order. Because the request comes from Exchange Online, each hostname must resolve in public DNS and present a certificate the remote side trusts:

  1. https://autodiscover.uclabz.com/autodiscover/autodiscover.svc
  2. https://uclabz.com/autodiscover/autodiscover.svc
  3. https://autodiscover.uclabz.com/autodiscover/autodiscover.xml
  4. https://uclabz.com/autodiscover/autodiscover.xml

So, as you can see from the above, you need the correct A records in public DNS for this step to work; an SRV-only Autodiscover setup will not be found.

Here are some more tips on what to check for when you run into this problem:

  • Ensure Autodiscover works as described above: the autodiscover.<domain> A record in public DNS must point at the Hybrid servers. Use the Remote Connectivity Analyzer to confirm that the URLs listed above respond.
  • Confirm that the svc-Integrated handler mapping is not missing in IIS on the Hybrid CAS - https://support.microsoft.com/kb/2626696
  • Confirm WS-Security authentication is enabled on the Hybrid server's Autodiscover virtual directories. The following enables it on every Autodiscover virtual directory on that server:
 Get-AutodiscoverVirtualDirectory -Server <hybridcas> | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true
  • Confirm that the on-premises Hybrid server can retrieve federation information for the tenant's target delivery domain:
 Get-FederationInformation -DomainName domain.onmicrosoft.com -BypassAdditionalDomainValidation:$true
  • If you publish Exchange through TMG, disable pre-authentication for the federation paths. By default TMG also blocks traffic to Autodiscover.svc. Fix this by creating separate publishing rules, ordered above the normal Exchange rule, for the following paths:

 /EWS/Exchange.asmx/wssecurity
 /Autodiscover/Autodiscover.svc
 /Autodiscover/Autodiscover.svc/wssecurity

 Set those rules to "All Users" with no authentication delegation ("No delegation, but client may authenticate directly"), so that TMG passes the traffic straight through to the Hybrid CAS instead of authenticating it itself. Then confirm in the TMG logs that requests to Autodiscover.svc are no longer being denied. See this article on TMG: https://support.microsoft.com/kb/2821214

  • Open an Exchange Online PowerShell session and confirm that federation information for the on-premises domain can be retrieved from the tenant side. This is the same remote check the Hybrid Configuration Wizard performs:
 Get-FederationInformation -DomainName uclabz.com -BypassAdditionalDomainValidation:$true
  • Re-run the Hybrid Configuration Wizard. If you still get the same error, double-check everything above, wait a few hours (DNS changes take time to propagate) and re-run it.
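The script below is an added example, not code from the article or from the HCW itself, that puts the probe order and the checks above into one run. It walks the same four Autodiscover URLs that Get-FederationInformation tries, in the same order, from any Internet-connected Windows machine, so you see the same DNS, TLS or certificate failure the tenant-side call hits. If you run it inside the Exchange Management Shell it also reports WSSecurityAuthentication on the Autodiscover virtual directories and runs Get-FederationInformation for you. The script name Test-FederationDiscovery.ps1 and its parameters are my own choices; uclabz.com is the article's sample domain.

```powershell
# Test-FederationDiscovery.ps1 (hypothetical name; added example, not from the article or the HCW).
# Reproduces the four-URL probe order Get-FederationInformation uses so you can see which
# hostname or certificate the remote organisation will trip over. Works from any
# Internet-connected Windows box; the Exchange checks at the end only run when the
# Exchange cmdlets are present in the session.
param(
    [Parameter(Mandatory = $true)][string]$Domain,   # e.g. uclabz.com (the article's sample domain)
    [string]$HybridServer                             # optional: hybrid CAS name for the vdir check
)

# Windows PowerShell 5.1 may still negotiate only TLS 1.0 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. DNS: the cmdlet only ever connects to these two hosts. It does not consult the
#    _autodiscover._tcp SRV record, so an SRV-only setup fails at this point.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    Write-Host "SRV record found ($($srv[0].NameTarget):$($srv[0].Port)) - ignored by Get-FederationInformation"
}
foreach ($name in @("autodiscover.$Domain", $Domain)) {
    $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if ($a) { Write-Host "$name -> $($a.IPAddress -join ', ')" }
    else    { Write-Warning "$name has no A record; two of the four probe URLs cannot resolve" }
}

# 2. HTTPS: probe the endpoints in the cmdlet's order. Any HTTP status (even 401/405 for a
#    plain GET) proves DNS, TCP and certificate trust are fine; only a transport-level
#    failure (name resolution, timeout, untrusted or mismatched certificate) is a problem.
function Test-AutodiscoverEndpoint([string]$Url) {
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 20
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Result = "HTTP $([int]$r.StatusCode)" }
    } catch {
        $ex = $_.Exception
        if ($ex.Response) {
            [pscustomobject]@{ Url = $Url; Reachable = $true;  Result = "HTTP $([int]$ex.Response.StatusCode)" }
        } else {
            [pscustomobject]@{ Url = $Url; Reachable = $false; Result = "$($ex.GetType().Name): $($ex.Message)" }
        }
    }
}

$probeOrder = @(
    "https://autodiscover.$Domain/autodiscover/autodiscover.svc",
    "https://$Domain/autodiscover/autodiscover.svc",
    "https://autodiscover.$Domain/autodiscover/autodiscover.xml",
    "https://$Domain/autodiscover/autodiscover.xml"
)
$results = $probeOrder | ForEach-Object { Test-AutodiscoverEndpoint $_ }
$results | Format-Table -AutoSize
if (-not ($results | Where-Object Reachable)) {
    Write-Warning "No endpoint answered: expect 'Federation information could not be received from the external organization.'"
}

# 3. Exchange-side checks, only when the cmdlets exist in this session.
if (Get-Command Get-AutodiscoverVirtualDirectory -ErrorAction SilentlyContinue) {
    $vdirParams = @{}
    if ($HybridServer) { $vdirParams.Server = $HybridServer }
    # WSSecurityAuthentication must be True on the hybrid server's Autodiscover vdir(s).
    Get-AutodiscoverVirtualDirectory @vdirParams |
        Select-Object Server, Name, WSSecurityAuthentication | Format-Table -AutoSize
}
if (Get-Command Get-FederationInformation -ErrorAction SilentlyContinue) {
    # Same call the HCW makes. From on-premises pass the tenant's onmicrosoft.com domain;
    # from an Exchange Online session pass the on-premises domain.
    try {
        Get-FederationInformation -DomainName $Domain -BypassAdditionalDomainValidation:$true |
            Select-Object TargetApplicationUri, TargetAutodiscoverEpr, DomainNames
    } catch {
        Write-Warning "Get-FederationInformation failed: $($_.Exception.Message)"
    }
}
```

Run it as `.\Test-FederationDiscovery.ps1 -Domain uclabz.com` from a laptop outside the corporate network to see what Exchange Online sees, and again inside the Exchange Management Shell with `-HybridServer <hybridcas>` for the virtual directory and federation checks. An HTTP 401 or 405 beside a URL is good news (the host resolves and the certificate is trusted); a name-resolution, timeout or trust failure on all four URLs is exactly the condition that produces the "Federation information could not be received" exception.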

Phew, I think that’s that for this article. Good luck with your hybrid configurations, I hope the above helps.

Until next time,

Michael Hall