Scott Townsend
asked on
Office 365 Users cant See On-Premise Free/Busy Information
Exchange 2010 Hybrid Office 365 Free Busy Issues.
On-Premise users can see Free/Busy Information of On-Premise users.
On-Premise users can see Free/Busy Information of O365 Users.
O365 Users can See Free/Bust Information of O365 Users.
O365 Users cannot See Free/Bust Information of On-Premise Users.
The O365 user can Open the Users calendar and see everything, though when they use the Scheduling Assistant when creating a Meeting they get:
MS Remote Connectivity Analyzer comes back with all okay for AutoDiscover.
https://www.testconnectivity.microsoft.com/
The User's Default Calendar Permissions allow for "AvailabilityOnly", I have also tried "LimitedDetails" with no success.
Here is the Default Sharing Policy:
On-Premise users can see Free/Busy Information of On-Premise users.
On-Premise users can see Free/Busy Information of O365 Users.
O365 Users can See Free/Bust Information of O365 Users.
O365 Users cannot See Free/Bust Information of On-Premise Users.
The O365 user can Open the Users calendar and see everything, though when they use the Scheduling Assistant when creating a Meeting they get:
No Information.
No free/busy information could be retrieved
the external recipient's server could not be determined.
Contact your administrator
MS Remote Connectivity Analyzer comes back with all okay for AutoDiscover.
https://www.testconnectivity.microsoft.com/
The User's Default Calendar Permissions allow for "AvailabilityOnly", I have also tried "LimitedDetails" with no success.
RunspaceId : c704d8d7-fc2a-4c5e-84ee-f9387189b798
FolderName : Calendar
User : Default
AccessRights : {AvailabilityOnly}
Identity : Default
IsValid : True
RunspaceId : c704d8d7-fc2a-4c5e-84ee-f9387189b798
FolderName : Calendar
User : Anonymous
AccessRights : {None}
Identity : Anonymous
IsValid : True
Here is the Default Sharing Policy:
RunspaceId : c70458d7-f52a-4c55-84e5-f9387189b758
Domains : {Anonymous:CalendarSharingFreeBusyReviewer, *:CalendarSharingFreeBusySimple}
Enabled : True
Default : True
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Default Sharing Policy
DistinguishedName : CN=Default Sharing Policy,CN=Federation,CN=<site>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=costono,DC=com
Identity : Default Sharing Policy
Guid : 35eca126-d55b-4d84-95e9-6f7f99a6c46e
ObjectCategory : costono.com/Configuration/Schema/ms-Exch-Sharing-Policy
ObjectClass : {top, msExchSharingPolicy}
WhenChanged : 3/28/2018 11:24:37 AM
WhenCreated : 6/20/2011 4:22:52 PM
WhenChangedUTC : 3/28/2018 6:24:37 PM
WhenCreatedUTC : 6/20/2011 11:22:52 PM
OrganizationId :
OriginatingServer : addc.costono.COM
IsValid : True
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Your org relationship (the one on the on-prem server - to O365) should have all the domains added, or at least the domain for said user. The info you posted above only shows the default routing O365 domain, which means that only users with user@tenant.mail.onmicroso ft.com addresses will be able to do lookups. This should pop up as an error when you run the Test-OrganizationRelations hip cmdlet. So try to add to the domain list and retest.
Apart from that, I see some strange value for the other org relationship (O365 to on-prem), but since free/busy seems to be working OK for on-prem users, I guess we can ignore them.
Apart from that, I see some strange value for the other org relationship (O365 to on-prem), but since free/busy seems to be working OK for on-prem users, I guess we can ignore them.
ASKER
Thank you for your reply. What typically sets the domains in the OrganizationRelationship? HCW? I have selected all of my Domains when I run it.
I have about 25 Domain names that we are hosting. Many users have at least 5 different addresses. Should they be listed in a Specific order?
<tenant>.mail.onmicrosoft. com fist? AD Connected Domain First?
Listing out all of the Domains for the 'Get-OrganizationRelations hip "O365 to On-premises - *" ' does not include <tenant>.mail.onmicrosoft. com, should it?
What was odd about the results from: Get-OrganizationRelationsh ip "O365 to On-premises ?
Below are the results from the Test-OrganizationRelations hip from both On-Prem and O365.
Test-OrganizationRelations hip from On-Premise Server
I have about 25 Domain names that we are hosting. Many users have at least 5 different addresses. Should they be listed in a Specific order?
<tenant>.mail.onmicrosoft.
Listing out all of the Domains for the 'Get-OrganizationRelations
What was odd about the results from: Get-OrganizationRelationsh
Below are the results from the Test-OrganizationRelations
Test-OrganizationRelations
[PS] C:\Scripts>Test-OrganizationRelationship -UserIdentity <user>@<PrimaryDomain>.com -Identity "On-premises to O365 - 722b8d45-5f4a-4f48-a049-55437fe57d8d"
RunspaceId : be97b0cf-bbac-440a-a1ca-253bda110e87
Identity :
Id : ApplicationUrisDiffer
Status : Error
Description : The TargetApplicationUri of the remote organization doesn't match the local ApplicationUri of the Federation Trust object. The remote URI value is FYDIBOHF25SPDLT.<Random-Domain-we-host>.com. The local URI value is outlook.com.
IsValid : True
RunspaceId : be97b0cf-bbac-440a-a1ca-253bda110e87
Identity :
Id : PropertiesDiffer
Status : Warning
Description : The values of property MailboxMoveEnabled are different and should match. The local organization relationship On-premises to O365 - 722b8d45-5f4a-4f48-a049-55437fe57d8d has value True, and the remote organization relationship O365 to On-premises - 72
2b8d45-5f4a-4f48-a049-55437fe57d8d has value False.
IsValid : True
RunspaceId : be97b0cf-bbac-440a-a1ca-253bda110e87
Identity :
Id : VerificationOfRemoteOrganizationRelationshipFailed
Status : Error
Description : There were errors while verifying the remote organization relationship O365 to On-premises - 722b8d45-5f4a-4f48-a049-55437fe57d8d.
IsValid : True
PS C:\Windows\system32> Test-OrganizationRelationship -UserIdentity <user>@<PrimaryDomain>.com -Identity "O365 to On-premises - 722b8d45-5f4a-4f48-a049-55437fe57d8d"
Begin testing for organization relationship CN=O365 to On-premises - 722b8d45-5f4a-4f48-a049-55437fe57d8d,CN=Federation,CN=Configuration,CN=<tenant>.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR15A003,DC=PROD,DC=OUTLOOK,DC=COM, enabled state True.
Exchange D-Auth Federation Authentication STS Client Identities are urn:federation:MicrosoftOnline/outlook.com;uri:WindowsLiveID/outlook.com;
STEP 1: Validating user configuration
WARNING: The federated domain '<AD-Connected Domain>' of the user is in the local organizational relationship which normally only contains the domains of
external organizations.
RESULT: Success.
STEP 2: Getting federation information from remote organization...
RESULT: Success.
STEP 3: Validating consistency in returned federation information
RESULT: Success.
STEP 4: Requesting delegation token from the STS...
RESULT: Success.
Retrieved token for target https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity for offer Name=MSExchange.Autodiscover,Duration=28800(secs)
STEP 5: Getting organization relationship setting from remote partner...
RESULT: Unable to retrieve organization relationships from remote organization.
RESULT: Error.
LAST STEP: Writing results...
RunspaceId : 95c54737-df4e-4ec6-b1e5-c75d838c036b
Identity :
Id : AutodiscoverServiceCallFailed
Status : Error
Description : The Autodiscover call failed.
IsValid : True
ObjectState : New
COMPLETE.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I was able to add the On-Premise Autodiscover URL to TargetAutodiscoverEpr manually.
This is the Error I'm getting now from OWA warm trying to check Free/Busy status:
Looks like there are Federation Issues?
Set-OrganizationRelationship "O365 to On-premises - 722b8d45-5f4a-4f48-a049-55437fe57d8d" -TargetAutodiscoverEpr "https://<on-prem-host>/autodiscover/autodiscover.svc/WSSecurity"
This is the Error I'm getting now from OWA warm trying to check Free/Busy status:
Autodiscover failed for email address <On-Premise-User> with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message
Looks like there are Federation Issues?
ASKER
Here is the output from the Test-FederationTrust and Test-FederationTrustCertif icate Commands
[PS] C:\Scripts>Test-Federation Trust
[PS] C:\Scripts>Test-Federation TrustCerti ficate
[PS] C:\Scripts>Test-Federation
RunspaceId : f07537f0-9935-4f05-96c1-640b0e4df4ba
Id : FederationTrustConfiguration
Type : Success
Message : FederationTrust object in ActiveDirectory is valid.
RunspaceId : f07537f0-9935-4f05-96c1-640b0e4df4ba
Id : FederationMetadata
Type : Success
Message : The federation trust contains the same certificates published by the security token service in its federation metadata.
RunspaceId : f07537f0-9935-4f05-96c1-640b0e4df4ba
Id : StsCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
RunspaceId : f07537f0-9935-4f05-96c1-640b0e4df4ba
Id : StsPreviousCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
RunspaceId : f07537f0-9935-4f05-96c1-640b0e4df4ba
Id : OrganizationCertificate
Type : Success
Message : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
RunspaceId : f07537f0-9935-4f05-96c1-640b0e4df4ba
Id : TokenRequest
Type : Success
Message : Request for delegation token succeeded.
RunspaceId : f07537f0-9935-4f05-96c1-640b0e4df4ba
Id : TokenValidation
Type : Success
Message : Requested delegation token is valid.
[PS] C:\Scripts>Test-Federation
RunspaceId : f07537f0-9935-4f05-96c1-640b0e4df4ba
Site : <AD-Domain>/Configuration/Sites/Corporate
Server : <On-Prem-Host>
State : Installed
Thumbprint : 61CC86446535A6368FD94975F6C1F7C0B0332A7E
Havent seen this one previously, but quick check on google suggest it's related to the security settings on the virtual directory: https://www.inthecloud247.com/exchange-federated-calendar-sharing-issue/
ASKER
I was just reading that one and this one:
https://social.technet.microsoft.com/Forums/exchange/en-US/c74d883b-ed39-41bd-9118-78dd17d95369/federation-trust-freebusy-not-showing-onpremise?forum=exchange2010
I'll let you know how it goes...
https://social.technet.microsoft.com/Forums/exchange/en-US/c74d883b-ed39-41bd-9118-78dd17d95369/federation-trust-freebusy-not-showing-onpremise?forum=exchange2010
I'll let you know how it goes...
ASKER
I ran the Following Commands:
Still getting:
Here is the output of tje Test-OrganizationRelatonsh ip again. the AutoDiscover errors are no longer there.
Though This is a bit troubling: FYDIBOHF25SPDLT.<One-of-th e-accepted -Domains>
<One-of-the-accepted-Domai ns> is listed that many times and is the same domain. Its one of the First few test Domains I Migrated over.
Test-OrganizationRelations hip -UserIdentity <on-Premise-User> -Identity "O365 to On-premises - 722b8d45-5f4a-4f48-a049-55 437fe57d8d "
Get-FederationTrust | Set-FederationTrust –RefreshMetaData
Get-AutodiscoverVirtualDirectory –Server "<on-prem-server>" | Set-Autodiscovervirtualdirectory –WSSecurityAuthentication $false
Get-WebServicesVirtualDirectory –Server "<on-prem-server>" | Set-WebServicesVirtualDirectory –WSSecurityAuthentication $false
IISRESET
Get-AutodiscoverVirtualDirectory –Server "<on-prem-server>" | Set-Autodiscovervirtualdirectory –WSSecurityAuthentication $True
Get-WebServicesVirtualDirectory –Server "<on-prem-server>" | Set-WebServicesVirtualDirectory –WSSecurityAuthentication $True
IISRESET
Then reset the Application pools. Still getting:
Autodiscover failed for email address <on-prem-user> with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.SoapWebClient.AutoDiscover.DefaultBinding_Autodiscover.EndGetUserSettings(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.SoapAutoDiscoverRequest.<>c__DisplayClass48_0.<EndInvoke>b__0()
at Microsoft.Exchange.InfoWorker.Common.Availability.SoapAutoDiscoverRequest.ExecuteAndHandleException(ExecuteAndHandleExceptionDelegate operation).,
inner exception: An error occurred when verifying security for the message. LID: 37772
Here is the output of tje Test-OrganizationRelatonsh
Though This is a bit troubling: FYDIBOHF25SPDLT.<One-of-th
<One-of-the-accepted-Domai
Test-OrganizationRelations
Begin testing for organization relationship CN=O365 to On-premises - 722b8d45-5f4a-4f48-a049-55437fe57d8d,CN=Federation,CN=Configuration,CN=<tenant>.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR15A003,DC=PROD,DC=OUTLOO
K,DC=COM, enabled state True.
Exchange D-Auth Federation Authentication STS Client Identities are urn:federation:MicrosoftOnline/outlook.com;uri:WindowsLiveID/outlook.com;
STEP 1: Validating user configuration
WARNING: The federated domain '<AD-Domain>' of the user is in the local organizational relationship which normally only contains the domains of external organizations.
RESULT: Success.
STEP 2: Getting federation information from remote organization...
RESULT: Success.
STEP 3: Validating consistency in returned federation information
RESULT: Error.
LAST STEP: Writing results...
RunspaceId : 4fb0e4fa-20d5-42e4-bf77-f203288d3ac7
Identity :
Id : MismatchedFederation
Status : Warning
Description : The federation information returned from remote organization is different from local organization relationship configuration. The local organization relationship uses Security Token Service
'urn:federation:MicrosoftOnline;uri:WindowsLiveID' and the remote organization uses Security Token Services 'urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:
federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:Microsoft
Online;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federatio
n:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;ur
n:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:Microso
ftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federat
ion:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline;urn:federation:MicrosoftOnline'. The local organization relationship has Application URI
'outlook.com' and the remote organization uses Application URIs 'FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPD
LT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.EvanTownsen
d.me,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF2
5SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.EvanTow
nsend.me,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIB
OHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.Eva
nTownsend.me,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>,FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>'.
IsValid : True
ObjectState : New
COMPLETE.
ASKER
I found out where <One-of-the-accepted-Domai ns> is coming from, its the Domain listed in the Federation.
It is the Domain I selected when I first set things up. Though its the AD Connected Domain, its just one of the 35 Domain Names. Its Actually My Son's Domain, so not sure how (or if) I can change it at this point?
C:\Scripts>Get-FederatedOr ganization Identifier | fl
It is the Domain I selected when I first set things up. Though its the AD Connected Domain, its just one of the 35 Domain Names. Its Actually My Son's Domain, so not sure how (or if) I can change it at this point?
C:\Scripts>Get-FederatedOr
RunspaceId : 4e2ceaa7-4f27-488a-8e55-27362dc67316
AccountNamespace : FYDIBOHF25SPDLT.<One-of-the-accepted-Domains>
Domains : {<list of my Accepted domains>}
Enabled : True
OrganizationContact :
DelegationTrustLink : Microsoft Federation Gateway
IsValid : True
ExchangeVersion : 0.10 (14.0.100.0)
Name : Federation
DistinguishedName : CN=Federation,CN=myenm,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<AD-Domain>,DC=com
Identity : Federation
Guid : b4e24116-995b-4886-abbe-001e41de6cd2
ObjectCategory : <AD-Domain>/Configuration/Schema/ms-Exch-Fed-OrgId
ObjectClass : {top, msExchFedOrgId}
WhenChanged : 12/6/2017 11:11:08 AM
WhenCreated : 6/20/2011 4:22:52 PM
WhenChangedUTC : 12/6/2017 7:11:08 PM
WhenCreatedUTC : 6/20/2011 11:22:52 PM
OrganizationId :
OriginatingServer : <AD-Server>
ASKER
I went through this page too:
http://www.shudnow.net/2017/12/01/pass-through-authentication-without-password-hash-synchronization-breaks-online-to-on-premises-freebusy/
The password Hash was already being Sync'd, so that was not an issue.
As well as this one:
https://support.microsoft.com/en-gb/help/4056251/free-busy-lookup-fails-from-exchange-on-premises-to-exchange-online
Glad I tested with my own account though... After issuing the Command:
http://www.shudnow.net/2017/12/01/pass-through-authentication-without-password-hash-synchronization-breaks-online-to-on-premises-freebusy/
The password Hash was already being Sync'd, so that was not an issue.
As well as this one:
https://support.microsoft.com/en-gb/help/4056251/free-busy-lookup-fails-from-exchange-on-premises-to-exchange-online
Glad I tested with my own account though... After issuing the Command:
Set-MsolUserPassword -UserPrincipalName John@contoso.com -ForceChangePassword $false
My user's Password was no longer accepted on any of the Online Services. I had to Login to the Office Portal and reset my password before I could login to the Online Services again.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Contact MS Support
ASKER
Using the connectivity Analyzer for Free/Busy Test with O365 Source and On-Prem Destination returns Test was Good.
Open in new window
Creating the Appointment in OWA has the same issue as Outlook 2016. Using the information here: https://blogs.technet.microsoft.com/exchange/2018/03/02/demystifying-hybrid-freebusy-finding-errors-and-troubleshooting/
I was able to get the GetUserAvailabilityInterna
Open in new window
Googling that said to be sure that the O365 user has the user@<tenant>.mail.onmicro
Same article said to set: Set-OrganizationRelationsh
Issuing the following Command:
Against On-premise returns "The term 'Get-IntraOrganizationConn
Issuing the Command:
Against On-premise returns "The term 'Get-IntraOrganizationConf
Running the Following Command:
Open in new window
Running the Following Command:
Open in new window
I'm not sure why this is:
How does it Choose this: <One-Of-My-Domains> Its a Random Domain, Possible it was the first one I test migrated to O365. Though Its not the Primary Domain.
Running the Following Command:
Open in new window
Running the Following Command:
Open in new window
Running the Following Command:
Open in new window