Exchange 2016 Federation Between Two On-Premises Organizations Is Not Displaying Availability Information

Ok. Here is the situation I am currently wrestling with. Two different on-premises Exchange 2016 Organizations. Had a need to establish Federation between them in order to share Availability Information. One thing to note: although they are two separate Exchange Organizations, they both actually belong to my company and are housed in the same data center and share connected networks. So the Federation Trusts were established without issue, along with the organizational relationships. Everything looks to be in order. However, I have as yet been unable to successfully retrieve Free/Busy from either organization. For example, if I log on with a mailbox in Organization A and I add a recipient from Organization B and then look for availability information for the recipient in B in the Scheduling Assistant, I get the slash marks and "information not available". So I began to troubleshoot. Here is what I tested and the results:
1. Autodiscover for each organization is resolvable from the other
2. https://autodiscover.remoteorg.com/autodiscover/autodiscover.xml gets a login prompt
3. https://mail.remoteorg.com/ews/exchange.asmx gets a login prompt
4. [PS] C:\Windows\system32>Test-FederationTrust -UserIdentity xxxxx

Begin process.

STEP 1 of 6: Getting ADUser information for xxxxx...
RESULT: Success.

STEP 2 of 6: Getting FederationTrust object for xxxxx...
RESULT: Success.

STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.
RESULT: Success.

STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
RESULT: Success.


Validating current configuration for FYDIBOHF25SPDLT.OrgB.com...


Validation successful.

STEP 5 of 6: Requesting delegation token...
RESULT: Success. Token retrieved.

STEP 6 of 6: Validating delegation token...
RESULT: Success.

Closing Test-FederationTrust...


RunspaceId : b3e333ff-7693-40d3-9fbc-821b3eb51c69
Id         : FederationTrustConfiguration
Type       : Success
Message    : FederationTrust object in ActiveDirectory is valid.

RunspaceId : b3e333ff-7693-40d3-9fbc-821b3eb51c69
Id         : FederationMetadata
Type       : Success
Message    : The federation trust contains the same certificates published by the security token service in its federation metadata.

RunspaceId : b3e333ff-7693-40d3-9fbc-821b3eb51c69
Id         : StsCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : b3e333ff-7693-40d3-9fbc-821b3eb51c69
Id         : StsPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : b3e333ff-7693-40d3-9fbc-821b3eb51c69
Id         : OrganizationCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

RunspaceId : b3e333ff-7693-40d3-9fbc-821b3eb51c69
Id         : TokenRequest
Type       : Success
Message    : Request for delegation token succeeded.

RunspaceId : b3e333ff-7693-40d3-9fbc-821b3eb51c69
Id         : TokenValidation
Type       : Success
Message    : Requested delegation token is valid.

5. Test-OrganizationRelationship -Identity "Org A" -UserIdentity xxxxx@OrgB

Begin testing for organization relationship CN=OrgA,CN=Federation,CN=MCDSORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=OrgB,DC=local, enabled state True.

Exchange D-Auth Federation Authentication STS Client Identities are urn:federation:MicrosoftOnline/FYDIBOHF25SPDLT.OrgB.com;

STEP 1: Validating user configuration

RESULT: Success.

STEP 2: Getting federation information from remote organization...

RESULT: Success.

STEP 3: Validating consistency in returned federation information

RESULT: Success.

STEP 4: Requesting delegation token from the STS...

RESULT: Success.
Retrieved token for target https://autodiscover.OrgA.com/autodiscover/autodiscover.svc/WSSecurity for offer Name=MSExchange.Autodiscover,Duration=28800(secs)

STEP 5: Getting organization relationship setting from remote partner...

RESULT: Unable to retrieve organization relationships from remote organization.
RESULT: Error.

LAST STEP: Writing results...


RunspaceId  : b3e333ff-7693-40d3-9fbc-821b3eb51c69
Identity    :
Id          : AutodiscoverServiceCallFailed
Status      : Error
Description : The Autodiscover call failed.
IsValid     : True
ObjectState : New


COMPLETE.
As can be seen, everything appears to be in order and all tests pass except the very last one, Step 5 Getting Organizational Relationships from Remote Organization.

I have read where it is advised to refresh the Trust metadata, re-save the organizational relationship, and then lastly recycle the Autodiscover application pool in order to correct this.  I am going to do that this evening but if that does not work I am running out of ideas. So, any and all thoughts or ideas will be greatly appreciated.
Jim Stiveson (Sr. Systems Administrator) asked:
Saif Shaikh (Server engineer) commented:
Are you able to browse this URL from both domains?

https://autodiscover.orga.com/autodiscover/autodiscover.svc/WSSecurity

This issue occurs because the WSSecurity property of the "EWS" virtual directory or the "Autodiscover" virtual directory is disabled on the Client Access servers in the local Exchange Server 2010 organization.

If both organizations have Exchange Server, you need to reset the WSSecurity authentication for the virtual directories on the Exchange Back End site for each server in the remote organization.

Article-https://support.microsoft.com/en-sg/help/2752387/users-from-a-federated-organization-cannot-see-the-free-busy-informati
0
Jim Stiveson (Sr. Systems Administrator), author, commented:
Good day Saif, I am able to reach both directories from both sides and get a login prompt as expected. WSSecurity IS enabled.

Thank you
0
Saif Shaikh (Server engineer) commented:
Good day Jim,

I was looking closely at the question you posted and found that Test-FederationTrust is failing with the error below:

5. Test-OrganizationRelationship -Identity "Org A" -UserIdentity xxxxx@OrgB

STEP 5: Getting organization relationship setting from remote partner...

RESULT: Unable to retrieve organization relationships from remote organization.
RESULT: Error.


So basically the problem lies with fetching information from the remote organization, not the local one. I was also a little curious to see whether you have already followed the article below to configure the availability service for cross-forest topologies.

https://blogs.technet.microsoft.com/exchange/2011/03/04/how-to-configure-the-availability-service-for-cross-forest-topologies/

I would also like to discuss the points below, which are mandatory for cross-forest free/busy, i.e.:

1. verify if autodiscover allows WS Security for authentication
2. verify the external EWS url
3. verify if Exchange Web Services will allow WS Security for authentication


Since you have already verified that WSSecurity is enabled, I want you to disable and re-enable it on the Autodiscover virtual directory and the EWS virtual directory.

For 2010
Set-WebServicesVirtualDirectory "<ServerName>\ews (Default Web Site)" -WSSecurityAuthentication:$False
Set-AutodiscoverVirtualDirectory "<ServerName>\Autodiscover (Default Web Site)" -WSSecurityAuthentication:$False

For 2013
Set-WebServicesVirtualDirectory "<ServerName>\ews (Exchange Back End)" -WSSecurityAuthentication:$False
Set-AutodiscoverVirtualDirectory "<ServerName>\Autodiscover (Exchange Back End)" -WSSecurityAuthentication:$False

Once you have disabled and re-enabled it, perform an IISReset to activate the authentication method.

Besides this, the ExternalUrl needs to contain a valid value. This URL needs to be accessible from the internet. If this is not the case it simply won't work.

To check this, run: Get-WebServicesVirtualDirectory | select Server, ExternalUrl, WSSecurityAuthentication

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl "https://ews.domain.com/EWS/exchange.asmx"

Additionally, you can verify that the svc-integrated handler is attached to the Autodiscover virtual directory in IIS. I have attached a screenshot of this.

To verify that the certificate contains the correct names we will use PowerShell.

1. Add-PSSnapin *Exchange* -ErrorAction SilentlyContinue

2. Get-ExchangeCertificate | ? {$_.Services -like "*IIS*"} | select Subject, CertificateDomains | FL

Verify that CertificateDomains contains the FQDN you are planning to use for EWS, for example mail.domain.com or ews.domain.com. If this name is not on the certificate you will need to renew your certificate.

Run Test-FederationTrustCertificate, which verifies that the certificate used for the trust is correct and is installed on all CAS. Verify that the State column for all CAS contains the value Installed. Screenshot attached.

Lastly, run the following command on the Exchange servers of both organizations.

Get-FederationTrust | Set-FederationTrust -RefreshMetadata

Now run Test-FederationTrust to validate that it succeeds and that no failure occurs while fetching the organization relationship from the remote organization.

If things still do not work, we have more troubleshooting to do to drill down to the solution. You may also collect logs, i.e. Outlook logs, which will give you more information on the error. You can enable troubleshooting logging in Outlook, which is best described in the article below.

http://msexchangeguru.com/2017/02/28/cross-forest-free-busy/

You may also trace using ExTRA with the InfoWorker.RequestDispatch tag selected. Instructions can be found here:

https://blogs.technet.microsoft.com/samdrey/2012/08/28/exchange-2010-how-to-take-traces-using-extra-traces-analysis-by-support-engineers-only/

If there are errors like you got when running test-federation, you will get more information in the EXTRA.  

Example Errors would be like:

Unable to find a organization Relationship with domain Contoso.com.

Failed to discover Availability service for mailbox <Dude>SMTP:Dude@Contoso.com because AvailabilityAddressSpace is misconfigured.

Failed to discover Availability Service for user Dude@Contoso.com using both the target address and primary SMTP address.


You can then run the Remote Connectivity Analyzer for both organizations and figure out the problem from the error you got in ExTRA.

If there are any errors, check the Additional Details section in the Remote Connectivity Analyzer, which will give you more information.

For example: The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

Reference Article: https://blogs.technet.microsoft.com/exchangechallengeaccepted/2016/07/15/shared-freebusy-between-two-untrusted-forests-failing-in-one-or-both-directions/

I hope that this information will be helpful in fixing the issue.

Regards
Saif..
[Attachment: Test-FederationTrustCertificate-300x.png]
[Attachment: IIS-300x193.png]
0
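The checks listed in the answer above (WSSecurity on the EWS and Autodiscover virtual directories, a valid EWS ExternalUrl, an IIS certificate that covers the EWS host name, the federation trust certificate installed everywhere, and a usable organization relationship), gathered into one PowerShell function. This is an added example, not code from the original post, the linked KB article or Microsoft. It assumes it is run in the Exchange Management Shell of the local organization on Exchange 2013 or later; the EWS host name and relationship name are placeholder parameters, the -ShowMailboxVirtualDirectories switch is taken from the documented Get-*VirtualDirectory cmdlets, and the Site/State property names on Test-FederationTrustCertificate output are assumed from its table display.

```powershell
# Added example (not from the original post): audit, from the local organization's
# side, the prerequisites the answer above lists for cross-org Free/Busy.
# Run in the Exchange Management Shell on Exchange 2013/2016. $EwsHostName and
# $RelationshipName are placeholders supplied by the caller.
function Test-FreeBusyPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $EwsHostName,      # host the partner will connect to, e.g. mail.orga.com
        [Parameter(Mandatory)] [string] $RelationshipName  # name of the Get-OrganizationRelationship object
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Only Mailbox servers carry the EWS/Autodiscover virtual directories.
    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }

    foreach ($srv in $servers) {
        # -ShowMailboxVirtualDirectories (assumed, 2013+) also returns the
        # "Exchange Back End" site, where the KB article says WSSecurity must be on.
        $vdirs = @(Get-WebServicesVirtualDirectory -Server $srv.Name -ShowMailboxVirtualDirectories) +
                 @(Get-AutodiscoverVirtualDirectory -Server $srv.Name -ShowMailboxVirtualDirectories)
        foreach ($v in $vdirs) {
            if (-not $v.WSSecurityAuthentication) {
                $findings.Add("WSSecurityAuthentication is off on $($v.Identity)")
            }
        }

        # The front-end EWS ExternalUrl is what the partner's Autodiscover lookup returns;
        # it must be set and must point at the expected host.
        foreach ($e in Get-WebServicesVirtualDirectory -Server $srv.Name) {
            if (-not $e.ExternalUrl) {
                $findings.Add("EWS ExternalUrl is empty on $($e.Identity)")
            } elseif ($e.ExternalUrl.Host -ne $EwsHostName) {
                $findings.Add("EWS ExternalUrl host is $($e.ExternalUrl.Host), expected $EwsHostName, on $($e.Identity)")
            }
        }

        # The certificate bound to IIS must be unexpired and cover the EWS host name
        # (exact name or a matching wildcard); -like treats '*.orga.com' as a pattern.
        $iisCerts = Get-ExchangeCertificate -Server $srv.Name | Where-Object { $_.Services -match 'IIS' }
        $covered = $false
        foreach ($c in $iisCerts) {
            if ($c.NotAfter -lt (Get-Date)) {
                $findings.Add("IIS certificate $($c.Thumbprint) on $($srv.Name) expired $($c.NotAfter)")
            }
            foreach ($d in $c.CertificateDomains) {
                if ($EwsHostName -like $d) { $covered = $true }
            }
        }
        if (-not $covered) {
            $findings.Add("No IIS-bound certificate on $($srv.Name) covers $EwsHostName")
        }
    }

    # The federation trust certificate must be reported as installed on every server
    # (Site/State property names assumed from the cmdlet's table output).
    foreach ($row in Test-FederationTrustCertificate) {
        if ($row.State -ne 'Installed') {
            $findings.Add("Federation trust certificate is '$($row.State)' on $($row.Site)")
        }
    }

    # The relationship must be enabled, share Free/Busy, and know the partner's endpoints.
    $rel = Get-OrganizationRelationship -Identity $RelationshipName
    if (-not $rel.Enabled) { $findings.Add("Relationship '$RelationshipName' is disabled") }
    if (-not $rel.FreeBusyAccessEnabled -or $rel.FreeBusyAccessLevel -eq 'None') {
        $findings.Add("Relationship '$RelationshipName' does not grant Free/Busy access")
    }
    if (-not $rel.TargetAutodiscoverEpr) { $findings.Add("Relationship '$RelationshipName' has no TargetAutodiscoverEpr") }
    if (-not $rel.TargetApplicationUri) { $findings.Add("Relationship '$RelationshipName' has no TargetApplicationUri") }

    # An empty list means every local-side prerequisite checked out; the remote side
    # still has to pass the same checks for Free/Busy to flow in both directions.
    return $findings
}

# Example call (placeholder names); prints one line per failed check.
Test-FreeBusyPrereqs -EwsHostName 'mail.orga.com' -RelationshipName 'Org B' | ForEach-Object { "FAIL: $_" }
```

Run it once in each organization: step 5 of Test-OrganizationRelationship fails on the remote side's configuration, so a clean result locally only rules out half of the problem. The certificate check is deliberately done on CertificateDomains rather than the Subject alone, because a SAN or wildcard entry is what the partner's TLS validation actually matches against.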

Jim Stiveson (Sr. Systems Administrator), author, commented:
Saif

Thank you for that very thorough and thoughtful reply. For whatever reason I didn't get a notification that you replied or I would have replied sooner. Some of these steps I have taken and others not. I will attempt to try them all. One thing I did want to emphasize is that while these are separate Exchange Organizations, they are in the same data center and on the same physical network. So, they do not need to go out to the internet to reach each other.
0
Saif Shaikh (Server engineer) commented:
Thanks Jim, for providing more information on your network design. Even though they are in the same data center and on the same physical network, they are separate from each other, just like a cross-forest setup or on-premises and the O365 cloud.

I think enabling logging and tracing is what will help in getting directly to the point where it is failing. Try to enable the logging in Outlook on both sides, enable the trace as discussed above, and do not stop the trace; let it run continuously.

Then reproduce the issue by sending a test meeting and checking free/busy from both sides, and then examine the logs, i.e. the trace log and the Outlook logging location.

Most likely the problem is on the remote side, so logs from the remote side might help in checking what exactly is going wrong, but we cannot rule out the local side either, hence I suggested enabling logging and tracing on both ends.

Let me know how things go..
0
Saif Shaikh (Server engineer) commented:
On a side note: also try adding the administrator user account to the local Administrators group or the Administrators group on both sides in the local AD.

I mean:

Add the local administrator (site A) user to the remote local Administrators group or Administrators group (site B), and
add the remote administrator user (site B) to the local Administrators group or Administrators group in the local AD (site A).

This will provide Exchange Trusted Subsystem permission in both forests. We used to do this when working on cross-forest.
0
Jim Stiveson (Sr. Systems Administrator), author, commented:
Saif

I wanted to update you and let you know that we plan on going through the outlined steps this evening. I will post and update here when completed.
1
Saif Shaikh (Server engineer) commented:
OK, great.
0
Saif Shaikh (Server engineer) commented:
Hi Jim,

Hope you are doing well. Can you provide some insight on how the plan went after execution?
0
Jim Stiveson (Sr. Systems Administrator), author, commented:
Good day all,

Unfortunately other issues had pulled me away from this issue for a bit. I will be taking what I hope to be the corrective steps this evening. I will post the results.
0
Jim Stiveson (Sr. Systems Administrator), author, commented:
Hello Saif

I took the following actions last night on all Exchange servers involved, and the Federation is now functioning and Free/Busy is available.

Get-WebServicesVirtualDirectory -server servername | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $false

Get-AutoDiscoverVirtualDirectory -server servername | Set-AutoDiscoverVirtualDirectory -WSSecurityAuthentication $false

Get-WebServicesVirtualDirectory -server servername | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $true

Get-AutoDiscoverVirtualDirectory -server servername | Set-AutoDiscoverVirtualDirectory -WSSecurityAuthentication $true

Get-Federationtrust | Set-Federationtrust -Refreshmetadata

Restart-WebAppPool MSExchangeServicesAppPool

Restart-WebAppPool MSExchangeAutodiscoverAppPool
0
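The fix the author posted above, as an added example that is not part of the original post: the same off/on toggle of WSSecurityAuthentication, the metadata refresh and the app-pool recycle, applied to every Mailbox server in the organization and followed by the Test-OrganizationRelationship run that failed in the question, so the result is verified in the same shell. It assumes the Exchange Management Shell on Exchange 2013 or later, WinRM access to each server for the app-pool restart (Restart-WebAppPool only acts on the local IIS, which is why the author had to run it on every server), the -ShowMailboxVirtualDirectories switch from the documented Get-*VirtualDirectory cmdlets, and placeholder relationship and user names.

```powershell
# Added example (not from the original post): the WSSecurity off/on toggle, metadata
# refresh and app-pool recycle the author ran, applied to every Mailbox server and
# followed by Test-OrganizationRelationship. Run in the Exchange Management Shell on
# 2013/2016; relationship and user names are placeholders. -WhatIf shows the plan only.
function Repair-FreeBusyWSSecurity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $RelationshipName,  # e.g. "Org A"
        [Parameter(Mandatory)] [string] $LocalUser          # local mailbox used to request the delegation token
    )
    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }

    foreach ($srv in $servers) {
        # -ShowMailboxVirtualDirectories (assumed, 2013+) includes the "Exchange Back End"
        # vdirs the KB article targets as well as the Default Web Site ones the author used.
        $ews  = Get-WebServicesVirtualDirectory  -Server $srv.Name -ShowMailboxVirtualDirectories
        $auto = Get-AutodiscoverVirtualDirectory -Server $srv.Name -ShowMailboxVirtualDirectories

        if ($PSCmdlet.ShouldProcess($srv.Name, 'Toggle WSSecurityAuthentication off, then on')) {
            # Off then on forces Exchange to rewrite the IIS authentication settings even
            # though the stored value already reads $true.
            foreach ($state in $false, $true) {
                $ews  | Set-WebServicesVirtualDirectory  -WSSecurityAuthentication $state
                $auto | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $state
            }
            # Restart-WebAppPool only touches the local IIS, so recycle on each server over WinRM.
            Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
                Import-Module WebAdministration
                Restart-WebAppPool -Name 'MSExchangeServicesAppPool'
                Restart-WebAppPool -Name 'MSExchangeAutodiscoverAppPool'
            }
        }
    }

    # The trust is an org-wide object: refresh its STS metadata once, not once per server.
    if ($PSCmdlet.ShouldProcess('FederationTrust', 'Refresh metadata')) {
        Get-FederationTrust | Set-FederationTrust -RefreshMetadata
    }

    # Re-run the test that failed in the question and return only the non-Success rows;
    # an empty result means every step, including step 5, now passes.
    $failed = @(Test-OrganizationRelationship -Identity $RelationshipName -UserIdentity $LocalUser |
                Where-Object { $_.Status -ne 'Success' })
    foreach ($f in $failed) { Write-Warning "$($f.Id): $($f.Description)" }
    return $failed
}

# Dry run first (placeholder names), then call again without -WhatIf.
Repair-FreeBusyWSSecurity -RelationshipName 'Org A' -LocalUser 'admin@orgb.local' -WhatIf
```

Recycling the two application pools drops in-flight EWS and Autodiscover requests on that server, so run this in a maintenance window or one server at a time, and run it in both organizations: step 5 reads the relationship from the partner, so the partner's virtual directories have to be reset too.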
Saif Shaikh (Server engineer) commented:
That's good to hear, Jim, that the issue is finally resolved. I learned something here.

Have a good day ahead.
0
Jim Stiveson (Sr. Systems Administrator), author, commented:
Thank you for your insights and assistance Saif!
0