Pro-Exchange, Lync & Office 365
Hybrid Configuration Wizard fails when using a Wildcard certificate

With Exchange 2010 Service Pack 2, Microsoft introduced the Hybrid Configuration Wizard, which helps you hook up your on-premises Exchange organization with Office 365.

When the Hybrid Configuration Wizard (HCW) is run, it executes the following tasks:

  1. Verifies that both your on-premises and cloud environments meet the prerequisites
  2. Provisions the Exchange federation trust
  3. Creates organization relationships between your on-premises and Exchange Online organizations (in both directions)
  4. Modifies e-mail address policies
  5. Configures free/busy calendar sharing, message tracking and MailTips between both environments
  6. Configures secure mail flow between your on-premises and Exchange Online organizations
  7. Enables support for online archives

As part of the tasks above, the HCW tries to create a send connector and a receive connector (to and from Office 365). The send connector is created with the following cmdlet, as captured in the HCW log (the AddressSpaces and SourceTransportServers values show up as .NET type names rather than as the actual values):

New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces 'System.Collections.Generic.List`1[Microsoft.Exchange.Data.AddressSpace]' -SourceTransportServers 'Microsoft.Exchange.Data.Directory.ADMultiValuedProperty`1[Microsoft.Exchange.Data.Directory.ADObjectId]' -Fqdn '*.exblog.be' -RequireTLS 'True' -TLSAuthLevel 'DomainValidation' -TLSDomain 'outlook.com' -ErrorPolicies 'DowngradeAuthFailures'

The FQDN in the cmdlet above is derived from the Subject name of the certificate that is configured on the Exchange server. Since we are using a wildcard certificate, the HCW tries to use "*.domain.tld", which throws the following error:

Execution of the New-SendConnector cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

Cannot process argument transformation on parameter 'Fqdn'. Cannot convert value "*.exblog.be" to type "Microsoft.Exchange.Data.Fqdn". Error: ""*.exblog.be" isn't a valid SMTP domain."
   at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke()
   at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)
'.

Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_1_24_2012_10_20_1_634629972013461101.log.

The error is thrown because the Fqdn parameter of New-SendConnector is of type Microsoft.Exchange.Data.Fqdn, which only accepts a valid SMTP domain name: a wildcard ("*") is not a valid label, so "*.exblog.be" is rejected. That is reasonable on the cmdlet's side, since the value is the host name the connector announces in HELO/EHLO and a pattern is not a host name; the problem is that the HCW copies the certificate subject into it without checking.

Microsoft has a hotfix for this issue, but has not made it publicly available (yet). The hotfix changes the behavior of the HCW so that it uses a valid FQDN as the service domain for hybrid coexistence:

New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces 'System.Collections.Generic.List`1[Microsoft.Exchange.Data.AddressSpace]' -SourceTransportServers 'Microsoft.Exchange.Data.Directory.ADMultiValuedProperty`1[Microsoft.Exchange.Data.Directory.ADObjectId]' -Fqdn 'mail.exblog.be' -RequireTLS 'True' -TLSAuthLevel 'DomainValidation' -TLSDomain 'outlook.com' -ErrorPolicies 'DowngradeAuthFailures'

(Note the value of the Fqdn parameter. It appears that the HCW is forced to put "mail." in front of the domain name. Since a wildcard certificate for *.exblog.be covers any single label under exblog.be, mail.exblog.be is still a name that the same certificate matches.)
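As an added example (not code from the original post, from the HCW or from Microsoft), the following PowerShell pre-flight check reproduces the cause described above on objects shaped like the output of Get-ExchangeCertificate: it picks the certificate enabled for SMTP, flags a wildcard Subject, derives the "mail." name the hotfix uses, and previews the corrected New-SendConnector with -WhatIf. The FQDN validation rules in Test-SmtpFqdn, the two sample certificates, the address space 'contoso.mail.onmicrosoft.com' and the server name 'EXCH01' are my assumptions, not values from the post.

```powershell
# Added example; not code from the original post, the HCW or Microsoft.
# Pre-flight check for the failure described above: find the certificate enabled for SMTP,
# detect a wildcard Subject, and derive an FQDN that New-SendConnector will accept.
# Test-SmtpFqdn is my approximation of the Microsoft.Exchange.Data.Fqdn rules; the only
# rule the post confirms is that a "*" label is rejected.

function Test-SmtpFqdn {
    param([string]$Fqdn)
    if (-not $Fqdn) { return $false }
    # Dot-separated labels of letters, digits and hyphens, no leading or trailing hyphen,
    # no "*". At least two labels, because the hybrid connector needs a public name, and a
    # 253-character limit as the usual DNS bound: both are my assumptions, not from the post.
    $label   = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    $pattern = '^(?:{0}\.)+{0}$' -f $label
    return (($Fqdn.Length -le 253) -and ($Fqdn -match $pattern))
}

function Get-HybridConnectorFqdn {
    # Accepts objects shaped like Get-ExchangeCertificate output
    # (Thumbprint, Subject, CertificateDomains, Services).
    [CmdletBinding()]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Certificate)
    process {
        # Only the certificate enabled for the SMTP service matters for the connector FQDN
        if ("$($Certificate.Services)" -notmatch 'SMTP') { return }

        $cn = (@($Certificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' })[0]) -replace '^CN='
        $isWildcard = $cn.StartsWith('*.')

        if ($isWildcard) {
            # Mirrors what the hotfix appears to do: "mail." in front of the wildcard's parent
            # domain. Any single label under the parent is matched by *.parent, so the same
            # certificate still covers the name the connector will announce.
            $fqdn   = 'mail.' + $cn.Substring(2)
            $source = 'mail. + wildcard parent (hotfix behaviour)'
        } else {
            $fqdn   = $cn
            $source = 'Subject CN'
        }

        # Other non-wildcard names on the certificate are candidate FQDNs it also covers
        $alternatives = @($Certificate.CertificateDomains | Where-Object { ($_ -notmatch '\*') -and ($_ -ne $fqdn) })

        # New-Object PSObject rather than [pscustomobject]: Exchange 2010's shell is PowerShell 2.0
        New-Object PSObject -Property @{
            Thumbprint   = $Certificate.Thumbprint
            SubjectCN    = $cn
            IsWildcard   = $isWildcard
            Fqdn         = $fqdn
            FqdnIsValid  = (Test-SmtpFqdn $fqdn)
            Source       = $source
            Alternatives = ($alternatives -join ', ')
        }
    }
}

# Constructed sample input (not real certificates). In the Exchange Management Shell use
#   Get-ExchangeCertificate | Get-HybridConnectorFqdn
$sampleCerts = @(
    (New-Object PSObject -Property @{
        Thumbprint         = '0000000000000000000000000000000000000001'
        Subject            = 'CN=*.exblog.be, O=Exblog, C=BE'
        CertificateDomains = @('*.exblog.be', 'exblog.be')
        Services           = 'IMAP, POP, IIS, SMTP'
    }),
    (New-Object PSObject -Property @{
        Thumbprint         = '0000000000000000000000000000000000000002'
        Subject            = 'CN=EXCH01'
        CertificateDomains = @('EXCH01', 'EXCH01.exblog.local')
        Services           = 'None'
    })
)
$result = @($sampleCerts | Get-HybridConnectorFqdn)
$result | Format-List Thumbprint, SubjectCN, IsWildcard, Fqdn, FqdnIsValid, Source, Alternatives
'Wildcard CN accepted as connector FQDN? ' + (Test-SmtpFqdn '*.exblog.be')   # the value the HCW choked on

# Preview the corrected cmdlet without changing anything (-WhatIf). The address space and the
# source server are placeholders: the HCW log above only shows their .NET type names.
$hybridFqdn = @($result | Where-Object { $_.FqdnIsValid } | ForEach-Object { $_.Fqdn })[0]
if ($hybridFqdn -and (Get-Command New-SendConnector -ErrorAction SilentlyContinue)) {
    New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces 'SMTP:contoso.mail.onmicrosoft.com;1' `
        -SourceTransportServers 'EXCH01' -Fqdn $hybridFqdn -RequireTLS $true `
        -TlsAuthLevel DomainValidation -TlsDomain 'outlook.com' -ErrorPolicies DowngradeAuthFailures -WhatIf
} else {
    "Outside the Exchange Management Shell: would create the send connector with -Fqdn '$hybridFqdn'"
}
```

Run it in the Exchange Management Shell with Get-ExchangeCertificate piped into Get-HybridConnectorFqdn; outside that shell the New-SendConnector preview is skipped and only the derived FQDN is shown. Whatever name you end up with has to be covered by the certificate Exchange presents for TLS: with *.exblog.be that is any single label (mail.exblog.be), but not a deeper name such as smtp.eu.exblog.be.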

To get the hotfix, you will have to open a ticket with Microsoft support. Note that this is an interim update and you will have to uninstall it before installing regular Update Rollups! To my knowledge there is no need to keep the update installed after the hybrid scenario has been configured successfully, but since I have not seen any official statement about this, make sure you follow the guidelines of the Microsoft support engineer.

Until later!

Michael


Posted 01-24-2012 10:32 by Michael Van Horenbeeck