I was adding couple of Exchange 2016 servers with CU2 to the Hybrid configuration wizard to send and receive emails to Exchange Online. On Exchange Online Admin center, I configured the receive connector to Office 365 o verify the subject name on the certificate for TLS authentication.
The problem is that emails are not being sent to Office 365 via the send connector. After enabling the protocol logging on my Exchange 2016 hybrid servers [Get-SendConnector “outbound to Office 365” |Set-SendConnector -ProtocolLoggingLevel verbose] , and opening the smtpsend log file, I can see many TLS failures:
016-07-19T12:13:14.863Z,Outbound to Office 365,08D3AFC581A92DD3,3,10.28.2.202:8105,126.96.36.199:25,>,EHLO mail.contoso.com,
2016-07-19T12:13:14.910Z,Outbound to Office 365,08D3AFC581A92DD4,2,10.28.2.202:8106,188.8.131.52:25,<,”220 DB3FFO11FD036.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 19 Jul 2016 12:13:14 +0000″,
2016-07-19T12:13:14.910Z,Outbound to Office 365,08D3AFC581A92DD4,3,10.28.2.202:8106,184.108.40.206:25,>,EHLO mail.contoso.com,
2016-07-19T12:13:15.004Z,Outbound to Office 365,08D3AFC581A92DD3,4,10.28.2.202:8105,220.127.116.11:25,<,250 DB3FFO11FD029.mail.protection.outlook.com Hello [18.104.22.168] SIZE 157286400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING,
2016-07-19T12:13:15.004Z,Outbound to Office 365,08D3AFC581A92DD3,5,10.28.2.202:8105,22.214.171.124:25,>,STARTTLS,
2016-07-19T12:13:15.051Z,Outbound to Office 365,08D3AFC581A92DD4,4,10.28.2.202:8106,126.96.36.199:25,<,250 DB3FFO11FD036.mail.protection.outlook.com Hello [188.8.131.52] SIZE 157286400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING,
2016-07-19T12:13:15.051Z,Outbound to Office 365,08D3AFC581A92DD4,5,10.28.2.202:8106,184.108.40.206:25,>,STARTTLS,
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,6,10.28.2.202:8105,220.127.116.11:25,<,220 2.0.0 SMTP server ready,
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,7,10.28.2.202:8105,18.104.22.168:25,*,” CN=*.contoso.com, OU=IT, O=contoso International (L.L.C), L=Dubai, S=Dubai, C=AE CN=thawte SHA256 SSL CA, O=””thawte, Inc.””, C=US 0D92CFF6070B73AD5722EC8B4DA3389B AAA3D3DADA6891A2CCB3134D0B2D7764F1351BC4 *.contoso.com”,Sending certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,8,10.28.2.202:8105,22.214.171.124:25,*,,TLS negotiation failed with error UnknownCredentials
I am sure the certificate is fine as the other hybrid servers are using the same certificate and they are able to send emails to Office 365. Also on the event viewer, I am seeing the following error:
So finally, I tried something and it worked. I opened the certificate store, and I was checking the permissions on my certificate private key, the certificate I am using for the TLS connection.
I can see the following permissions on the private key:
So I added the Network Service and I gave it READ access. After that everything worked just fine. Try to give EVERYONE Read access if things are not working yet.
Hope this will help someone, leave a note if it did 🙂