Exchange 2016 Hybrid : TLS negotiation failed with error UnknownCredentials


I was adding a couple of Exchange 2016 servers (CU2) to the hybrid configuration with the Hybrid Configuration Wizard so they could send and receive mail with Exchange Online. In the Exchange Online admin center, the connector that receives mail from on-premises is configured to verify the subject name on the certificate used for TLS authentication.

The problem is that mail is not being sent to Office 365 through the send connector. After enabling protocol logging on my Exchange 2016 hybrid servers [Get-SendConnector "Outbound to Office 365" | Set-SendConnector -ProtocolLoggingLevel Verbose] and opening the SmtpSend log file, I can see many TLS failures:

2016-07-19T12:13:14.863Z,Outbound to Office 365,08D3AFC581A92DD3,3,10.28.2.202:8105,213.199.154.87:25,>,EHLO mail.contoso.com,
2016-07-19T12:13:14.910Z,Outbound to Office 365,08D3AFC581A92DD4,2,10.28.2.202:8106,213.199.154.87:25,<,"220 DB3FFO11FD036.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 19 Jul 2016 12:13:14 +0000",
2016-07-19T12:13:14.910Z,Outbound to Office 365,08D3AFC581A92DD4,3,10.28.2.202:8106,213.199.154.87:25,>,EHLO mail.contoso.com,
2016-07-19T12:13:15.004Z,Outbound to Office 365,08D3AFC581A92DD3,4,10.28.2.202:8105,213.199.154.87:25,<,250 DB3FFO11FD029.mail.protection.outlook.com Hello [86.96.206.50] SIZE 157286400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING,
2016-07-19T12:13:15.004Z,Outbound to Office 365,08D3AFC581A92DD3,5,10.28.2.202:8105,213.199.154.87:25,>,STARTTLS,
2016-07-19T12:13:15.051Z,Outbound to Office 365,08D3AFC581A92DD4,4,10.28.2.202:8106,213.199.154.87:25,<,250 DB3FFO11FD036.mail.protection.outlook.com Hello [86.96.206.50] SIZE 157286400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING,
2016-07-19T12:13:15.051Z,Outbound to Office 365,08D3AFC581A92DD4,5,10.28.2.202:8106,213.199.154.87:25,>,STARTTLS,
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,6,10.28.2.202:8105,213.199.154.87:25,<,220 2.0.0 SMTP server ready,
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,7,10.28.2.202:8105,213.199.154.87:25,*," CN=*.contoso.com, OU=IT, O=contoso International (L.L.C), L=Dubai, S=Dubai, C=AE CN=thawte SHA256 SSL CA, O=""thawte, Inc."", C=US 0D92CFF6070B73AD5722EC8B4DA3389B AAA3D3DADA6891A2CCB3134D0B2D7764F1351BC4 *.contoso.com",Sending certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,8,10.28.2.202:8105,213.199.154.87:25,*,,TLS negotiation failed with error UnknownCredentials
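Reading a few hundred of these lines by hand is slow, so here is an added example (not code from the original post) that turns on the same verbose logging and then parses the SmtpSend log, reporting each session that failed TLS together with the thumbprint of the certificate Exchange presented in that session. The connector name and the way the log directory is looked up are assumptions; the sample lines are the excerpt above with straight quotes.

```powershell
# Added example, not code from the original post. Enables verbose protocol logging on the
# hybrid send connector (the command the post uses) and parses the SmtpSend log so that
# TLS failures are reported per session next to the certificate that was presented.
# Connector name and log path are assumptions; adjust them to your environment.
# On an Exchange server (Exchange Management Shell), uncomment these two lines:
# Set-SendConnector -Identity 'Outbound to Office 365' -ProtocolLoggingLevel Verbose
# $logDir = (Get-TransportService -Identity $env:COMPUTERNAME).SendProtocolLogPath.PathName

# Exchange protocol logs are CSV; the '#Fields:' header names these nine columns.
$fields = 'date-time','connector-id','session-id','sequence-number','local-endpoint','remote-endpoint','event','data','context'

function Get-SmtpTlsFailure {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Exchange writes '#Software', '#Version', '#Fields' comment lines at the top of each file
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $fields
    foreach ($session in ($rows | Group-Object -Property 'session-id')) {
        $failure = $session.Group | Where-Object { $_.context -like 'TLS negotiation failed*' } | Select-Object -First 1
        if (-not $failure) { continue }
        # The '*' event logged just before the failure carries the certificate Exchange sent:
        # subject, issuer, serial, thumbprint and SANs in one space-separated data field.
        # The thumbprint is the only 40-hex-digit token, so a regex picks it out reliably.
        $certEvent = $session.Group | Where-Object { $_.context -like 'Sending certificate*' } | Select-Object -First 1
        $thumbprint = if ($certEvent) { [regex]::Match($certEvent.data, '\b[0-9A-F]{40}\b').Value } else { $null }
        [pscustomobject]@{
            SessionId      = $session.Name
            Connector      = $failure.'connector-id'
            Remote         = $failure.'remote-endpoint'
            Error          = $failure.context
            CertThumbprint = $thumbprint
        }
    }
}

# Constructed sample: the lines from the log excerpt above. Session ...DD3 fails after
# sending the certificate; session ...DD4 never reaches a failure and is not reported.
$sample = @'
2016-07-19T12:13:14.863Z,Outbound to Office 365,08D3AFC581A92DD3,3,10.28.2.202:8105,213.199.154.87:25,>,EHLO mail.contoso.com,
2016-07-19T12:13:14.910Z,Outbound to Office 365,08D3AFC581A92DD4,2,10.28.2.202:8106,213.199.154.87:25,<,"220 DB3FFO11FD036.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 19 Jul 2016 12:13:14 +0000",
2016-07-19T12:13:14.910Z,Outbound to Office 365,08D3AFC581A92DD4,3,10.28.2.202:8106,213.199.154.87:25,>,EHLO mail.contoso.com,
2016-07-19T12:13:15.004Z,Outbound to Office 365,08D3AFC581A92DD3,4,10.28.2.202:8105,213.199.154.87:25,<,250 DB3FFO11FD029.mail.protection.outlook.com Hello [86.96.206.50] SIZE 157286400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING,
2016-07-19T12:13:15.004Z,Outbound to Office 365,08D3AFC581A92DD3,5,10.28.2.202:8105,213.199.154.87:25,>,STARTTLS,
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,6,10.28.2.202:8105,213.199.154.87:25,<,220 2.0.0 SMTP server ready,
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,7,10.28.2.202:8105,213.199.154.87:25,*," CN=*.contoso.com, OU=IT, O=contoso International (L.L.C), L=Dubai, S=Dubai, C=AE CN=thawte SHA256 SSL CA, O=""thawte, Inc."", C=US 0D92CFF6070B73AD5722EC8B4DA3389B AAA3D3DADA6891A2CCB3134D0B2D7764F1351BC4 *.contoso.com",Sending certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names
2016-07-19T12:13:15.145Z,Outbound to Office 365,08D3AFC581A92DD3,8,10.28.2.202:8105,213.199.154.87:25,*,,TLS negotiation failed with error UnknownCredentials
'@ -split "`r?`n"

Get-SmtpTlsFailure -Lines $sample | Format-Table -AutoSize
# Against the real logs on the server:
# Get-SmtpTlsFailure -Lines (Get-Content "$logDir\SEND*.LOG") | Sort-Object Remote, CertThumbprint -Unique
```

The thumbprint column is the useful part: it tells you exactly which certificate Exchange tried to use, so the permission check that follows is done on the right private key rather than on whichever certificate happens to match the connector's FQDN.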

I am sure the certificate itself is fine, as the other hybrid servers use the same certificate and can send mail to Office 365. In Event Viewer I also see the following error:

[Screenshot: TLS Error Office 365 Exchange Hybrid]


So finally I tried something and it worked. The error name is the clue: Schannel reports SEC_E_UNKNOWN_CREDENTIALS when it can find the certificate but cannot acquire a credential handle for it, which is what happens when the calling process is not allowed to read the private key. I opened the certificate store and checked the permissions on the private key of the certificate I am using for the TLS connection.

[Screenshot: TLS Error Office 365 Exchange Hybrid2]

I can see the following permissions on the private key:

[Screenshot: TLS Error Office 365 Exchange Hybrid3]


So I added NETWORK SERVICE, the account the Microsoft Exchange Transport service runs as, and gave it Read access on the private key. After that everything worked just fine. If it still does not work, giving Everyone Read access will tell you whether key permissions are the problem at all, but do not leave it that way: Everyone includes every local account and service on the server, and any of them could then use the private key. Once mail flows, revert to Read for the specific service account only.
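The same check and fix done from PowerShell, as an added example that is not code from the original post: it finds the certificate by thumbprint, resolves the private key file on disk, tests whether NETWORK SERVICE has an Allow ACE covering the full Read right, and grants it only if missing. The thumbprint is the one from the protocol log above and should be replaced with your own; the key-file locations assume machine-scoped keys and, for CNG keys, .NET 4.6 or later under Windows PowerShell on the Exchange server.

```powershell
# Added example, not code from the original post. Finds the TLS certificate by thumbprint,
# locates its private key file, checks whether NETWORK SERVICE (the account the Microsoft
# Exchange Transport service runs as) can read it, and grants Read only if it cannot.
# Run elevated in Windows PowerShell on the Exchange server. The thumbprint is the one
# from the SmtpSend log above; replace it with your own.

function Get-PrivateKeyPath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { throw "No private key for $($Certificate.Thumbprint)" }
    $cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
    # Legacy CSP key (usual for a PFX imported for Exchange): .PrivateKey is populated and
    # the container file lives under RSA\MachineKeys (assumes a machine-scoped key).
    $csp = $Certificate.PrivateKey
    if ($csp -and $csp.CspKeyContainerInfo) {
        return Join-Path $cryptoRoot ('RSA\MachineKeys\' + $csp.CspKeyContainerInfo.UniqueKeyContainerName)
    }
    # CNG key: .PrivateKey is $null; get the RSA handle and use the key's unique name,
    # which is the file name under Crypto\Keys (assumes .NET 4.6+ and a machine-scoped key).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $cryptoRoot ('Keys\' + $rsa.Key.UniqueName)
    }
    throw 'Private key provider not recognised; inspect the key container manually'
}

function Test-PrivateKeyRead {
    param([Parameter(Mandatory)][string]$Path,
          [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE')
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    # True only if an Allow ACE for the identity contains every bit of the Read right
    # (Read, ReadAndExecute and FullControl all qualify); a Deny ACE never does.
    [bool]((Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    })
}

function Grant-PrivateKeyRead {
    param([Parameter(Mandatory)][string]$Path,
          [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

$thumbprint = 'AAA3D3DADA6891A2CCB3134D0B2D7764F1351BC4'   # from the SmtpSend log; use yours
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
if (-not $cert) { throw "Certificate $thumbprint is not in LocalMachine\My" }

$keyPath = Get-PrivateKeyPath -Certificate $cert
if (Test-PrivateKeyRead -Path $keyPath) {
    "NETWORK SERVICE can already read $keyPath"
} else {
    Grant-PrivateKeyRead -Path $keyPath
    "Granted NETWORK SERVICE Read on $keyPath"
}
# Grant the specific service account, never Everyone: an Everyone ACE lets any local
# account or service use the key. The supported route, Enable-ExchangeCertificate
# -Thumbprint $thumbprint -Services SMTP, normally sets this permission for you.
```

Test-PrivateKeyRead is deliberately strict about the Allow type: a key that shows NETWORK SERVICE in the ACL but with only Read attributes, or with an inherited Deny from the MachineKeys folder, still produces UnknownCredentials, and that distinction is easy to miss in the GUI dialog.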

Hope this will help someone, leave a note if it did 🙂

7 comments on "Exchange 2016 Hybrid : TLS negotiation failed with error UnknownCredentials"

  1. It helped and I would love to know 'why' it occurred. I can tell you in my case it was working previously. There were five Exchange 2016 hybrid servers and my only theory is that the hybrid wizard may have broken this when running it a second time to add more email domains, but I have been unable to absolutely validate that.

    All I can say is that it worked previously, and that adding Network Service with 'Read' permissions did the trick immediately. No service restarts needed. Thanks for the suggested fix.
