Exchange Online and Exchange Server Hybrid Federation Metadata Refresh Error: Unable to Access the Federation Metadata Document From the Federation Partner

By | January 9, 2016

I was working on an Exchange Online and Exchange Server hybrid environment where the customer complained that on premises users cannot view free/busy status of Exchange Online users. Primary cause for this issue to occur is, if certificate and other metadata information in the Microsoft Federation Gateway or in the on-premises environment become stale or invalid.

If the on-premises environment is Exchange Server 2013 SP1 or later, the refreshing outdated metadata is an automatic process. But, as a troubleshooting step, I ran below command on an on-premises Exchange server to see the result.

Test-FederationTrust

As suspected the result was not successful.

Test-FederationTrust

Therefore I decided to update these metadata information manually by running below command.

Get-FederationTrust | Set-FederationTrust -RefreshMetadata

That’s when I was presented with the next error,

Unable to access the Federation Metadata document from the federation partner. Detailed information: “The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.”.

From the looks of it, I realized this was due to an SSL certificate validation problem. Therefore, I tried to access the metadata endpoint https://nexus.microsoftonline-p.com/FederationMetadata/2007-06/FederationMetadata.xml using Internet Explorer.

As I suspected, I was presented with a warning about the SSL certificate. I checked the certificate information and the CA was identified as the customer’s firewall appliance. This was due to the browser being unable to access the original CA that used to sign the certificate for verification. After instructing the customer to open the firewall for the certificate validation URLs for O365, the problem was rectified.

Below screenshot shows the error messages in red before the corrective action being taken and the warning  message in yellow after the corrective actions have taken.

Refresh Federation Metadata

Root cause of this issue is a very common one that can give you various problems with Office 365 deployments. But an easily avoidable one too. Always make sure to create rules on your firewall appliance to allow for URL and IP ranges for Office 365 services you use. Subscribe to Office 365 URLs and IP address ranges and keep up to date with changes.

Leave a Reply