How to Address Federation Trust Issues in Hybrid Configuration Wizard (HCW)?


When deploying an on-premises Exchange organization in a full Hybrid configuration (whether Classic or Modern Hybrid), you need to establish a trust relationship between the on-premises Microsoft Exchange Servers and Azure Active Directory (AAD). You also need to allow federated sharing with other federated Exchange environments or organizations. This process of establishing trust and synchronizing identities between the on-premises and Exchange Online organizations is known as Federation Trust.


In this article, we have discussed some common federation trust issues and errors that you may encounter during the deployment of full hybrid Exchange organizations using the Hybrid Configuration Wizard (HCW) and the solutions to troubleshoot and fix them.

Common Federation Trust Errors and Issues in Hybrid Configuration Wizard

After a failure or error, you must check the logs to see what went wrong. Once the issue is identified, you can apply the solutions to troubleshoot and fix the federation trust issues. Here are some federation trust errors and the solutions to fix them.

1. Federation Trust Fails with "Object reference not set to an instance of an object"

The federation trust error “Object reference not set to an instance of an object” is encountered on Exchange Server 2016 CU7.

To fix it, ensure your server is running the latest Cumulative Update (CU). You can refer to: How to update your Exchange Server to the latest CU.

2. Federation Fails with "An unexpected error occurred on a receive" or "An unexpected error occurred on a send"

If the federation fails due to underlying connection issues, you may encounter “An unexpected error occurred on a receive” or “….. send”. In such cases, you need to investigate the outbound access of all the Exchange Servers to the Microsoft Federation Gateway by launching Internet Explorer with the PsExec tool.

You need to use the -i and -s switches with PsExec: -s runs the process as the Local System account (the context the Exchange services run in, so any proxy or firewall rule that applies only to SYSTEM becomes visible), and -i lets it interact with the desktop. For instance,

PsExec.exe -i -s "c:\Program Files\Internet Explorer\iexplore.exe"

Execute the above command after navigating to the location where PsExec.exe is stored.

Also, verify that the system can access the following Microsoft Federation Gateway URLs:

3. Federation Fails with "Proof of domain ownership has failed"

If the federation trust failed with the error “Proof of domain ownership has failed” in the HCW logs, it indicates missing records, errors, or formatting issues in the TXT records. To resolve this federation trust issue, perform these checks:

  • Verify the TXT proof record that the HCW log reports for your domain by generating it from the Exchange Management Shell with the following command:

Get-FederatedDomainProof -DomainName <MyDomain.com>

  • Check the published TXT records and ensure that they match what nslookup returns. You can also use whatsmydns.net to check and verify the propagated TXT records and fix them if discrepancies are found.
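The comparison described in the two checks above can be scripted so that every expected proof value is matched against the record public DNS actually returns. The following PowerShell is an added example, not code from the original article; it assumes that Get-FederatedDomainProof returns objects with a Proof property (one per federation certificate) and that Resolve-DnsName is available on the server. The domain name in the usage line is a placeholder.

```powershell
# Added example, not from the original article: compare the TXT proof value(s)
# that Exchange expects for a federated domain with what public DNS returns.
# Run from the Exchange Management Shell on an on-premises server.
# Assumptions: Get-FederatedDomainProof returns objects with a Proof property
# (one per federation certificate), and Resolve-DnsName is available.

function Get-ProofHint {
    param([bool]$Found, [int]$PublishedCount)
    if ($Found) { return 'OK' }
    if ($PublishedCount -eq 0) { return 'No TXT record returned: missing or not yet propagated' }
    return 'TXT present but no match: check quotes, stray spaces or a stale proof value'
}

function Test-FederatedDomainProofRecord {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$DnsServer = '8.8.8.8'   # public resolver, so we see the propagated record
    )

    # Proof strings derived from the current (and, during rollover, next) federation certificate
    $expected = @(Get-FederatedDomainProof -DomainName $Domain |
        ForEach-Object { $_.Proof.ToString().Trim() })
    if ($expected.Count -eq 0) { throw "No proof generated for $Domain; check the federation trust first." }

    # TXT records as the internet sees them. Long values may be split into
    # several strings inside one record, so join them before comparing.
    $published = @(Resolve-DnsName -Name $Domain -Type TXT -Server $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '').Trim() })

    foreach ($proof in $expected) {
        $found = $published -contains $proof
        [pscustomobject]@{
            Domain        = $Domain
            ExpectedProof = $proof
            ProofFound    = $found
            Hint          = Get-ProofHint -Found $found -PublishedCount $published.Count
        }
    }
}

# Usage: one result row per expected proof value. 'contoso.com' is a placeholder domain.
'contoso.com' | ForEach-Object { Test-FederatedDomainProofRecord -Domain $_ }
```

Querying a public resolver rather than the internal DNS server matters here: the HCW's proof check is performed from the Microsoft side, so a record that only exists on the internal zone, or has not yet propagated, will still fail.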

4. There is no specific error or exception; the HCW log simply stops

When checking the HCW logs, you may come across an unspecific error causing issues in establishing the federation trust. In such cases, use the following command to check the orphaned federation trust:

Get-FederatedOrganizationIdentifier | FL        

You may also check the HCW logs for the lines starting with “DEL”.

The solution is to remove the orphaned federation trust and re-run the Hybrid Configuration Wizard (HCW).

5. Federation Trust Fails with "InternalError InternalError: Internal error."

The error “InternalError InternalError: Internal error" with codes 10277 and 10276 occurs when you run Set-FederatedOrganizationIdentifier to configure a hybrid deployment using the HCW. The error is caused when you try to reconfigure the domain name for your organization that was previously in use.

If you encounter the error, open a request with Microsoft Support to resolve the issue. Alternatively, you may refer to this document to resolve the error.

6. Federation Trust Fails with "1007 Access Denied"

The federation trust failure with error "1007 Access Denied" usually occurs when there are issues with the Date/Time on the Exchange Server or an outdated federation trust, such as an expired federation trust certificate. For instance, you may see the following in the HCW log:

[Not Before] 5/13/2014 11:21:36 AM [Not After] 5/13/2019 11:21:36 AM

To troubleshoot and resolve the error, try removing the federation trust by following this detailed guide.
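Sections 4 and 6 above both come down to inspecting the state of the existing trust before deciding to remove it: whether the federated organization identifier still points at a trust object, whether the federation certificates are inside their validity window, and whether the server clock is in step with the internet. The PowerShell below is an added example, not code from the original article; it assumes that Get-FederatedOrganizationIdentifier exposes AccountNamespace and DelegationTrustLink, that Get-FederationTrust exposes OrgPrevCertificate, OrgCertificate and OrgNextCertificate, and that w32tm /stripchart /dataonly prints one "hh:mm:ss, +ss.fffffffs" line per sample. The orphan test and the 300-second skew threshold are the example's own heuristics.

```powershell
# Added example, not part of the original article: collect in one pass the facts
# the HCW depends on for the federation trust: whether the organization identifier
# still points at a trust object (the "log just stops" case is typically an orphaned
# trust), the validity window of the federation certificates (the [Not Before] /
# [Not After] values seen in the HCW log), and the clock offset against a public
# time source (a common cause of "1007 Access Denied"). Run from the Exchange
# Management Shell as a member of Organization Management.
# Assumptions: property names listed in the lead-in; the orphan test and the
# skew threshold are this example's own heuristics, not a Microsoft-documented rule.

function Get-CertificateStatus {
    param($Cert, [datetime]$Now)
    if ($Now -lt $Cert.NotBefore) { return 'Not yet valid' }
    if ($Now -gt $Cert.NotAfter)  { return 'EXPIRED' }
    if (($Cert.NotAfter - $Now).TotalDays -lt 30) { return 'Expires within 30 days' }
    return 'Valid'
}

function Get-ClockOffsetSeconds {
    param([string]$TimeSource)
    # Average of the sampled offsets; $null when the time source is unreachable.
    $lines = & w32tm.exe /stripchart /computer:$TimeSource /samples:3 /dataonly 2>&1
    $offsets = @(foreach ($line in $lines) { if ("$line" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } })
    if ($offsets.Count -eq 0) { return $null }
    return ($offsets | Measure-Object -Average).Average
}

function Get-FederationTrustHealth {
    param([string]$TimeSource = 'time.windows.com', [int]$MaxSkewSeconds = 300)

    $orgId  = Get-FederatedOrganizationIdentifier
    $trusts = @(Get-FederationTrust)
    $now    = Get-Date

    # Orphan heuristic: an identifier with a namespace but no trust object behind it.
    if (-not $orgId.AccountNamespace) {
        $orphanHint = 'Organization is not federated'
    } elseif (-not $orgId.DelegationTrustLink -or $trusts.Count -eq 0) {
        $orphanHint = 'Identifier present but no trust object: likely orphaned; remove it and re-run HCW'
    } else {
        $orphanHint = 'Identifier and trust object both present'
    }

    # One row per certificate slot, mirroring the [Not Before]/[Not After] lines in the HCW log.
    $certs = foreach ($t in $trusts) {
        foreach ($slot in 'OrgPrevCertificate', 'OrgCertificate', 'OrgNextCertificate') {
            $c = $t.$slot
            if ($null -eq $c) { continue }
            [pscustomobject]@{
                Trust      = $t.Name
                Slot       = $slot
                Thumbprint = $c.Thumbprint
                NotBefore  = $c.NotBefore
                NotAfter   = $c.NotAfter
                Status     = Get-CertificateStatus -Cert $c -Now $now
            }
        }
    }

    $skew = Get-ClockOffsetSeconds -TimeSource $TimeSource
    if ($null -eq $skew) {
        $clockHint = "Could not query $TimeSource"
    } elseif ([math]::Abs($skew) -gt $MaxSkewSeconds) {
        $clockHint = 'Clock skew exceeds threshold: fix time sync before re-running HCW'
    } else {
        $clockHint = 'Clock within tolerance'
    }

    [pscustomobject]@{
        AccountNamespace = $orgId.AccountNamespace
        OrphanHint       = $orphanHint
        Certificates     = $certs
        ClockOffsetSec   = $skew
        ClockHint        = $clockHint
    }
}

$health = Get-FederationTrustHealth
$health | Format-List AccountNamespace, OrphanHint, ClockOffsetSec, ClockHint
$health.Certificates | Format-Table -AutoSize
```

Run it once before removing anything: an expired OrgCertificate or a large clock offset explains the 1007 error without touching the trust, while an identifier with no trust object behind it is the case where removing the orphaned trust and re-running the HCW is the right course.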

7. Federation Trust Fails with “Federation Certificate cannot be found”

If you are trying to make changes to the federation trust, create a new certificate for the federation trust, use federation services, or remove federated trust or domains, you may encounter the error “Federation Certificate cannot be found.”

To resolve this, you may delete the current federation trust from the AD and create a new one manually using the HCW wizard. For detailed instructions, refer to this guide.

Conclusion

Establishing federation trust between the on-premises Exchange Server and Exchange Online or Microsoft 365 (Office 365) is a critical part of Hybrid Deployment. For more details on Federation Trust issues and their solutions, you may also refer to this guide.

Alternatively, you can use an EDB to PST converter, such as Stellar Converter for EDB, to migrate specific or all mailboxes from on-premises Exchange directly to an Office 365 tenant in a few clicks. The tool can help overcome the issues and avoid errors encountered while using the HCW and while moving or migrating mailboxes from on-premises to Exchange Online.
