Office 365 Hybrid – Federation Configuration Issues

Recently I have been faced with an issue for one of our customers running MS Windows Small Business Server 2011 – Exchange 2010 SP3.

When running the Hybrid Configuration wizard I got an error stating:
Unable to access the Federation Metadata document from the federation partner. Detailed information: “The remote server returned an error: (407) Proxy Authentication Required.”

This happened on the initial phase of the Hybrid config wizard which actually is an attempt to create a federation trust with the MS Federation Gateway.

I checked the IE settings and removed the proxy settings and tried again. Same thing. Not surprising really – Exchange uses the system account which would ignore IE settings. I turned to ‘netsh’ to see what settings the system account would use.

Run from a command prompt: netsh winhttp show proxy

This came back as ‘DIRECT’.
For good measure, I ran ‘netsh winhttp reset proxy’.
No difference.

The customer did have a proxy – I could have just configured the system to use the proxy with another netsh command (‘netsh winhttp import proxy source=ie’); however, Exchange won’t allow this if your proxy requires authentication, which was the case. Why was I being forced through the proxy?

I checked one last place using the Exchange Management Shell:

Get-ExchangeServer 'SERVER' | ft InternetWebProxy

This came back blank. There was surely no other place where a proxy could be specified?

Not quite – apparently the SYSTEM account will always attempt to use WPAD (Windows Proxy Auto Discovery). Surely nobody uses this anymore? WRONG! This particular customer so happened to have it configured.

Easy way to get rid of it? Simply disable the service (by default it sits in a manual startup mode).

After disabling WPAD, I restarted the IIS service (the w3wp process is responsible for performing the Hybrid Configuration wizard task) but this didn’t quite fix it. It looks like the proxy settings get cached – after a server reboot the problem was resolved.

I did also contact MS support to resolve this, but they drew a dead end. They asked me to reapply service packs, check to make sure my internet connection was not filtered and there were no firewall rules blocking access. This will be going down in my notes as one to remember.
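
The checks walked through above, gathered into one diagnostic function to run from the Exchange Management Shell. This is an added example, not part of the original post: the function name Get-SystemProxyReport is hypothetical, and the service name WinHttpAutoProxySvc is an assumption, since the post does not name the WPAD service.

```powershell
# Added example: report every proxy source checked in the post, in one pass.
# Written for PowerShell 2.0 (Exchange 2010 era); run elevated on the server.
function Get-SystemProxyReport {
    param([string]$Server = $env:COMPUTERNAME)

    $report = New-Object PSObject

    # 1. WinHTTP proxy, used by services running as SYSTEM (IE settings are ignored).
    $winhttp = (netsh winhttp show proxy | Out-String).Trim()
    $report | Add-Member NoteProperty WinHttpProxy $winhttp

    # 2. Proxy set on the Exchange server object; blank means none configured.
    $exProxy = $null
    if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
        $exProxy = (Get-ExchangeServer $Server).InternetWebProxy
    }
    $report | Add-Member NoteProperty InternetWebProxy $exProxy

    # 3. WPAD service state and startup mode.
    #    Service name is an assumption (the post does not name it).
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinHttpAutoProxySvc'"
    if ($svc) {
        $svcState = "{0} (startup: {1})" -f $svc.State, $svc.StartMode
    } else {
        $svcState = 'service not found'
    }
    $report | Add-Member NoteProperty WpadService $svcState

    # 4. Does the bare name "wpad" resolve from this server? If it does,
    #    auto-discovery can hand the SYSTEM account a proxy even when 1 and 2
    #    are empty. Only name resolution is checked here, not DHCP discovery.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('wpad') |
            ForEach-Object { $_.IPAddressToString }
        $wpadDns = $addrs -join ', '
    } catch {
        $wpadDns = 'does not resolve'
    }
    $report | Add-Member NoteProperty WpadNameResolution $wpadDns

    $report
}

Get-SystemProxyReport | Format-List
```

A 'DIRECT' WinHTTP result and a blank InternetWebProxy alongside a resolvable "wpad" name and a non-disabled service is the combination described in the post.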
