Figured out the answer to my own question – I clicked on the drop down for the certificate in the Hybrid Wizard and then chose the only option available, and that solved it.

I guess I did have a different cert installed on the 2013 server previously after all…. (too many plates spinning, perhaps?)

Thanks,
Jonathan

From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Raper
Sent: Thursday, March 19, 2015 3:32 PM
To: [email protected]
Subject: [Exchange] O365 Ex 2013 Hybrid configuration wizard fails due to certificate mismatch

Hi everyone,

I’m trying to enable hybrid mode between Exchange 2013 and Office 365 Exchange Online (in coexistence with 2007, for what it is worth).

2013 servers are on CU7
2007 servers are on SP3 rollup 15
2012R2 ADFS (built in Azure) is used for O365 authentication

Everything points to my 2013 servers: mail flow, Autodiscover, EAS, Outlook Anywhere, etc. are working just fine, in production, with no end user complaints (roughly 500 end users).

When I launched the HCW, it seemed to go along just fine for a bit, then failed with this error:

Updating hybrid configuration failed with error 'Subtask CheckPrereqs execution failed: Configure Mail Flow
A Secure Mail Certificate with matching subject 'CN=mail.contoso.com, OU=Domain Control Validated, O=mail.contoso.com' and issuer 'SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US' cannot be found on transport server Exchange002. All transport servers are required to have this certificate installed
   at Microsoft.Exchange.Management.Hybrid.MailFlowTask.CheckCertPrereqs()
   at Microsoft.Exchange.Management.Hybrid.MailFlowTask.CheckPrereqs(ITaskContext taskContext)
   at Microsoft.Exchange.Management.Hybrid.Engine.ExecuteSubStep(String subStepName, ITaskContext taskContext, ITask task, Func`3 substep, Func`4 createException, Boolean throwOnFalse)
'.

Additional troubleshooting information is available in the Update-HybridConfiguration log file on server Exchange001 located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\HybridConfiguration_3_19_2015_4_18_16_635623354964456962.log.

We have determined that the reason for the failure is that the issuer and subject are different. Here’s a comparison, with the missing bits highlighted in yellow:

The error:

ERROR : Subtask CheckPrereqs execution failed: Configure Mail Flow
A Secure Mail Certificate with matching subject 'CN=mail.contoso.com, OU=Domain Control Validated, O=mail.contoso.com' and issuer 'SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US' cannot be found on transport server Exchange002. All transport servers are required to have this certificate installed
   at Microsoft.Exchange.Management.Hybrid.MailFlowTask.CheckCertPrereqs()

The actual cert as listed in PowerShell:

Issuer  : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Subject : CN=mail.contoso.com, OU=Domain Control Validated

There has only ever been one GoDaddy certificate installed on the 2013 servers, and it is the one that is listed in PowerShell. It was originally added via the EAC GUI…. I discovered yesterday that it was not the designated certificate for transport yesterday, and made it so using PowerShell, so I know that is correct. I did not, however, run an iisreset after doing so. Not sure whether that is necessary or not, but that still does not answer my question about why the HCW is looking for different bits than what is actually installed on the server….

So then the question is why is HCW looking for a cert that has the extra highlighted attributes? Can that be cleared out and it pointed at the appropriate cert?

Thanks,
Jonathan
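
The comparison made by hand in this thread can be scripted. The following is an added example, not part of the original messages and not Microsoft's code: `Compare-HybridTlsCertificate` is a hypothetical helper, it assumes the hybrid configuration records its certificate as a `<I>issuer<S>subject` string, and the sample objects are constructed from the issuer and subject values quoted in the thread with a placeholder thumbprint and date.

```powershell
# Added example (hypothetical helper). Splits a "<I>issuer<S>subject" certificate
# name and reports, per certificate, which part of it fails to match.
function Compare-HybridTlsCertificate {
    param(
        [Parameter(Mandatory)] [string]   $TlsCertificateName,
        [Parameter(Mandatory)] [object[]] $Certificates
    )
    $m = [regex]::Match($TlsCertificateName, '^<I>(?<issuer>.*)<S>(?<subject>.*)$')
    if (-not $m.Success) {
        throw "Unexpected certificate name format: $TlsCertificateName"
    }
    $wantIssuer  = $m.Groups['issuer'].Value.Trim()
    $wantSubject = $m.Groups['subject'].Value.Trim()
    foreach ($cert in $Certificates) {
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            IssuerMatch  = ($cert.Issuer  -eq $wantIssuer)    # -eq ignores case
            SubjectMatch = ($cert.Subject -eq $wantSubject)
            HasSmtp      = ("$($cert.Services)" -match 'SMTP') # bound to transport?
            Expired      = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Constructed sample input: the name the wizard was looking for (from the error text)
$configured = '<I>SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, ' +
              'OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", ' +
              'L=Scottsdale, S=Arizona, C=US' +
              '<S>CN=mail.contoso.com, OU=Domain Control Validated, O=mail.contoso.com'

# Constructed sample input: the certificate actually listed on the server
$installed = [pscustomobject]@{
    Thumbprint = 'PLACEHOLDER-THUMBPRINT'
    Issuer     = 'CN=Go Daddy Secure Certificate Authority - G2, ' +
                 'OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", ' +
                 'L=Scottsdale, S=Arizona, C=US'
    Subject    = 'CN=mail.contoso.com, OU=Domain Control Validated'
    Services   = 'IIS, SMTP'
    NotAfter   = (Get-Date).AddYears(1)   # constructed expiry
}

Compare-HybridTlsCertificate -TlsCertificateName $configured -Certificates $installed

# In the Exchange Management Shell the live inputs would be:
#   -TlsCertificateName ([string](Get-HybridConfiguration).TlsCertificateName)
#   -Certificates       (Get-ExchangeCertificate -Server Exchange002)
```

A row with `IssuerMatch` or `SubjectMatch` false on every transport server points at a stale certificate reference in the hybrid configuration rather than a missing certificate, which is consistent with the fix reported at the top of this thread.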
