MSExchangeGuru.com

Recently worked on an issue Freebusy not viewable for a cross-forest setup

Let’s consider we have 2 forest

• Forest A
  
• Forest B
  

Forest A consists of Exchange 2013 and forest B consists of Exchange 2010

When a user from forest A looks up the FB of a User B he is not is not able to get the FB data instead he gets the below error

“No information. No free/busy information could be retrieved. Your server location could not be determined. Contact your administrator.”

When a user from Forest B looks up the FB they are able to see the FB of forest A

We found that the customer was using federation to look up the FB of the other forest, How?

By running Get-OrganizationRelationship forestB | FL I was able to find the below

RunspaceId : fb9d6166-28ae-4f06-8d3a-87eabc4a06c4

DomainNames : {ForestB.net}

FreeBusyAccessEnabled : True

FreeBusyAccessLevel : LimitedDetails

FreeBusyAccessScope :

MailboxMoveEnabled : False

DeliveryReportEnabled : False

MailTipsAccessEnabled : False

MailTipsAccessLevel : None

MailTipsAccessScope :

PhotosEnabled : False

TargetApplicationUri : FYDIBOHF25SPDLT.ForestB.net

TargetSharingEpr :

TargetOwaURL :

TargetAutodiscoverEpr : https://autodiscover.ForestB.net/autodiscover/autodiscover.svc/WSSecurity

OrganizationContact :

Enabled : True

ArchiveAccessEnabled : False

AdminDisplayName :

ExchangeVersion : 0.10 (14.0.100.0)

Name : FORESTB

DistinguishedName : CN=FORESTB,CN=Federation,CN=ForestB Services,CN=Microsoft

Exchange,CN=Services,CN=Configuration,DC=ForestA,DC=cds

Identity : FORESTB

Guid : 65bb1901-4168-4d35-b165-ea797fe20ad2

ObjectCategory : ForestA/Configuration/Schema/ms-Exch-Fed-Sharing-Relationship

ObjectClass : {top, msExchFedSharingRelationship}

WhenChanged : 1/30/2017 1:29:18 PM

WhenCreated : 1/27/2017 7:25:34 AM

WhenChangedUTC : 1/30/2017 7:29:18 PM

WhenCreatedUTC : 1/27/2017 1:25:34 PM

OrganizationId :

Id : FORESTB

OriginatingServer : FORESTADC.ForestA

IsValid : True

ObjectState : Unchanged

Checked the Availability service configuration it looks good

Get-AvailabilityConfig

RunspaceId : fb9d6166-28ae-4f06-8d3a-87eabc4a06c4

Name : Availability Configuration

PerUserAccount :

OrgWideAccount :

AdminDisplayName :

ExchangeVersion : 0.1 (8.0.535.0)

DistinguishedName : CN=Availability Configuration,CN=ForestAServices,CN=Microsoft

Exchange,CN=Services,CN=Configuration,DC=ForestA,DC=cds

Identity : Availability Configuration

Guid : 422da0ee-75ee-4008-ba32-c8ffdf93559e

ObjectCategory : ForestA.cds/Configuration/Schema/ms-Exch-Availability-Config

ObjectClass : {top, container, msExchAvailabilityConfig}

WhenChanged : 8/26/2014 10:38:13 AM

WhenCreated : 10/13/2008 9:49:32 AM

WhenChangedUTC : 8/26/2014 3:38:13 PM

WhenCreatedUTC : 10/13/2008 2:49:32 PM

OrganizationId :

Id : Availability Configuration

OriginatingServer : FORESTADC.ForestA.cds

IsValid : True

ObjectState : Unchanged

To isolate this further, lets collect Outlook logs. How to collect outlook logs?

Step 1: Open Outlook

Step 2: Go to File à options

Step 3: click on options, Once you click on option it will take you another window where you can find advanced, under other you will see Enable troubleshooting logging (requires restarting outlook)

Step 4: Close and reopen outlook

I reproduced the issue and found the below error in the logs

“An error occurred when verifying security for the message”

Followed the below article

https://support.microsoft.com/en-us/help/2752387/users-from-a-federated-organization-cannot-see-the-free-busy-information-of-anotherexchange-organization

So ran the below commands on my Exchange 2013

1: Open Windows PowerShell and add the Exchange Management snap-in.

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

2: Disable WSSecurity authentication for the EWS virtual directory using the Set-WebServicesVirtualDirectory cmdlet.

Set-WebServicesVirtualDirectory “<ServerName>ews (Exchange Back End)” -WSSecurityAuthentication:$False

3: Enable WSSecurity authentication for the EWS virtual directory using the Set-WebServicesVirtualDirectory cmdlet.

Set-WebServicesVirtualDirectory “<ServerName>ews (Exchange Back End)” -WSSecurityAuthentication:$True

4: Disable WSSecurity authentication for the Autodiscover virtual directory using the Set-AutodiscoverVirtualDirectory cmdlet.

Set-AutodiscoverVirtualDirectory “<ServerName>Autodiscover (Exchange Back End)” -WSSecurityAuthentication:$False

5: Eable WSSecurity authentication for the Autodiscover virtual directory using the Set-AutodiscoverVirtualDirectory cmdlet.

Set-AutodiscoverVirtualDirectory “<ServerName>Autodiscover (Exchange Back End)” -WSSecurityAuthentication:$True

6: Restart the application pools using the Restart-WebAppPool cmdlet.

Restart-WebAppPool MSExchangeAutodiscoverAppPool

Restart-WebAppPool MSExchangeServicesAppPool

Post that I could get the free/busy working between the forests.

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru.com

Posted February 28th, 2017 under Exchange 2013, Exchange 2016. RSS 2.0 feed. Leave a response, or trackback.