Unsecure redirect warning when you run the Get-FederationInformation cmdlet
Original KB number: 3115825
Problem
When you run the Get-FederationInformation cmdlet for a particular domain, you receive an "unsecure redirect" warning message. For example, when you run the Get-FederationInformation -DomainName contoso.mail.onmicrosoft.com command, you receive the following warning:
The autodiscovery request for federation information sent to '
http://autodiscover.contoso.mail.onmicrosoft.com/autodiscover/autodiscover.xml' returned an unsecure redirect to 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml'. If you trustautodiscover-s.outlook.comhost name, you can continue to get the federation information. Do you want to continue?"[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
If you select Yes or Yes to All, you see the rest of the message:
RunspaceId : RunspaceId
TargetApplicationUri : outlook.com
DomainNames : {contoso.mail.onmicrosoft.com}
TargetAutodiscoverEpr :https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity
TokenIssuerUris : {urn:federation:MicrosoftOnline}
IsValid : True
Additionally, you can't successfully run and complete the Hybrid Configuration wizard to set up a hybrid deployment of on-premises Exchange Server and Exchange Online in Microsoft 365. The wizard cannot create the organization relationship.
Cause
This issue occurs if one of the following conditions is true:
- The Autodiscover service connection point (SCP) object, CN=Microsoft Exchange Online, is missing.
- The Autodiscover SCP object, CN=Microsoft Exchange Online, exists, but its
serviceBindingInformationproperty is missing the *.outlook.com value.
Solution
To resolve this issue, follow these steps.
Warning
These steps require Active Directory Service Interfaces Editor (ADSI Edit). Using ADSI Edit incorrectly can cause serious problems that may require you to reinstall your operating system. We can't guarantee that problems that result from the incorrect use of ADSI Edit can be resolved. Use ADSI Edit at your own risk.
Open ADSI Edit, and then connect to the Configuration container.
Determine whether the Autodiscover SCP object exists. It should be in the following location:
CN=Microsoft Exchange Online,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Contoso,DC=com
Do one of the following:
- If the object exists, locate the
serviceBindingInformationattribute, click Edit, and then add *.outlook.com. - If the object doesn't exist, run Exchange Setup together with the
/prepareADparameter to re-create it, and then edit theserviceBindingInformationattribute. To do this, follow these steps:On the Exchange server, open a command prompt as an administrator, navigate to the folder where the installation files are stored, and then run the following command:
setup /prepareADThis step re-creates the SCP object. For more information, see Prepare Active Directory and domains.
Locate the serviceBindingInformation attribute, click Edit, and then add *.outlook.com.
- If the object exists, locate the
More information
Still need help? Go to Microsoft Community or the Exchange TechNet Forums.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for