Troubleshooting Intune On-Premises Exchange Connector in Microsoft Intune


What does this guide do?
This guide helps administrators understand and troubleshoot problems that they may encounter when they implement the Microsoft Intune On-Premises Exchange Connector in an Intune standalone environment.

Who is it for?
This guide is for administrators who manage and oversee Microsoft Intune environments.

How does it work?
This guide provides insight into how to troubleshoot and resolve some of the more common errors that may occur when you set up and configure the Intune On-Premises Exchange Connector.

Estimated time of completion:
15-30 minutes.

Before you start troubleshooting an Exchange Connector setup in Intune, collect some basic information so that you’re working on a solid foundation. This approach can help you better understand the nature of the problem and resolve it more quickly. Start by considering the following:

  • Verify that your process meets the installation requirements that are documented at Set up the Intune on-premises Exchange connector in Microsoft Intune Azure.
  • Verify that you have both Exchange and Intune administrator permissions.
  • Note the complete and exact error message content, and also note where the message is displayed.
  • Determine when the problem started. Was the connector working correctly and then suddenly failed, or are you setting it up for the first time? If it was working previously, what changes occurred in the Intune environment, in the Exchange environment, or on the computer that’s running the connector software?
  • What is the MDM authority? If it’s System Center Configuration Manager, which version of Configuration Manager are you using?
  • What is the Exchange version?

    Note Exchange Online requires a different setup.

After you gather this information, examine the error message itself. Select your error or symptom from the following list to continue.

Symptoms

An iOS device fails to enroll in Intune and generates one of the following error messages:

Log Name:      System
Source:            Service Control Manager
Date:               <time>
Task Category: None
Level:               Error
Keywords:        Classic
User:                N/A
Computer:      <computer>
Description:
The Microsoft Intune Exchange Connector Service service failed to start because of the following error:
The service did not start because of a logon failure.


Log Name:      System
Source:            Service Control Manager
Date:               <time>
Event ID:          7041
Task Category: None
Level:               Error
Keywords:        Classic
User:                N/A
Computer:       <computer>
Description:
The WIEC service was unable to log on as .\WIEC_USER with the currently configured password because of the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: WIEC
Domain and account: .\WIEC_USER
This service account does not have the required user right "Log on as a service."


Cause

This problem can occur if the WIEC_User account doesn't have the Log on as a service user right in the local security policy.

Resolution

To resolve the problem, assign the Log on as a service user right to the WIEC_User service account on the computer that has the Intune Exchange connector installed. If the computer is a node in a cluster, make sure that the Log on as a service user right is assigned to the cluster service account on all nodes in the cluster.

To assign the Log on as a service user right to the WIEC_User service account on the computer, follow these steps:

  1. Log on to the computer as an administrator or as a member of the Administrators group.
  2. Open the Local Security Policy by running secpol.msc.
  3. Under Security settings, expand Local policies, and then select User Rights Assignment.
  4. In the right pane, double-click Log on as a service.
  5. Select Add User or Group, add WIEC_USER to the policy, and then select OK two times.

Note If the Log on as a service user right was assigned to WIEC_User but was later removed, contact the domain administrator to determine whether a Group Policy setting is overriding it.
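The following PowerShell check is an added example, not part of the original article: it exports the effective local user-rights policy with secedit and reports whether the given account (assumed here to be the local WIEC_USER) currently holds the Log on as a service right, so you can confirm the assignment took effect and was not reverted by Group Policy.

```powershell
function Test-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$AccountName)   # e.g. 'WIEC_USER' (assumed local account)

    # secedit writes the [Privilege Rights] section as
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
    # (SIDs prefixed with '*', occasionally plain names). Requires an elevated prompt.
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }

    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -Force
    if (-not $line) { return $false }    # the right is not granted to anyone

    # Resolve the account to its SID once so '*S-1-5-...' entries can be compared.
    try {
        $targetSid = ([System.Security.Principal.NTAccount]$AccountName).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
    } catch { throw "Account '$AccountName' could not be resolved on this computer." }

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            if ($entry.Substring(1) -eq $targetSid) { return $true }
        } elseif ($entry -eq $AccountName) { return $true }
    }
    return $false
}

# Usage: report the state for the connector's service account.
if (Test-ServiceLogonRight -AccountName 'WIEC_USER') {
    "WIEC_USER holds 'Log on as a service'."
} else {
    "WIEC_USER lacks 'Log on as a service'. Grant it in secpol.msc; if it keeps disappearing, run 'gpresult /h report.html' to find the Group Policy that overrides the local setting."
}
```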

Symptoms

When you try to configure the Microsoft Intune Exchange Connector, you receive the following error message:

The Microsoft Intune Exchange Connector experienced an error:
CertEnroll::CX509PrivateKey::Create: The system cannot find the file specified. 0x80070002 (WIN32: 2
ERROR_FILE_NOT_FOUND
Error code: 0x000000b


Cause

This problem can occur if the account that you used to sign in to Intune is not an Intune Global Administrator account.

Resolution

To resolve this problem, sign in to Intune by using a Global Administrator account, or add the account to the Global Admin group. See Role-based administration control (RBAC) with Microsoft Intune for more information.

Symptoms

When you try to configure the Microsoft Intune Exchange Connector, you receive the following error message:

The Microsoft Intune Exchange Connector experienced an error:
CertEnroll::CX509PrivateKey::Create: The system cannot find the file specified. 0x80070002 (WIN32: 2
ERROR_FILE_NOT_FOUND
Error code: 0x000000b


Cause

This error can occur if either of the following conditions is true:

  • You configured the Intune Exchange Service-to-Service Connector for Exchange Online, and now you’re trying to add a second Intune Exchange connector for Exchange On-Premises.
  • The Intune On-Premises Exchange Connector cannot connect to the Intune web service URL.

Resolution

To resolve this problem, do one of the following, as appropriate:

  • Remove the Intune Exchange Service-to-Service Connector from the Intune portal under Conditional Access > Exchange service connector. In Intune, there can only be one Exchange connector. Remove the connector as shown in the following screenshot.

    Delete Exchange Service to Service connector

  • Check your proxy and firewall configuration to make sure that you were granted access, as documented at Intune network configuration requirements and bandwidth.

Symptoms

When you try to configure the Microsoft Intune Exchange Connector, you receive the following error message:

The Microsoft Intune Exchange Connector version is not supported
The Microsoft Intune Exchange Connector Version that you are running is no longer supported. Mobile device management will be disabled until you install the latest version of the Microsoft Intune Exchange Connector.
To download the latest version, in the Microsoft Intune console, go to the Administration workspace, and then click Microsoft Intune Exchange Connector Download
Error code: 0x000000f


Cause

This error can occur when the Exchange Online Connector (the Service-to-Service Connector) is installed. If this is the case, you will see the Service-to-Service Connector enabled under Microsoft Intune > Conditional access > Exchange service Connector, as shown in the following screenshot.

Exchange Service to Service connector

Resolution

To resolve this problem, remove the service-to-service connector.

Symptoms

When you try to configure the Microsoft Intune Exchange Connector, you receive the following error message:

The Microsoft Intune Exchange Connector cannot connect to Microsoft Intune
Verify that you are connected to the Internet, check the Microsoft Intune Service Status, and try to connect again.
Error code: 0x00000006


Cause

This error can occur if a proxy server is used to connect to the Internet and is blocking traffic to the Intune service. To determine whether a proxy is being used, go to Control Panel > Internet Options, select the Connections tab, and then click LAN Settings.

Resolution

To resolve this problem, do one of the following:

Option 1: Remove the proxy settings to allow the computer to connect to the Internet without going through the proxy.

Option 2: Make sure that your proxy server is allowing communication to the Intune service, as documented in the following Microsoft Docs article:

Symptoms

When you try to configure the Microsoft Intune Exchange Connector, you receive the following error message:

An unexpected error has occurred.
An error occurred while processing your request.

After you close the window, you see the following message:

The Microsoft Intune Exchange Connector cannot connect to Microsoft Intune
Verify that you are connected to the Internet, check the Microsoft Intune Service Status, and try to connect again.
Error code: 0x00000006


Cause

This error can occur if the account that’s used does not have a valid Intune license.

Resolution

To resolve this problem, assign a license to the account. For more information, see Assign licenses to users so they can enroll devices in Intune.

Intune Standalone Conditional Access for On-Premises Exchange environments relies on an on-premises component that’s known as the Microsoft Intune Exchange Connector to manage device access to Exchange based on whether those devices are enrolled in Intune and are compliant with Intune compliance policies.

This component is responsible for discovering devices that connect to Exchange, communicating device information to the Intune Service, and allowing or blocking devices based on whether the devices are enrolled and compliant. All communication is made by using the HTTPS protocol.

Overall Intune on-premises Exchange connector workflow

The discovery and allow/block operations are done by using standard Exchange Server 2013 or Exchange Server 2010 PowerShell cmdlets. Operations are done by using the service account that’s provided when the Exchange Connector is initially installed.

Ports

  • Intune Exchange Connector communication with the Intune service: HTTPS port 443
  • Intune Exchange Connector communication with Exchange CAS: WinRM service port 443
  • Intune Exchange Connector communication with Exchange Autodiscover: port 443
  • Intune Exchange Connector communication with Exchange Web Services (EWS): port 443


Notes

  • Make sure that communication between the server that’s hosting the Intune Exchange Connector and the Intune service is allowed by your firewall and proxy servers. See Network communication requirements for more information.
  • The computer that hosts the Intune Exchange Connector and the Exchange CAS should be domain-joined and on the same LAN. Make sure that the required permissions are added for the account that’s used by the Intune Exchange Connector.
  • The notification account is used to retrieve Autodiscover settings. For more information about Autodiscover in Exchange, see Autodiscover service in Exchange Server.
  • The Intune Exchange Connector sends a request to the EWS URL by using the notification account credentials to send the notification email message together with the Get Started link (to enroll in Intune). This is a requirement for Android non-Knox devices. Otherwise, these devices will be blocked by Conditional Access.

Resources


Congratulations! Your Intune Exchange Connector is now successfully configured. If you'd like more information about the Microsoft Intune Exchange Connector, see the following articles:

You can also post a question in the Microsoft Intune forum.

For all the latest news, information and tech tips, visit the following official Intune blogs:

Still searching for a solution? Have additional questions? You can post a question in our Microsoft Intune forum. Many support engineers, MVPs, and members of our development team participate in the forums, so there’s a good chance you’ll find someone who has the information that you’re after.

If the problem persists and you want to open a support request for the Microsoft Intune product support team, follow the instructions in How to get support for Microsoft Intune.


For non-Knox Android devices to be supported for conditional access for on-premises mailboxes, Intune enrollment must be started from the “Get Started Now” email message that’s sent by the Intune Exchange Connector. This ensures that the device will have a unique ActiveSyncID across all platforms (Exchange, Azure AD, Intune).

See Autodiscover service in Exchange Server for more information about the Autodiscover service in Exchange.

Sample notification email message:

Sample of a notification email

There are several reasons why a user may not receive this email message:

  • The notification account is not set up correctly.
  • Autodiscover fails for the notification account.
  • The EWS request to send the email message fails.


Troubleshooting

  1. The notification account is used to retrieve Autodiscover settings. Verify that the account that’s used meets the following requirements:
    • The account has an active mailbox that's hosted by your Exchange on-premises server.
    • The account UPN matches the SMTP address.
  2. For Autodiscover to work, your DNS server must have a DNS record for Autodiscover.SMTPdomain.com (for example, Autodiscover.contoso.com) that points to your Exchange client access server. To check whether the record is present, do the following:
    1. At a command prompt, type NSLOOKUP, and then press Enter.
    2. Type Autodiscover.SMTPdomain.com, and then press Enter.

      Note Make sure that you substitute your own Autodiscover FQDN. You should receive a response that resembles the following screenshot:

      Autodiscover response

You can also test the Autodiscover service from the Internet at https://testconnectivity.microsoft.com/ or from a local domain by using the Microsoft Connectivity Analyzer Tool. For more information, see Microsoft Connectivity Analyzer Tool.

If Autodiscover fails, try the following steps:

  1. Configure a valid Autodiscover DNS record.
  2. Add a record for Autodiscover in the HOSTS file.
  3. Hard code the EWS URL in the Intune Exchange Connector Configuration file, as follows:
    1. Determine the EWS URL. The default EWS URL for Exchange is https://<mailServerFQDN>/ews/exchange.asmx, although yours may differ. Contact the Exchange administrator to verify the correct URL for your environment.
    2. Edit the OnPremisesExchangeConnectorServiceConfiguration.xml file. By default, the file is located in %ProgramData%\Microsoft\Windows Intune Exchange Connector on the computer that's running the Exchange Connector. Open the file by using a text editor, and then change the following line to reflect the EWS URL for your environment:

      <ExchangeWebServiceURL>https://<YourExchangeHOST>/EWS/Exchange.asmx</ExchangeWebServiceURL>

    3. Save the file, and then restart the computer or restart the Microsoft Intune Exchange Connector Service.

      Note If it’s configured in this manner, the Intune Exchange Connector will stop trying to use Autodiscover and, instead, will connect directly to the EWS URL.
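The script below is an added example, not part of the original article or the connector product: it pins the EWS URL in OnPremisesExchangeConnectorServiceConfiguration.xml after first checking that the endpoint answers over HTTPS, keeps a backup of the file, and restarts the service. It assumes the element is named exactly <ExchangeWebServiceURL> as shown above, that the service name is WIEC (the name quoted in the event-log entry earlier on this page), and that mail.contoso.com is a placeholder for your own Exchange host.

```powershell
function Test-EwsEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    # EWS rejects anonymous requests with 401, which still proves that the name
    # resolves and TLS works, the two things an Autodiscover failure usually hides.
    try {
        Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15 | Out-Null
        return $true
    } catch {
        $resp = $_.Exception.Response
        return ($null -ne $resp -and [int]$resp.StatusCode -eq 401)
    }
}

function Set-ConnectorEwsUrl {
    param(
        [Parameter(Mandatory)][string]$EwsUrl,
        # Default location named in the article; override if your install differs.
        [string]$ConfigPath = "$env:ProgramData\Microsoft\Windows Intune Exchange Connector\OnPremisesExchangeConnectorServiceConfiguration.xml"
    )
    if ($EwsUrl -notmatch '^https://') { throw "EWS URL must use HTTPS: $EwsUrl" }
    if (-not (Test-EwsEndpoint -Url $EwsUrl)) { throw "EWS endpoint not reachable: $EwsUrl" }
    if (-not (Test-Path $ConfigPath)) { throw "Configuration file not found: $ConfigPath" }

    # Timestamped backup before the file is touched.
    Copy-Item $ConfigPath ('{0}.{1:yyyyMMddHHmmss}.bak' -f $ConfigPath, (Get-Date))

    [xml]$xml = Get-Content -Path $ConfigPath -Raw
    # GetElementsByTagName matches the element name regardless of nesting or a default namespace.
    $node = $xml.GetElementsByTagName('ExchangeWebServiceURL') | Select-Object -First 1
    if (-not $node) { throw "<ExchangeWebServiceURL> element not found in $ConfigPath" }
    $node.InnerText = $EwsUrl
    $xml.Save($ConfigPath)

    # 'WIEC' is the service name shown in the event-log entry quoted earlier on this page.
    Restart-Service -Name WIEC
    "EWS URL pinned to $EwsUrl; connector service restarted."
}

# Placeholder host: replace with the EWS URL your Exchange administrator confirms.
Set-ConnectorEwsUrl -EwsUrl 'https://mail.contoso.com/EWS/Exchange.asmx'
```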

Symptoms

When you try to configure the Microsoft Intune Exchange Connector, you receive the following error message:

The Microsoft Intune Exchange Connector cannot connect to the Microsoft Exchange server.
The following Microsoft Exchange Server address could not be reached <Exchange server Name FQDN>
Verify that the FQDN of the exchange server address and credentials that you entered is correct and the server is running. The Microsoft Intune Exchange Connector does not support Exchange server arrays.
Error code: 0x0000001


Cause

This problem can occur if the Internet proxy settings are misconfigured.

Resolution

To resolve this problem, do the following:

  1. Contact the local network administrator to make sure that the proxy settings are configured correctly. 
  2. Use the netsh winhttp command to configure the proxy server and add the required exclusion (bypass) list. For example:

    netsh winhttp set proxy proxy-server="http=proxy.corp.domain.com" bypass-list="34*.*;134.132.*.*;10.*.*;localhost;*.corp.domain.com;*.staging.domain.com"
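The functions below are an added example, not part of the original article, and serve both the proxy check in the earlier "cannot connect to Microsoft Intune" section and the netsh bypass list above: Get-ProxyState shows the per-user Internet Options proxy (what Control Panel displays) next to the machine-wide WinHTTP proxy that netsh sets, and Test-ProxyBypass evaluates a host name against a netsh-style bypass list so you can tell whether a given host will go through the proxy. The Exchange host names used in the usage lines are placeholders.

```powershell
function Get-ProxyState {
    # Per-user (WinINET) settings behind Control Panel > Internet Options > LAN Settings.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    # Machine-wide WinHTTP settings, the ones 'netsh winhttp set proxy' writes.
    $winhttp = (& netsh.exe winhttp show proxy) -join "`n"
    [pscustomobject]@{
        UserProxyEnabled = [bool]$ie.ProxyEnable
        UserProxyServer  = $ie.ProxyServer
        UserBypassList   = $ie.ProxyOverride
        WinHttpDirect    = [bool]($winhttp -match 'Direct access')
        WinHttpRaw       = $winhttp.Trim()
    }
}

function Test-ProxyBypass {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$BypassList   # netsh syntax: entries separated by ';', '*' wildcards
    )
    $patterns = $BypassList -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($pattern in $patterns) {
        if ($pattern -eq '<local>') {
            # '<local>' bypasses only unqualified (dot-less) names.
            if ($HostName -notmatch '\.') { return $true }
            continue
        }
        # -like is case-insensitive and honours the same '*' wildcard netsh uses.
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

# Usage: the bypass list from the netsh example above, checked against placeholder hosts.
$bypass = '34*.*;134.132.*.*;10.*.*;localhost;*.corp.domain.com;*.staging.domain.com'
Test-ProxyBypass -HostName 'cas01.corp.domain.com' -BypassList $bypass   # True: CAS stays on the LAN path
Test-ProxyBypass -HostName 'cas01.contoso.com'     -BypassList $bypass   # False: this host goes via the proxy
Get-ProxyState | Format-List
```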