Users from a federated organization cannot see the free/busy information of another Exchange organization

Symptoms
When you configure a federation trust between a local Microsoft Exchange Server organization and a remote Exchange Server organization, users from the local organization cannot see the free/busy information of the users in the remote organization.

Additionally, the following errors are logged in the event log on the local Exchange server:

Event Source: MSExchange Availability
Event ID: 4001
Description:
Process Microsoft.Exchange.InfoWorker.Common.Delayed`1[System.String]: <>SMTP:user@domain.com failed. Exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException: Autodiscover failed for e-mail address <>SMTP:user@domain.com with exception System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message.

Event Source: MSExchange Availability
Event ID: 4002
Description:
ProxyWebRequest FederatedCrossForest from S-1-5-21-3124261755-470644396-3029476549-1139 to https://autodiscover.domain.com/ews/exchange.asmx failed. Caller SIDs: WSSecurity. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message.


Also, HTTP 500 responses returned for Availability requests on the remote forest Exchange server are logged as follows in the W3SVC logs:

POST /autodiscover/autodiscover.svc/WSSecurity - 443 - 10.0.0.20 ASAutoDiscover/CrossForest/EmailDomain/ 500 0 0 15

Cause
This issue occurs because the WSSecurity property of the "EWS" virtual directory or the "Autodiscover" virtual directory is disabled on the Client Access servers in the local Exchange Server 2010 organization.

Resolution
Exchange 2016 or Exchange 2013
To resolve this issue, reset the WSSecurity authentication for the virtual directories on the Exchange Back End site for each server in the remote organization.

  1. Open Windows PowerShell and add the Exchange Management snap-in.
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
  2. Disable WSSecurity authentication for the EWS virtual directory using the Set-WebServicesVirtualDirectory cmdlet.
    Set-WebServicesVirtualDirectory "<ServerName>\ews (Exchange Back End)" -WSSecurityAuthentication:$False
  3. Enable WSSecurity authentication for the EWS virtual directory using the Set-WebServicesVirtualDirectory cmdlet.
    Set-WebServicesVirtualDirectory "<ServerName>\ews (Exchange Back End)" -WSSecurityAuthentication:$True
  4. Disable WSSecurity authentication for the Autodiscover virtual directory using the Set-AutodiscoverVirtualDirectory cmdlet.
    Set-AutodiscoverVirtualDirectory "<ServerName>\Autodiscover (Exchange Back End)" -WSSecurityAuthentication:$False
  5. Enable WSSecurity authentication for the Autodiscover virtual directory using the Set-AutodiscoverVirtualDirectory cmdlet.
    Set-AutodiscoverVirtualDirectory "<ServerName>\Autodiscover (Exchange Back End)" -WSSecurityAuthentication:$True
  6. Restart the application pools using the Restart-WebAppPool cmdlet.
    Restart-WebAppPool MSExchangeAutodiscoverAppPool
    Restart-WebAppPool MSExchangeServicesAppPool

Exchange 2010
To resolve this issue, reset the WSSecurity authentication for the virtual directories on each Client Access server in the remote organization.

  1. Open the Exchange Management Shell.
  2. Disable WSSecurity authentication for the EWS virtual directory using the Set-WebServicesVirtualDirectory cmdlet.
    Set-WebServicesVirtualDirectory "<ServerName>\ews (Default Web Site)" -WSSecurityAuthentication:$False
  3. Enable WSSecurity authentication for the EWS virtual directory using the Set-WebServicesVirtualDirectory cmdlet.
    Set-WebServicesVirtualDirectory "<ServerName>\ews (Default Web Site)" -WSSecurityAuthentication:$True
  4. Disable WSSecurity authentication for the Autodiscover virtual directory using the Set-AutodiscoverVirtualDirectory cmdlet.
    Set-AutodiscoverVirtualDirectory "<ServerName>\Autodiscover (Default Web Site)" -WSSecurityAuthentication:$False
  5. Enable WSSecurity authentication for the Autodiscover virtual directory using the Set-AutodiscoverVirtualDirectory cmdlet.
    Set-AutodiscoverVirtualDirectory "<ServerName>\Autodiscover (Default Web Site)" -WSSecurityAuthentication:$True
  6. Restart the application pools using the following syntax:
    appcmd stop appPool /appPool.name:MSExchangeAutodiscoverAppPool
    appcmd start appPool /appPool.name:MSExchangeAutodiscoverAppPool
    appcmd stop appPool /appPool.name:MSExchangeServicesAppPool
    appcmd start appPool /appPool.name:MSExchangeServicesAppPool
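
Added example (not part of the original article): a PowerShell check to run after either reset procedure. It reads the WSSecurityAuthentication value back from both virtual directories and looks for new occurrences of events 4001 and 4002. The function names, the server name EX01 and the Application log name are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Assumes the Exchange cmdlets are already
# loaded (Exchange Management Shell, or the snap-in from step 1 above).

function Get-WSSecurityState {
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        # 'Exchange Back End' for Exchange 2013/2016, 'Default Web Site' for Exchange 2010
        [string] $Site = 'Exchange Back End'
    )
    $ews  = @{ Identity = "$ServerName\ews ($Site)" }
    $auto = @{ Identity = "$ServerName\Autodiscover ($Site)" }
    if ($Site -eq 'Exchange Back End') {
        # Back-end directories are only returned when this switch is set (2013/2016).
        $ews.ShowMailboxVirtualDirectories  = $true
        $auto.ShowMailboxVirtualDirectories = $true
    }
    $vdirs = @(Get-WebServicesVirtualDirectory @ews) +
             @(Get-AutodiscoverVirtualDirectory @auto)
    foreach ($vdir in $vdirs) {
        [pscustomobject]@{
            Server     = $ServerName
            Identity   = $vdir.Identity
            WSSecurity = $vdir.WSSecurityAuthentication   # expected: True after the reset
        }
    }
}

function Get-AvailabilityFailure {
    # Run on the server that logged the errors; returns matching events since $Since.
    param([datetime] $Since = (Get-Date).AddHours(-1))
    $filter = @{
        LogName      = 'Application'              # assumption: log holding this event source
        ProviderName = 'MSExchange Availability'  # event source named in the Symptoms section
        Id           = 4001, 4002
        StartTime    = $Since
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no failures".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*An error occurred when verifying security for the message*' } |
        Select-Object TimeCreated, Id, MachineName
}

# Usage (EX01 is a hypothetical server name):
#   Get-WSSecurityState -ServerName 'EX01' | Where-Object { -not $_.WSSecurity }
#   Get-AvailabilityFailure -Since (Get-Date).AddMinutes(-30)
```

An empty result from both usage lines means that WSSecurity is enabled on both directories and that no new verification failures were logged in the time window.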

Properties

Article ID: 2752387 - Last Review: 09/23/2016 18:09:00 - Revision: 8.1

Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2010 Standard, Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard
