
You are hopefully familiar with the new Exchange Emergency Mitigation Service (EEMS) for Exchange Server 2016 and 2019. It is a new service through which Microsoft applies emergency configuration changes to your Exchange servers automatically once a security risk has been identified. Such an emergency mitigation is a technical workaround until a proper security patch is available.

The service responsible for fetching the current list of published mitigations is MSExchangeMitigation.

Exchange organizations that follow the official guidance for deploying Exchange Server won't see any specific issues with EEMS. It simply works.

But Exchange Server runs in many different infrastructures, and in some of them you can end up with a non-working EEMS.


Findings

EventID 1008 - MSExchangeMitigation service does not start

You see the following event log error:

Exception encountered while fetching mitigations : 
System.AggregateException: One or more errors occurred. 
---> System.Net.Http.HttpRequestException: An error occurred while sending the request. 
---> System.Net.WebException: The underlying connection was closed: 
      Could not establish trust relationship for the SSL/TLS secure channel. 
---> System.Security.Authentication.AuthenticationException: 
      The remote certificate is invalid according to the validation procedure.

In addition, you see the following in the diagnostic logs of the Exchange Server:

S:LogLevel=Information;S:Message=Started MSExchangeMitigation
S:LogLevel=Information;S:Message=Fetching mitigations from https://officeclient.microsoft.com/getexchangemitigations
S:LogLevel=Information;S:Message=Using Proxy http://[IPADDRESS]/ To Fetch Configurations
S:LogLevel=Information;S:Message=No diagnostic data sent. DataCollectionEnabled is false
S:LogLevel=Warning;S:Message=TLS certificate or its chain validation failed
S:LogLevel=Error;S:Message=Exception encountered while fetching mitigations : 
  One or more errors occurred.;S:Source=Microsoft.Exchange.Mitigation.Service.Mitigations.MitigationEngine

File location: V15\Logging\MitigationService

But why is the validation procedure failing? The reason is simple: the certificate revocation check for the certificate chain failed. EEMS was not able to connect to the CRL endpoints of the certificates in the certificate chain. CRL endpoints are served over HTTP rather than HTTPS for performance reasons, and outbound HTTP is often blocked for Exchange servers.

The Exchange Server must be able to validate the certificate chain to successfully establish a TLS connection to officeclient.microsoft.com. Certainly, you can disable the CRL check on the server, but this is something I do not recommend. The XML file containing the mitigation configuration is signed with an X.509 certificate, and your servers should be able to validate that certificate and check its CRL.
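To verify that prerequisite on a server, here is an added PowerShell diagnostic (my addition to this write-up, not code from the original post or from Microsoft). It connects to the endpoint named in the log above, rebuilds the certificate chain with an online revocation check, and then tests plain-HTTP access to every CRL distribution point in the chain; the $Proxy value is an assumption you fill in from the "Using Proxy" line of your own mitigation log.

```powershell
# Added diagnostic, not part of the original post: builds and revocation-checks the
# certificate chain of the EEMS endpoint, then tests HTTP access to every CRL
# distribution point in that chain. $Proxy is an assumption: set it to the proxy
# EEMS uses (the "Using Proxy ..." line in the mitigation log), or leave it $null.
$EndpointHost = 'officeclient.microsoft.com'
$Proxy        = $null   # e.g. 'http://proxy.example.internal:8080' (placeholder)

# Fetch the server certificate. The callback accepts anything here because the
# real validation, with revocation checking, is done explicitly below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($EndpointHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($EndpointHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Build the chain the way EEMS needs it: online revocation check for the entire chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
if ($chain.Build($leaf)) {
    Write-Host "Chain validation including CRL check succeeded for $EndpointHost"
} else {
    Write-Warning "Chain validation failed for ${EndpointHost}:"
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# List the CRL distribution points (extension OID 2.5.29.31) of each certificate in the
# chain and check that they are reachable over plain HTTP, which is what a CRL fetch uses.
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { continue }   # e.g. a self-signed root has no CRL distribution point
    $urls = [regex]::Matches($cdp.Format($true), 'http://[^\s,]+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        $params = @{ Uri = $url; UseBasicParsing = $true; TimeoutSec = 15 }
        if ($Proxy) { $params.Proxy = $Proxy }
        try {
            $null = Invoke-WebRequest @params
            Write-Host ("OK   {0}  <- {1}" -f $url, $cert.Subject)
        } catch {
            Write-Warning ("FAIL {0}  <- {1}: {2}" -f $url, $cert.Subject, $_.Exception.Message)
        }
    }
}
```

Note that the chain build in the first half downloads CRLs through the Windows certificate engine and its own (WinHTTP) proxy settings, which may differ from the proxy EEMS is configured with, so the per-URL HTTP checks in the second half are the more direct test of what the service needs.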


Solution

Ensure that your Exchange servers can communicate with the Internet to validate the certificate chain.


Enjoy Exchange Server.
