When I try to create a new organization relationship with an external domain in Exchange 2013 I get an error saying: "Federation information could not be received from the external organization."
I've found that behind the scenes it is running Get-FederationInformation -Domainname externaldomain.com
(or something similar). I was not able to run this command and would get the same error. Some event logs (schannel events) led me to believe this was due to TLS handshakes failing. I know the external organization does have incoming TLS 1.0 and 1.1 disabled.
I found that PowerShell by default only uses TLS 1.0/SSLv3 for web stuff, but it can be changed in the registry:
# set strong cryptography on 64 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
# set strong cryptography on 32 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
I was even able to create a new organization relationship using just PowerShell:
Get-FederationInformation -DomainName mydomain.com | New-OrganizationRelationship -name "MyDomain" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
However, calendar sharing still does not work. My guess is that the Exchange services are not using TLS 1.2 to do the actual sharing, since trying to add an organization relationship in the ECP GUI still fails with the old error. It looks like I just managed to use TLS 1.2 for PowerShell and not the Exchange services.
Is there a configuration to get Exchange to use TLS 1.2 by default? I don't need or want to turn the old TLS versions off yet.
0 Answers
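The registry values in the question only tell half the story: whether a .NET process offers TLS 1.2 by default depends on both the 64-bit and the 32-bit .NET Framework keys, and on the SCHANNEL protocol switches that Windows itself honours. The following audit script is an added example, not code from the original post. It reads those values and reports them without changing anything, so it can be run on the Exchange server before deciding on a change. `SchUseStrongCrypto` is the value from the question; `SystemDefaultTlsVersions` (the .NET 4.6+ value that makes .NET follow the OS defaults) and the `SCHANNEL\Protocols\...\Client|Server` keys with their `Enabled` and `DisabledByDefault` DWORDs are taken from Microsoft's .NET and SCHANNEL documentation, not from the post. The helper name `Get-DwordValue` is my own.

```powershell
# Added audit script (not from the original post). Reads the registry values that decide
# whether .NET Framework and SCHANNEL will use TLS 1.2 by default; it changes nothing.
# Run in an elevated PowerShell session on the Exchange server.

function Get-DwordValue {
    # Returns the DWORD value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# .NET Framework 4.x keys for 64-bit and 32-bit (Wow6432Node) processes.
# SchUseStrongCrypto       : the value set in the question (TLS 1.0/1.1/1.2 offered, SSL 3 dropped)
# SystemDefaultTlsVersions : .NET 4.6+ value that makes .NET defer to the OS SCHANNEL defaults
$netKeys = @{
    '64-bit .NET 4.x' = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    '32-bit .NET 4.x' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}

$netReport = foreach ($label in $netKeys.Keys) {
    $path = $netKeys[$label]
    [pscustomobject]@{
        Scope                    = $label
        SchUseStrongCrypto       = Get-DwordValue -Path $path -Name 'SchUseStrongCrypto'
        SystemDefaultTlsVersions = Get-DwordValue -Path $path -Name 'SystemDefaultTlsVersions'
    }
}

# SCHANNEL protocol switches. A missing key means "OS default" for that protocol,
# which is why the output distinguishes $null (absent) from 0/1.
$schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$schannelReport = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path -Path $schannelBase -ChildPath "$proto\$side"
        [pscustomobject]@{
            Protocol          = $proto
            Side              = $side
            Enabled           = Get-DwordValue -Path $path -Name 'Enabled'
            DisabledByDefault = Get-DwordValue -Path $path -Name 'DisabledByDefault'
        }
    }
}

"`n.NET Framework TLS-related values (null = value not present):"
$netReport | Format-Table -AutoSize

"`nSCHANNEL protocol switches (null = key/value not present, OS default applies):"
$schannelReport | Format-Table -AutoSize

# What this PowerShell process itself offers right now. This reflects only the
# current process, which is exactly the gap the question describes: a working
# PowerShell session does not prove that the Exchange services behave the same way.
"`nSecurityProtocol in this PowerShell session: $([Net.ServicePointManager]::SecurityProtocol)"

# Summary for the situation in the question: both .NET 4.x scopes need
# SchUseStrongCrypto=1 (or SystemDefaultTlsVersions=1 on .NET 4.6+) for managed
# code to offer TLS 1.2 by default, and TLS 1.2 must not be disabled on the
# SCHANNEL client side. Older protocols are left exactly as they are.
$tls12Client = $schannelReport | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Side -eq 'Client' }
$netMissing  = @($netReport | Where-Object { $_.SchUseStrongCrypto -ne 1 -and $_.SystemDefaultTlsVersions -ne 1 })
$netOk       = $netMissing.Count -eq 0
$schannelOk  = ($tls12Client.Enabled -ne 0) -and ($tls12Client.DisabledByDefault -ne 1)

"`nTLS 1.2 offered by default by .NET 4.x apps (both scopes): $netOk"
"TLS 1.2 client allowed by SCHANNEL:                        $schannelOk"
if (-not $netOk) {
    "Scopes still lacking a TLS 1.2 default: $($netMissing.Scope -join ', ')"
}
```

The script deliberately reports rather than remediates: the question's own constraint is that TLS 1.0 and 1.1 must stay enabled for now, and the `Enabled`/`DisabledByDefault` columns make it easy to confirm that nothing on the server has silently turned them off while you check whether TLS 1.2 is actually the default for managed code.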