When setting up a new Organization Relationship between Exchange 2013 CU3 and Exchange 2010 SP3 RU0, I found that the Test-OrganizationRelationship cmdlet was failing on the Autodiscover call. For a reminder, here is the format for the cmdlet:
Test-OrganizationRelationship –UserIdentity email@example.com –Identity “Name of the OrgRel Object”
The key error revealed itself with the Verbose switch enabled.
VERBOSE: [15:40:01.209 GMT] Test-OrganizationRelationship : The Client will call the Microsoft Exchange Autodiscover service using the following URL: https://autodiscover.contoso.com/autodiscover/autodiscover.svc/WSSecurity.
VERBOSE: [15:40:06.333 GMT] Test-OrganizationRelationship : The Microsoft Exchange Autodiscover service failed to be called at ‘https://autodiscover.contoso.com/autodiscover/autodiscover.svc/WSSecurity’ because the following error occurred: SoapException.Code =http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:InvalidSecurity
Exception: System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message.
After some research, I discovered a KB article published that looked similar (http://support.microsoft.com/kb/2752387). Sure enough, I checked the IIS on the targeted Exchange system and found the 500 response to the Autodiscover request from my Exchange server.
The resolution states that the EWS & Autodiscover virtual directories must be configured to allow WSSecurity Authentication. However, my Exchange 2010 server was already defined as True for WSSecurity.
Since everything appeared set correctly, I continued my testing and troubleshooting. I eventually ran out of ideas, so I decided to set the WSSecurity manually and reset IIS (for good measure). The Cmdlets used to set the required authentication:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $True
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $True
To my surprise, the free/busy exchange of information began working.
Now, for Exchange 2010, the output of the Test-OrganizationRelationship will be blank. No summary of successful completion is presented, but the Verbose option will state that the steps completed successfully.
From Exchange 2013, you receive more information during the test.
Don’t be afraid to set a parameter even though it appears to be configured already. Exchange does some behind the scenes setup to finalize the configuration.