You are hopefully familiar with the new Exchange Emergency Mitigation Service (EEMS) for Exchange Server 2016 and 2019. It is a new service through which Microsoft applies an emergency configuration to your Exchange servers automatically when a security risk has been identified. Such an emergency mitigation is a technical workaround until a proper security update is available.
The service responsible for fetching the current list of published mitigations is MSExchangeMitigation.
Exchange organizations following the official guidance for deploying Exchange Server won't see any specific issues with EEMS. It simply works.
But Exchange Server runs in many different infrastructures, and in some of them you may end up with a non-working EEMS.
Findings
EventID 1008 – MSExchangeMitigation service does not start
You see the following event log error:
Exception encountered while fetching mitigations : System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
In addition, you see the following in the diagnostic logs of the Exchange Server:
S:LogLevel=Information;S:Message=Started MSExchangeMitigation
S:LogLevel=Information;S:Message=Fetching mitigations from https://officeclient.microsoft.com/getexchangemitigations
S:LogLevel=Information;S:Message=Using Proxy http://[IPADDRESS]/ To Fetch Configurations
S:LogLevel=Information;S:Message=No diagnostic data sent. DataCollectionEnabled is false
S:LogLevel=Warning;S:Message=TLS certificate or its chain validation failed
S:LogLevel=Error;S:Message=Exception encountered while fetching mitigations : One or more errors occurred.;S:Source=Microsoft.Exchange.Mitigation.Service.Mitigations.MitigationEngine
File location: V15\Logging\MitigationService
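The log entries above are "S:Name=Value" pairs separated by semicolons. The following PowerShell is an added example, not code from the original post: it parses entries of that shape into objects and keeps only the Warning and Error entries, which is what you want when you search the MitigationService log directory for the failure. The sample lines are constructed from the entries quoted above; the commented-out command at the end, which assumes the entries appear as plain text in the .log files and that the ExchangeInstallPath environment variable is set, runs the same parser over the real log directory.

```powershell
# Added example (not from the original post): parse MitigationService log entries of the
# form "S:Name=Value;S:Name=Value;..." and filter for Warning/Error.

function ConvertFrom-MitigationLogEntry {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # Each field is "S:<Name>=<Value>". Match lazily up to the next ";S:" so that
        # semicolons or lower-case "s:" inside a value (URLs, exception text) stay intact.
        # .NET regex matching is case-sensitive, so "https:" is not mistaken for a field start.
        $fields = [regex]::Matches($Line, '(?:^|;)S:(\w+)=(.*?)(?=;S:|$)')
        if ($fields.Count -eq 0) { return }
        $props = [ordered]@{}
        foreach ($f in $fields) { $props[$f.Groups[1].Value] = $f.Groups[2].Value }
        [pscustomobject]$props
    }
}

# Constructed sample input, taken from the entries quoted in the post.
$sampleLines = @(
    'S:LogLevel=Information;S:Message=Started MSExchangeMitigation'
    'S:LogLevel=Information;S:Message=Fetching mitigations from https://officeclient.microsoft.com/getexchangemitigations'
    'S:LogLevel=Information;S:Message=Using Proxy http://[IPADDRESS]/ To Fetch Configurations'
    'S:LogLevel=Information;S:Message=No diagnostic data sent. DataCollectionEnabled is false'
    'S:LogLevel=Warning;S:Message=TLS certificate or its chain validation failed'
    'S:LogLevel=Error;S:Message=Exception encountered while fetching mitigations : One or more errors occurred.;S:Source=Microsoft.Exchange.Mitigation.Service.Mitigations.MitigationEngine'
)

$sampleLines | ConvertFrom-MitigationLogEntry |
    Where-Object { $_.LogLevel -in 'Warning', 'Error' } |
    Format-Table LogLevel, Message, Source -AutoSize -Wrap

# Against the real log files (assumption: entries are plain text in the .log files and
# $env:ExchangeInstallPath points at the Exchange installation directory):
# Get-ChildItem "$env:ExchangeInstallPath\Logging\MitigationService\*.log" |
#     Select-String -Pattern 'S:LogLevel=(Warning|Error)' |
#     Select-Object -ExpandProperty Line |
#     ConvertFrom-MitigationLogEntry
```

The two remaining rows after the filter are the Warning about chain validation and the Error from the MitigationEngine, in that order; the Warning is the one that tells you where to look.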
But what is it in the validation procedure that fails? The cause is simple: the certificate revocation check for the certificate chain failed. EEMS was not able to reach the CRL distribution points of the certificates in the chain presented by officeclient.microsoft.com. CRL endpoints are served over plain HTTP, not HTTPS, for performance reasons and so that downloading a CRL does not itself trigger another certificate and revocation check. And outbound HTTP is often blocked for Exchange servers, while outbound HTTPS is allowed. Note that the revocation check is performed by Windows CryptoAPI, not by the Mitigation service's own HTTP client, so it follows the machine-wide WinHTTP proxy configuration (netsh winhttp show proxy) rather than the proxy shown in the "Using Proxy" log entry.
To establish a TLS connection to officeclient.microsoft.com, the Exchange server must be able to validate the complete certificate chain, including revocation. Certainly, you can disable the CRL check for the server. But this is something I do not recommend. The XML file containing the mitigation configuration is signed with an X.509 certificate, and your servers should be able to validate that signature and check its CRL as well.
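Before changing firewall or proxy rules, reproduce the failing validation from the Exchange server itself. The following PowerShell is an added example, not code from the original post: it performs a TLS handshake with officeclient.microsoft.com, rebuilds the certificate chain with an online revocation check for the whole chain, and then lists and probes the HTTP CRL distribution points of every certificate in that chain. It assumes outbound TCP 443 to officeclient.microsoft.com is open and that the server's .NET Framework supports TLS 1.2; the host name and port are the only inputs.

```powershell
# Added example (not from the original post): check whether this server can build and
# revocation-check the certificate chain of the EEMS endpoint, and which CRL distribution
# points that check depends on. Assumes TCP 443 to the host is open and TLS 1.2 is available.

$EemsHost = 'officeclient.microsoft.com'

function Get-TlsServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept the server certificate unconditionally during the handshake: the chain is
        # validated separately below, so the handshake must not abort on the very error we
        # want to inspect. Revocation checking is also disabled for the handshake itself.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $raw = $ssl.RemoteCertificate.GetRawCertData()
        $ssl.Dispose()
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    } finally { $tcp.Close() }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Mirror the validation the post describes: online revocation check for the entire chain.
    # CryptoAPI performs the CRL download, using the machine-wide WinHTTP proxy settings.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($Leaf)
    [pscustomobject]@{
        Valid    = $valid
        Status   = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
        Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    }
}

function Get-CrlDistributionPoint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format() renders it as text
    # with "URL=http://..." entries. A self-signed root normally carries none.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $ext) { return }
    [regex]::Matches($ext.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlEndpoint {
    param([string]$Url)
    try {
        # Plain HTTP on TCP 80. Invoke-WebRequest uses the current user's proxy settings,
        # which may differ from the WinHTTP settings CryptoAPI uses; see the note below.
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        '{0} -> HTTP {1}, {2} bytes' -f $Url, $r.StatusCode, $r.RawContentLength
    } catch {
        '{0} -> FAILED: {1}' -f $Url, $_.Exception.Message
    }
}

$leaf   = Get-TlsServerCertificate -HostName $EemsHost
$result = Test-CertificateChain -Leaf $leaf

"Chain for $EemsHost valid with online revocation check: $($result.Valid)"
$result.Status | ForEach-Object { "  $_" }

foreach ($cert in $result.Elements) {
    "`n$($cert.Subject)"
    foreach ($url in (Get-CrlDistributionPoint -Certificate $cert)) {
        '  ' + (Test-CrlEndpoint -Url $url)
    }
}
```

If the handshake succeeds but Valid is False with a status such as RevocationStatusUnknown or OfflineRevocation, you are looking at exactly the condition behind the event log error above, and the URLs printed are what the firewall must allow on TCP 80. A URL that this script can fetch while the chain build still fails points at a proxy difference: the per-URL probe uses the interactive user's proxy settings, whereas the chain build (like the service) goes through CryptoAPI and the machine-wide WinHTTP proxy.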
Solution
Ensure that your Exchange servers can reach the Internet over HTTP (TCP 80) for the CRL distribution points of the certificate chain, in addition to HTTPS (TCP 443) to officeclient.microsoft.com. If outbound traffic has to go through a proxy, configure it in the machine-wide WinHTTP settings as well, because that is the configuration the CryptoAPI revocation check uses.
Enjoy Exchange Server.