This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 95%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hello all,
FetchMitigation,S:LogLevel=Warning;S:Message=TLS certificate or its chain validation failed
and solved this with allow Exchange on our Firewall to config.officeapps.live.com
Exception encountered while fetching mitigations : System.Exception: This XML is not deemed safe to consume since Response xml's signing cert is invalid or not from microsoft
at Microsoft.Exchange.Mitigation.Service.Common.SignatureVerifierUtils.ThrowIfIntegrityChecksFail(SafeXmlDocument xmlDoc)
at Microsoft.Exchange.Mitigation.Service.Common.SignatureVerifierUtils.GetValidatedDocumentWithoutSignature(SafeXmlDocument xmlDoc)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.FetchDataFromXmlStream[T](Stream stream)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.FetchMitigationsFromUrl[T](String url, RemoteCertificateValidationCallback certValidationCallback, X509Certificate clientAuthCert, Boolean isResponseJson)
at Microsoft.Exchange.Mitigation.Service.MitigationCloudServiceV2.FetchMitigations()
at Microsoft.Exchange.Mitigation.Service.Mitigations.MitigationEngine.FetchAndApplyMitigation()
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @Chris
What's your Exchange server and CU version? What changes have been made to your server recently which may lead to this error?
In addition to the Eventlog you get, do you encounter any other problem when using the server?
According to my reaearch, seems to find the similar issue discussed in this official link: Addressing Your Feedback on the Exchange Emergency Mitigation Service
You may check is there some sort of packet / content inspection device at the edge of the network by any chance? Something that could account for the XML arriving not matching the signature (as the XML is signed)
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Chris
I got below information according to my search, getting 1008 (This XML is not deemed safe to consume since Response xml's signing cert is invalid or not from microsoft). That is because your firewall, proxy or webfilter is blocking the requests of your Exchange Emergency Mitigation Service. You need to allow all the IPs and/or URLs (depending on your firewall and/or webfilter) of Microsoft, Google and Akamai that it takes to check the XMLs certificate, certificate revocation list, schema and so on.
You can simulate the behaviour of the EEMS by getting the test page with a browser (https://officeclient.microsoft.com/getexchangemitigations). For those of you not being familiar - look at the schema links in the XML document as well as the certificate of the URL and check all the certificate chaining, revocation lists URLs and so on.
For the IPs compare the blocked IPs with the following networks and allow them:
https://www.microsoft.com/en-us/download/details.aspx?id=53602
https://www.gstatic.com/ipranges/goog.json
https://github.com/SecOps-Institute/Akamai-ASN-and-IPs-List/blob/master/akamai_ip_cidr_blocks.lst
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Exchange 2016.
Last changes. Install CU22 with new Feature Mitigation Service
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 17%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGR%3C/text%3E%3C/svg%3E)
we have the same Problem.
Tried to whiteliste the URL on the WebProxy. But same issue.
any other idee ?