Mitigation Service, Cert, XML, TLS Error

Chris-1748 asked:

Hello all,

1. We got a TLS error in the Mitigation Service log:

FetchMitigation,S:LogLevel=Warning;S:Message=TLS certificate or its chain validation failed

and solved this by allowing Exchange through our firewall to config.officeapps.live.com.

2. We have an error in the Event Log:

An unexpected exception occurred. Diagnostic information:

Exception encountered while fetching mitigations : System.Exception: This XML is not deemed safe to consume since Response xml's signing cert is invalid or not from microsoft
at Microsoft.Exchange.Mitigation.Service.Common.SignatureVerifierUtils.ThrowIfIntegrityChecksFail(SafeXmlDocument xmlDoc)
at Microsoft.Exchange.Mitigation.Service.Common.SignatureVerifierUtils.GetValidatedDocumentWithoutSignature(SafeXmlDocument xmlDoc)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.FetchDataFromXmlStream[T](Stream stream)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.FetchMitigationsFromUrl[T](String url, RemoteCertificateValidationCallback certValidationCallback, X509Certificate clientAuthCert, Boolean isResponseJson)
at Microsoft.Exchange.Mitigation.Service.MitigationCloudServiceV2.FetchMitigations()
at Microsoft.Exchange.Mitigation.Service.Mitigations.MitigationEngine.FetchAndApplyMitigation()

Hi @Chris-1748

What's your Exchange server and CU version? What changes have been made to your server recently which may lead to this error?

In addition to the Eventlog you get, do you encounter any other problem when using the server?
According to my research, a similar issue seems to be discussed in this official link: Addressing Your Feedback on the Exchange Emergency Mitigation Service

You may check whether there is some sort of packet / content inspection device at the edge of the network by any chance, something that could account for the XML arriving not matching the signature (as the XML is signed).


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


joyceshen-MSFT answered:

Hi @Chris-1748

I got the information below according to my search on getting 1008 (This XML is not deemed safe to consume since Response xml's signing cert is invalid or not from microsoft). That is because your firewall, proxy or web filter is blocking the requests of your Exchange Emergency Mitigation Service. You need to allow all the IPs and/or URLs (depending on your firewall and/or web filter) of Microsoft, Google and Akamai that it takes to check the XML's certificate, certificate revocation list, schema and so on.

You can simulate the behaviour of the EEMS by getting the test page with a browser (https://officeclient.microsoft.com/getexchangemitigations). For those of you who are not familiar with it: look at the schema links in the XML document as well as the certificate of the URL, and check all the certificate chaining, revocation list URLs and so on.

For the IPs compare the blocked IPs with the following networks and allow them:

https://www.microsoft.com/en-us/download/details.aspx?id=53602
https://www.gstatic.com/ipranges/goog.json
https://github.com/SecOps-Institute/Akamai-ASN-and-IPs-List/blob/master/akamai_ip_cidr_blocks.lst


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
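As an added example (not from the answer above and not Microsoft's code): a PowerShell script, run on the Exchange server, that reproduces the checks described above against the endpoint named in the answer. It builds the chain for the TLS certificate of the endpoint and for the certificate that signed the returned XML, with online revocation checking, and prints the CRL/AIA URLs each chain depends on, so a URL blocked by a firewall or proxy shows up as a chain status. It assumes the response is an XML-DSig signed document with the signer's certificate embedded in a `<X509Certificate>` element.

```powershell
# Added diagnostic (not Microsoft's code). Assumes: the response is XML, signed with
# XML-DSig, and carries the signer's certificate in <KeyInfo><X509Data><X509Certificate>.
$Url = 'https://officeclient.microsoft.com/getexchangemitigations'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Test-Chain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Label) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'      # strict: CRL/OCSP endpoints must be reachable
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    Write-Host "[$Label] $($Cert.Subject) -> chain valid: $ok"
    foreach ($s in $chain.ChainStatus) { Write-Host "    status: $($s.Status) - $($s.StatusInformation.Trim())" }
    # URLs the chain builder needs: CRL Distribution Points (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1)
    foreach ($el in $chain.ChainElements) {
        foreach ($ext in $el.Certificate.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31','1.3.6.1.5.5.7.1.1' }) {
            foreach ($m in [regex]::Matches($ext.Format($false), 'https?://\S+')) { Write-Host "    needs URL: $($m.Value)" }
        }
    }
    return $ok
}

# 1. TLS: fetch the document and capture the server certificate presented on the connection
$req = [System.Net.HttpWebRequest]::Create($Url)
$resp = $req.GetResponse()
$reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
$body = $reader.ReadToEnd(); $reader.Close(); $resp.Close()
$tlsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)
$tlsOk = Test-Chain $tlsCert 'TLS'

# 2. XML signature: the certificate that signed the response must itself chain to a trusted root
[xml]$xml = $body
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$b64 = $xml.SelectSingleNode('//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
if ($b64) {
    $signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([Convert]::FromBase64String($b64.InnerText))
    $sigOk = Test-Chain $signer 'XML signer'
} else {
    Write-Warning 'No embedded signing certificate found; an inspection device may have altered the body.'
    $sigOk = $false
}

# 3. Schema and other links referenced by the document must be reachable as well
foreach ($m in [regex]::Matches($body, 'https?://[^\s"''<>]+')) { Write-Host "document references: $($m.Value)" }
"TLS chain OK: $tlsOk; XML signer chain OK: $sigOk"
```

Any URL printed as "needs URL" or "document references" that the server cannot reach through the firewall or proxy is a candidate for the allow list; a RevocationStatusUnknown or OfflineRevocation status points at a blocked CRL/OCSP endpoint.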

Chris-1748 answered:

Exchange 2016.

Last changes: installed CU22 with the new Mitigation Service feature.


GerberRaphael-1496 answered:

We have the same problem.

Tried to whitelist the URL on the web proxy, but same issue.

Any other idea?
