In the age of M365 and Google Apps, not many people still run on-prem servers, but we do. Recently we upgraded to Exchange 2019 on prem with Office Online 2016 for document preview in Outlook on the Web (OWA; I'm just going to call it OWA because, let's face it, it will always be OWA).
There are a heap of tutorials out there that walk you through how to do it for Exchange 2016. 2019 is effectively the same thing, so most tutorials are interchangeable. That isn't what this post is about, though props to Paul over at Practical365: he has some great how-tos on this topic, and I'd suggest following those if you need one.
The one key difference between Exchange 2016 and 2019 is that Exchange 2019 uses TLS 1.2 ONLY (by default).
Why does this matter? Well, as David writes here, Exchange and OWA need to be able to talk to each other in both directions, as Office Online Server 2016 will call back to Exchange via the OWA URL. Everyone will tell you to use a browser to test this, but in reality it isn't a browser that's doing the work. It's .NET.
Did the penny just drop? It did for me.
.NET uses its own settings for which ciphers and protocols it will use, and because Office Online still uses the 2016 build, it doesn't support TLS 1.2 out of the box.
This page has some nice registry keys to add (then reboot) and it should be fixed. (They are also at the bottom of this post.)
We saw a lot of errors and tried a lot of things to fix this, but ultimately they were all just generic SSL messages, such as:
“Contact the OneNote.ashx web service failed with an exception: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”
But when testing them in a browser or in PowerShell, they were fine. Again, because .NET does its own thing.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
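Because the browser test hides the problem, the check below audits the registry values above and then calls the URL through .NET the way Office Online Server does, without forcing a protocol. This is an added example, not code from the original post or from Microsoft; the OWA URL is an assumption you replace with your own.

```powershell
# Added example, not from the original post: audits the registry values the post lists,
# then calls the URL through .NET the way Office Online Server does. $OwaUrl is an assumption.
param([string]$OwaUrl = 'https://mail.example.com/owa/')

$netFx    = 'Microsoft\.NETFramework\v4.0.30319'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$expected = @(
    @{ Path = "HKLM:\SOFTWARE\$netFx";             Name = 'SchUseStrongCrypto'; Value = 1 }
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$netFx"; Name = 'SchUseStrongCrypto'; Value = 1 }
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1 }
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 }
)

function Test-TlsRegistry {
    # One row per expected value; a missing key or a wrong value shows Ok = False.
    foreach ($e in $expected) {
        $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($e.Name) } else { $null }
        [pscustomobject]@{
            Key      = "$($e.Path)\$($e.Name)"
            Expected = $e.Value
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
            Ok       = ($actual -eq $e.Value)
        }
    }
}

function Test-DotNetCallback {
    param([string]$Url)
    # Report what the runtime offers by default; without SchUseStrongCrypto on .NET 4.x
    # this is typically 'Ssl3, Tls', so TLS 1.2 is never even attempted.
    $defaults = [System.Net.ServicePointManager]::SecurityProtocol
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method  = 'HEAD'
        $req.Timeout = 10000
        $req.GetResponse().Close()
        return "OK: TLS handshake to $Url succeeded (runtime default: $defaults)"
    } catch [System.Net.WebException] {
        # ProtocolError = HTTP answered (401/404), so TLS was fine; SecureChannelFailure/TrustFailure is the .NET-side error the post quotes.
        if ($_.Exception.Status -eq 'ProtocolError') {
            return "OK: TLS fine, HTTP replied $([int]$_.Exception.Response.StatusCode) (runtime default: $defaults)"
        }
        return "FAIL: $($_.Exception.Status) - $($_.Exception.Message) (runtime default: $defaults)"
    }
}
Test-TlsRegistry | Format-Table -AutoSize
Test-DotNetCallback -Url $OwaUrl
```

Run it in an elevated prompt on the Office Online Server after the reboot; running it once more from the 32-bit PowerShell (x86) shortcut exercises the Wow6432Node key rather than the 64-bit one.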