Exchange Hybrid - OAuth - unable to create New-AuthServer

David Pettitt 51 Reputation points
2020-07-31T04:42:44.55+00:00

I am stuck on Step 1 of the "Configure OAuth authentication between Exchange and Exchange Online organizations" guide (https://learn.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help)

I have some Exchange 2013 servers configured in Hybrid mode with Exchange Online. The Hybrid Configuration Wizard was mostly successful, and in general things are working. However, the wizard did produce a warning:

HCW8064 The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth, you can try running the HCW again or manually configure OAuth using these manual steps.

I've run the Wizard at least three times now, and it produced this warning every time, so I'm trying the manual OAuth instructions. I try the very first step:

New-AuthServer -Name "WindowsAzureACS" -AuthMetadataUrl "https://accounts.accesscontrol.windows.net/unbc.ca/metadata/json/1"

And I receive this error:

Cannot acquire auth metadata document from 'https://accounts.accesscontrol.windows.net/unbc.ca/metadata/json/1'.
Error: An exception occurred during a WebClient request..
+ CategoryInfo : ResourceUnavailable: (:) [New-AuthServer], AuthMetadataClientException

I can manually load that URL in my browser, no problem. I've tried googling, and searching technet and answers.microsoft.com. Nothing helpful so far. Any tips/ideas?

Edit (Solution): This was finally solved by Microsoft, on our third support request. Putting the answer here, in case someone else happens to have the exact same weird issue. The problem was the InternetWebProxy value on our Exchange servers. It was set to an incorrect address, which was somehow not causing any other problems (that we were aware of). The fix was as easy as setting that value to $null on our Exchange servers.

# Clear the (incorrect) InternetWebProxy value on every Exchange server
foreach ($Server in (Get-ExchangeServer)){
    Set-ExchangeServer -Identity $Server.Name -InternetWebProxy $null
}

After that, we were able to re-run the HCW and it completed successfully.


3 answers

  1. Joyce Shen - MSFT 16,641 Reputation points
    2020-08-03T02:39:06.707+00:00

    First, make sure the account you use to run the command above has been assigned the right role/permission: Organization Client Access.

    The official document about the command, New-AuthServer, gives this introduction: the AuthMetadataUrl parameter specifies the URL for the Microsoft 365 authorization server for your cloud-based organization.

    Here is also a step-by-step guide to configuring OAuth authentication, for your reference: Configure OAuth authentication between Exchange on-premises and Exchange Online organizations


  2. Jon Alfred Smith 541 Reputation points
    2020-08-13T19:50:59.527+00:00

  3. Ethan Balzer 1 Reputation point
    2020-09-01T20:33:03.687+00:00

    I ran into the exact same issue. What I ended up doing was enabling TLS 1.0 access in Regedit (Client), NOT Server.
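The three causes raised in this thread (a wrong InternetWebProxy on the Exchange servers, a missing "Organization Client Access" role, and the TLS protocols available to .NET) can all be checked before running New-AuthServer again. The script below is an added example, not code from the original post or from Microsoft's documentation. It assumes it is run in the Exchange Management Shell on an on-premises Exchange server, that `$AuthMetadataUrl` is replaced with your tenant's ACS metadata URL (the placeholder `<tenant-domain>` is not a real value), and that the download test runs from this machine with each server's InternetWebProxy applied, which approximates rather than reproduces what New-AuthServer does on each server. The `Test-AuthMetadataDownload` function name is this example's own.

```powershell
<#
  Pre-flight check for the manual OAuth step (New-AuthServer) discussed in this thread.
  Added example; not from the original post or Microsoft's documentation.
  Assumptions:
    - Run in the Exchange Management Shell on an on-premises Exchange server.
    - $AuthMetadataUrl is your tenant's ACS metadata URL (placeholder below).
    - The reachability test runs from THIS machine, applying each server's
      InternetWebProxy value, so it approximates what New-AuthServer does.
#>
param(
    # Placeholder: replace <tenant-domain> with your tenant's primary domain.
    [string]$AuthMetadataUrl = "https://accounts.accesscontrol.windows.net/<tenant-domain>/metadata/json/1"
)

function Test-AuthMetadataDownload {
    param([string]$Url, [string]$ProxyAddress)
    # Use System.Net.WebClient, the same client the New-AuthServer error message names.
    $client = New-Object System.Net.WebClient
    if ($ProxyAddress) {
        # Apply the server's InternetWebProxy; a wrong or unreachable proxy here
        # fails with the same kind of WebClient exception the thread describes.
        $client.Proxy = New-Object System.Net.WebProxy($ProxyAddress)
    }
    # With no proxy configured the WebClient default (machine/system proxy) is used.
    try {
        $body = $client.DownloadString($Url)
        # Parse the JSON so a captive-portal or HTML error page is not mistaken for success.
        $doc  = $body | ConvertFrom-Json
        $props = ($doc | Get-Member -MemberType NoteProperty).Name -join ", "
        New-Object PSObject -Property @{ Success = $true;  Detail = "metadata properties: $props" }
    } catch {
        New-Object PSObject -Property @{ Success = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

# 1. TLS protocols this .NET session will offer. ACS endpoints require TLS 1.2,
#    so 'Tls12' should appear here; if only Ssl3/Tls are listed, the download fails
#    before any proxy question arises.
Write-Host "TLS protocols enabled for .NET in this session: $([Net.ServicePointManager]::SecurityProtocol)"

# 2. Who effectively holds the role New-AuthServer requires (from the first answer).
Write-Host "Effective holders of the 'Organization Client Access' role:"
Get-ManagementRoleAssignment -Role "Organization Client Access" -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName | Format-Table -AutoSize

# 3. Per-server InternetWebProxy value and whether the metadata URL loads through it.
$report = foreach ($server in Get-ExchangeServer) {
    $proxy  = [string]$server.InternetWebProxy
    $result = Test-AuthMetadataDownload -Url $AuthMetadataUrl -ProxyAddress $proxy
    $shown  = "(none)"
    if ($proxy) { $shown = $proxy }
    New-Object PSObject -Property @{
        Server            = $server.Name
        InternetWebProxy  = $shown
        MetadataReachable = $result.Success
        Detail            = $result.Detail
    }
}
$report | Select-Object Server, InternetWebProxy, MetadataReachable, Detail | Format-Table -AutoSize -Wrap
```

A server whose InternetWebProxy column shows an address you do not recognise, paired with MetadataReachable = False, is the situation the original poster hit, and the fix from the post (Set-ExchangeServer -InternetWebProxy $null, or the correct proxy address) applies. If the TLS line lacks Tls12, enabling TLS 1.2 for .NET and Exchange is the path to take rather than re-enabling TLS 1.0 as the last answer did: Microsoft 365 endpoints no longer accept TLS 1.0 or 1.1, so that setting will not keep working.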