MS Hybrid Configuration Wizard Full Hybrid stuck on 401 Error when extended protection is active

Daniel Schwechheimer 1 Reputation point
2023-01-31T11:02:08.4733333+00:00

Hi all,

I was searching and reading a lot, but found nothing until yesterday...

Okay... HCW Modern Full Hybrid won't work when Extended Protection on MS Exchange is active.

So I tried to configure HCW with Classic Full Hybrid... Well, I am getting the same 401 error as above.
Disabling EP in IIS for EWS Front- and Back-End, everything works fine...

Is there any other solution without reducing the security on MS Exchange?!

[Attachments: IIS001.png, IIS002.png, IIS003.png, and the log of HCW Classic Full Hybrid]

Thanks and best regards

Daniel
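A read-only way to see exactly which Extended Protection settings are in place on the virtual directories the HCW talks to, before deciding whether anything needs to change. This is an added example, not code from the thread or from Microsoft; it assumes the WebAdministration module is available on the Exchange server, that the IIS sites carry the default names "Default Web Site" and "Exchange Back End", and that the listed virtual directories (EWS, Autodiscover, PowerShell, mapi, OAB) are the ones relevant to hybrid traffic.

```powershell
# Added example (not from the thread): read-only report of the IIS Extended
# Protection settings on the front-end and back-end virtual directories the
# Hybrid Configuration Wizard uses. Nothing is changed; it only reads config.
# Run in an elevated PowerShell session on the Exchange server.
Import-Module WebAdministration

# Site names are the IIS defaults Exchange creates; the vdir list is an
# assumption covering the hybrid-relevant endpoints.
$vdirs   = @('EWS', 'Autodiscover', 'PowerShell', 'mapi', 'OAB')
$sites   = @('Default Web Site', 'Exchange Back End')

$epFilter  = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$sslFilter = 'system.webServer/security/access'

function Get-ExtendedProtectionReport {
    foreach ($site in $sites) {
        foreach ($vdir in $vdirs) {
            $psPath = "IIS:\Sites\$site\$vdir"
            # Skip vdirs that do not exist on this role or version.
            if (-not (Test-Path $psPath)) { continue }

            $ep  = Get-WebConfiguration -Filter $epFilter  -PSPath $psPath
            $ssl = Get-WebConfiguration -Filter $sslFilter -PSPath $psPath

            [pscustomobject]@{
                Site          = $site
                VirtualDir    = $vdir
                TokenChecking = $ep.tokenChecking   # None / Allow / Require
                Flags         = $ep.flags           # e.g. None, Proxy, NoServiceNameCheck
                SslFlags      = $ssl.sslFlags       # whether TLS is required on the vdir
            }
        }
    }
}

# A 401 from the HCW with EP enabled is worth correlating with any vdir where
# TokenChecking is 'Require' but the request arrives through a proxy or load
# balancer that terminates TLS (the channel-binding token then no longer matches).
Get-ExtendedProtectionReport | Format-Table -AutoSize
```

Running this on both the front-end and back-end sites gives a side-by-side view of the tokenChecking value per directory, which is the setting that decides whether a request whose channel-binding token does not match the server's TLS session is rejected. Comparing that table against the HCW log (which endpoint URL was called, and whether it went through the proxy URL or the public domain) is a quicker way to narrow the 401 than toggling EP off and on.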


4 answers

  1. Limitless Technology 43,966 Reputation points
    2023-02-02T10:11:25.01+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    The MS Hybrid Configuration Wizard is a tool used to configure a hybrid deployment between on-premises Exchange and Exchange Online. If the hybrid configuration is stuck on a 401 error when extended protection is active, it could be due to a few different issues:

    1. Authentication Method: Ensure that the correct authentication method is being used for the hybrid connection. Extended protection is typically used with NTLM or Kerberos authentication.
    2. Service Principal Names (SPN): Verify that the appropriate SPNs are registered for the Exchange servers involved in the hybrid deployment.
    3. Certificate Trust: Ensure that the certificate used for the hybrid connection is trusted by both the on-premises and Exchange Online environments.
    4. Firewall Configuration: Make sure that the firewall is configured to allow communication between the on-premises Exchange and Exchange Online environments.
    5. Network Load Balancer Configuration: If a load balancer is being used, ensure that it is properly configured to support the hybrid connection.
    6. User Account Control (UAC): If UAC is enabled, run the Hybrid Configuration Wizard as an administrator.

    If these steps do not resolve the issue, you may need to consult the event logs or perform further troubleshooting to determine the root cause of the 401 error.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.


  2. Limitless Technology 43,966 Reputation points
    2023-02-02T10:11:44.2766667+00:00

    Double post


  3. Khurram Rahim 1,841 Reputation points
    2023-02-08T19:32:58.2+00:00

    It looks like you're encountering an issue with the Hybrid Configuration Wizard (HCW) while trying to set up a full hybrid deployment with Exchange and trying to keep the Exchange Extended Protection feature enabled.

    Unfortunately, it appears that the Extended Protection feature is causing issues with the HCW. As you mentioned, disabling the feature in IIS can resolve the issue, but this reduces the security of your Exchange deployment.

    To keep the security of your Exchange deployment intact, there are a few alternative solutions that you could try:

    1. Consider using a different method for setting up the hybrid deployment that does not require the HCW, such as using remote PowerShell or manually configuring the necessary settings.
    2. If you're using Exchange 2010, consider upgrading to a newer version of Exchange that has better support for Extended Protection.
    3. Consider using a third-party security solution that provides the protection offered by Extended Protection, but does not interfere with the HCW.

    It's important to keep in mind that security is a critical component of any deployment, and it may be worth considering the trade-off between security and ease of setup when choosing the best solution for your deployment.

    I recommend reaching out to Microsoft Support for additional assistance and guidance with this issue.


  4. Daniel Schwechheimer 1 Reputation point
    2023-02-09T07:24:47.2466667+00:00

    Hello Khurram Rahim,

    You are conditionally right. My first attempt was actually the Modern Full Hybrid. After I found out after numerous hours and log sightings that it is related to the Extended Protection (EP), I switched to the Classic Full Hybrid.

    However, the same problems also occurred with this:

    • 401 Error with active EP
    • Calling my local instance via the proxy URL

    Yesterday I started 2 new attempts with new tenants each:

    1st try: Implementation Classic Full Hybrid
    This initially returned a new error screen: 403
    But then: Calling my public domain instead of the proxy URL and it's working like a charm.

    2nd try: Implementing Modern Full Hybrid (because I already started this at the client, but it's not running due to the EP) and reverting to Classic Mode (to make sure the local agent is uninstalled and everything works so I can implement it cleanly at the client).

    After initial known errors and some time between configuration steps, I was able to see in the log that my public domain was being called instead of the proxy URL.

    Quintessence:
    Time is an important factor. Not only with Exchange on prem, but especially with Exchange Online.
    The HCW now ran cleanly and without errors. So now I can test the further migration steps.

    Thank you all for your efforts and answers.
    Best regards

    Daniel

    P.S.: Thread can be closed
