Hybrid Agent Setup failing

Ryan Wilderman 156 Reputation points
2023-04-05T04:31:26.7133333+00:00

It fails at the Validate Hybrid Agent for Exchange Usage. The error I am seeing in the log is:

ERROR 10349 The connection to the server 'guid.resource.mailboxmigration.his.msappproxy.net' could not be completed.... unable to connect to the remote server with the credentials provided. The call to 'https://guid.resourec.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm

I have disabled and re-enabled MRSProxy, I have enabled basic authentication on the EWS site. Am I using the wrong credentials there? If so, what am I supposed to use there?


6 answers

  1. Aholic Liang-MSFT 13,826 Reputation points Microsoft Vendor
    2023-04-06T07:08:09.3033333+00:00

    Hi @Ryan Wilderman,

    The core computer requirements for installing the Hybrid Agent are the same as described in the following list:

    1. Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019

    2. .NET Framework 4.7.2 or later.

    3. TLS 1.2 enabled.

    4. Azure Application Proxy

    5. Capable of establishing outbound HTTPS connections to the internet.

    6. Capable of establishing HTTPS connections to the Exchange Server chosen for hybrid configuration.

    We recommend that you check that the following settings are enabled on the computer where the Hybrid Agent is currently installed:

    1. Check whether TLS 1.2 is enabled.

    2. Check that the outbound ports HTTPS (TCP) 443 and 80 are open between the computers where the hybrid agent is installed.

    For more prerequisites, please refer to this link: Microsoft Hybrid Agent | Microsoft Learn

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
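The prerequisite checks listed in the answer above (.NET Framework 4.7.2, TLS 1.2, HTTPS reachability) can be scripted on the Hybrid Agent host. This is an added example, not part of the original answer or Microsoft's tooling; the function name is hypothetical, the Exchange host name must be supplied by you, and the default outbound target is an assumption.

```powershell
# Added example (hypothetical helper): verify Hybrid Agent host prerequisites.
function Test-HybridAgentPrereq {
    param(
        [Parameter(Mandatory)][string]$ExchangeServer,             # your on-premises Exchange FQDN
        [string]$OutboundTarget = 'login.microsoftonline.com'      # assumption: any internet HTTPS host
    )

    # .NET Framework 4.7.2 or later: Release value 461808 or higher.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty $ndp -ErrorAction SilentlyContinue).Release

    # TLS 1.2 client protocol in SCHANNEL. An absent key means the OS default,
    # which is "enabled" on Windows Server 2012 R2 and later.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = Get-ItemProperty $tlsKey -ErrorAction SilentlyContinue
    $tlsEnabled = (-not $tls) -or ($tls.Enabled -ne 0 -and $tls.DisabledByDefault -ne 1)

    # SchUseStrongCrypto lets .NET 4.x applications negotiate TLS 1.2 (64- and 32-bit hives).
    $netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    $strongCrypto = $true
    foreach ($key in $netKeys) {
        $value = (Get-ItemProperty $key -ErrorAction SilentlyContinue).SchUseStrongCrypto
        if ($value -ne 1) { $strongCrypto = $false }
    }

    # HTTPS reachability: outbound to the internet and inbound to the Exchange server.
    $outbound = Test-NetConnection -ComputerName $OutboundTarget -Port 443 -WarningAction SilentlyContinue
    $exchange = Test-NetConnection -ComputerName $ExchangeServer -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        DotNetRelease        = $release
        DotNet472OrLater     = ($release -ge 461808)
        Tls12ClientEnabled   = $tlsEnabled
        SchUseStrongCrypto   = $strongCrypto
        OutboundHttps443     = $outbound.TcpTestSucceeded
        ExchangeHttps443     = $exchange.TcpTestSucceeded
    }
}

# Example call; replace the placeholder host name with your Exchange server.
Test-HybridAgentPrereq -ExchangeServer 'exchange01.example.com' | Format-List
```

A `False` in any row points at a prerequisite problem rather than a credential problem, which helps separate the two causes discussed in this thread.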


  2. Amit Singh 4,956 Reputation points
    2023-04-06T10:11:49.7133333+00:00

    According to the error message, we can tell this issue is related to MRSProxy. After disabling and enabling it, don't forget to restart Internet Information Services (IIS) using the iisreset command: https://support.microsoft.com/en-us/help/3063913/the-remote-server-returned-an-error-403-forbidden-error-when-you-try-t

    Also, please enable Basic Authentication on the Web Services virtual directory:

        Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS (Default Web Site)" -BasicAuthentication $true

    If the issue persists, please provide the result of Get-WebServicesVirtualDirectory | fl. You can also refer to the following article to troubleshoot: https://docs.microsoft.com/zh-cn/archive/blogs/exovoice/troubleshooting-issues-where-the-migration-endpoint-cannot-be-created-in-hybrid-scenarios


  3. Ryan Wilderman 156 Reputation points
    2023-04-07T01:50:51.48+00:00

    Thank you both for your help. Nothing provided has fixed my situation yet. Here is the output from Get-WebServicesVirtualDirectory:

    RunspaceId                      : fa7fa6bd-f32a-49d6-891e-ae753aec86f2
    CertificateAuthentication       :
    InternalNLBBypassUrl            :
    GzipLevel                       : Low
    MRSProxyEnabled                 : True
    Name                            : EWS (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    LiveIdNegotiateAuthentication   :
    WSSecurityAuthentication        : True
    LiveIdBasicAuthentication       : False
    BasicAuthentication             : True
    DigestAuthentication            : False
    WindowsAuthentication           : True
    OAuthAuthentication             : True
    AdfsAuthentication              : False
    MetabasePath                    : IIS://SEIExchange.XXXXXXX.com/W3SVC/1/ROOT/EWS
    Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    AdminDisplayVersion             : Version 15.0 (Build 1497.2)
    Server                          : SEIEXCHANGE
    InternalUrl                     : https://email.XXXXXXX.com/EWS/Exchange.asmx
    ExternalUrl                     : https://email.XXXXXXX.com/EWS/Exchange.asmx
    AdminDisplayName                :
    ExchangeVersion                 : 0.10 (14.0.100.0)
    DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=SEIEXCHANGE,CN=Servers,CN=Exchange
                                      Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SEI,CN=Microsoft
                                      Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=com
    Identity                        : SEIEXCHANGE\EWS (Default Web Site)
    Guid                            : b181707f-d9cf-42cd-b120-2110891ad438
    ObjectCategory                  : XXXXXXX.com/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
    WhenChanged                     : 4/4/2023 10:23:24 PM
    WhenCreated                     : 5/17/2015 6:36:34 PM
    WhenChangedUTC                  : 4/5/2023 3:23:24 AM
    WhenCreatedUTC                  : 5/17/2015 11:36:34 PM
    OrganizationId                  :
    Id                              : SEIEXCHANGE\EWS (Default Web Site)
    OriginatingServer               : SEIDC01.XXXXXXX.com
    IsValid                         : True
    ObjectState                     : Changed
    
    

    Logs:

    The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.
                                          resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'.
    

  4. Chris Radi 0 Reputation points
    2023-04-09T20:58:44.3066667+00:00

    ..........................................................


  5. Aholic Liang-MSFT 13,826 Reputation points Microsoft Vendor
    2023-04-12T10:12:00.8866667+00:00

    Hi @Ryan Wilderman,

    The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.
                                          resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'.
    

    Based on this error message, the issue may be due to the migration endpoint password being wrong on the on-premises end.

    I recommend that you refer to the following link to reset the password for the account used to set up the migration endpoint to see if the issue persists:

    Office 365 Mailbox Move Fails – The Remote Server Returned An Error (401) Unauthorized. (cloudiffic.com)

    Mailbox Replication Service was unable to connect to the remote server - Azure365Pro.com  


    Note: Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.