Hybrid Agent Setup failing

Ryan Wilderman 156 Reputation points
2023-04-05T04:31:26.7133333+00:00

It fails at the Validate Hybrid Agent for Exchange Usage. The error I am seeing in the log is: ERROR 10349 The connection to the server 'guid.resource.mailboxmigration.his.msappproxy.net' could not be completed.... unable to connect to the remote server with the credentials provided. The call to 'https://guid.resourec.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm I have disabled and re-enabled MRSProxy, I have enabled basic authentication on the EWS site. Am I using the wrong credentials there? If so, what am I supposed to use there?

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,118 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,923 questions
0 comments No comments
{count} vote

6 answers

Sort by: Most helpful
  1. Aholic Liang-MSFT 13,826 Reputation points Microsoft Vendor
    2023-04-06T07:08:09.3033333+00:00

    Hi @ Ryan Wilderman ,

    The core computer requirements for installing the Hybrid Agent are the same as described in the following list:

    1.Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019

    2..NET Framework 4.7.2 or later.

    3.TLS 1.2 enabled.

    4.Azure Application Proxy

    5.Capable of establishing outbound HTTPS connections to the internet.

    6.Capable of establishing HTTPS connections to the Exchange Server chosen for hybrid configuration.

    We recommend that you check that the following settings are enabled on the computer where the Hybrid Agent is currently installed:

    1.Check whether TLS 1.2 is enabled.

    2.Check that the outbound ports HTTPS (TCP) 443 and 80 are open between the computers where the hybrid agent is installed.

    For more prerequisites, please refer to this link:Microsoft Hybrid Agent | Microsoft Learn

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Amit Singh 4,851 Reputation points
    2023-04-06T10:11:49.7133333+00:00

    According to the error message, we could know this issue is related to MRSProxy. After disabling and enabling it, don’t forget to restart Internet Information Services (IIS) using the iisreset command. https://support.microsoft.com/en-us/help/3063913/the-remote-server-returned-an-error-403-forbidden-error-when-you-try-t  and please enable Basic Authentication on Web Services Virtual Directory: Set-WebServicesVirtualDirectory –identity SERVERNAME\EWS (Default Web Site) -BasicAuthentication $TRUE If the issue persists, please provide the result of Get-WebServicesVirtualDirectory|fl and also can refer to the following article to troubleshoot: https://docs.microsoft.com/zh-cn/archive/blogs/exovoice/troubleshooting-issues-where-the-migration-endpoint-cannot-be-created-in-hybrid-scenarios

    0 comments No comments

  3. Ryan Wilderman 156 Reputation points
    2023-04-07T01:50:51.48+00:00

    Thank you both for you help. Nothing provided has fixed my situation yet. Here is the output from Get-WebServicesVirtualDirectory:

    RunspaceId                      : fa7fa6bd-f32a-49d6-891e-ae753aec86f2
    CertificateAuthentication       :
    InternalNLBBypassUrl            :
    GzipLevel                       : Low
    MRSProxyEnabled                 : True
    Name                            : EWS (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    LiveIdNegotiateAuthentication   :
    WSSecurityAuthentication        : True
    LiveIdBasicAuthentication       : False
    BasicAuthentication             : True
    DigestAuthentication            : False
    WindowsAuthentication           : True
    OAuthAuthentication             : True
    AdfsAuthentication              : False
    MetabasePath                    : IIS://SEIExchange.XXXXXXX.com/W3SVC/1/ROOT/EWS
    Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    AdminDisplayVersion             : Version 15.0 (Build 1497.2)
    Server                          : SEIEXCHANGE
    InternalUrl                     : https://email.XXXXXXX.com/EWS/Exchange.asmx
    ExternalUrl                     : https://email.XXXXXXX.com/EWS/Exchange.asmx
    AdminDisplayName                :
    ExchangeVersion                 : 0.10 (14.0.100.0)
    DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=SEIEXCHANGE,CN=Servers,CN=Exchange
                                      Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SEI,CN=Microsoft
                                      Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=com
    Identity                        : SEIEXCHANGE\EWS (Default Web Site)
    Guid                            : b181707f-d9cf-42cd-b120-2110891ad438
    ObjectCategory                  : XXXXXXX.com/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
    WhenChanged                     : 4/4/2023 10:23:24 PM
    WhenCreated                     : 5/17/2015 6:36:34 PM
    WhenChangedUTC                  : 4/5/2023 3:23:24 AM
    WhenCreatedUTC                  : 5/17/2015 11:36:34 PM
    OrganizationId                  :
    Id                              : SEIEXCHANGE\EWS (Default Web Site)
    OriginatingServer               : SEIDC01.XXXXXXX.com
    IsValid                         : True
    ObjectState                     : Changed
    
    

    Logs:

    The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.
                                          resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'.
    
    0 comments No comments

  4. Chris Radi 0 Reputation points
    2023-04-09T20:58:44.3066667+00:00

    ..........................................................

    0 comments No comments

  5. Aholic Liang-MSFT 13,826 Reputation points Microsoft Vendor
    2023-04-12T10:12:00.8866667+00:00

    Hi @ Ryan Wilderman ,

    The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.
                                          resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'.
    

    Based on this error message, the issue may be due to the migration endpoint password in wrong on On-Premises end.  

    I recommend that you refer to the following link to reset the password for the account used to set up the migration endpoint to see if the issue persists:

    Office 365 Mailbox Move Fails – The Remote Server Returned An Error (401) Unauthorized. (cloudiffic.com)

    Mailbox Replication Service was unable to connect to the remote server - Azure365Pro.com  

    -

    Note:Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.