Exchange Hybrid configuration wizard

Question

Hi All,

I am in the process of implementing HCW. I am getting the attached error. As per the error, WinRM still requires basic authentication to be enabled on hybrid server. Below article has some info around the WinRM and basic authentication.

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

However, i couldn't find any MS article states HCW requires WinRM basic authentication as a pre-req. Below are my questions

1. Is the basic authentication to be enabled on the hybrid server permanently?
2. Why HCW still requires basic auth to be enabled on the hybrid server?
3. Is the basic authentication to be enabled on all the Exchange servers in the organization?

Kindly help me to get some answers.

Thanks

Answer 1

When you implementing the Hybrid Configuration Wizard (HCW), you may encounter an error stating that WinRM still requires basic authentication to be enabled on the hybrid server. The error suggests that basic authentication is needed for WinRM (Windows Remote Management) on the hybrid server. Here are some clarifications regarding your questions:

Is basic authentication to be enabled on the hybrid server permanently? Enabling basic authentication on the hybrid server is not a permanent requirement. Basic authentication is typically needed during the initial setup of the hybrid configuration, but it can be disabled once the configuration is complete. However, it's important to follow the recommended security practices and consider alternative authentication methods, such as certificate-based authentication, for WinRM.

Why does HCW still require basic authentication to be enabled on the hybrid server? The HCW relies on WinRM to establish communication and perform configuration tasks between the on-premises Exchange server and Exchange Online. By default, WinRM uses Kerberos authentication, but if Kerberos is not available or not properly configured, it falls back to basic authentication. HCW may require basic authentication temporarily to ensure a successful configuration process.

Is basic authentication to be enabled on all Exchange servers in the organization? Enabling basic authentication on all Exchange servers in the organization is not necessary. The specific requirement for basic authentication during the HCW process is related to the hybrid server, which acts as a bridge between on-premises Exchange and Exchange Online. Other Exchange servers within the organization can follow recommended security practices, which may involve disabling or limiting the use of basic authentication.

It's important to note that basic authentication is being phased out by Microsoft, and modern authentication methods, such as OAuth, are encouraged. As you mentioned, the article you referenced discusses the deprecation of basic authentication in Exchange Online. While basic authentication may be needed temporarily for the HCW process, it's advisable to review and implement more secure authentication mechanisms where possible.

For specific guidance and best practices regarding your hybrid configuration and the use of authentication methods, it's recommended to consult Microsoft documentation, reach out to Microsoft support, or engage with a qualified Exchange specialist.

Answer 2

Hi All,

WinRM basic authentication is required for Hybrid configuration wizard. Which is not listed as a pre-requisite.

MS support has confirmed this