DavidPettitt-6572 asked ChrisWoodard-5793 commented

Exchange Hybrid - OAuth - unable to create New-AuthServer

I am stuck on Step 1 of the "Configure OAuth authentication between Exchange and Exchange Online organizations" guide (https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help).

I have some Exchange 2013 servers configured in Hybrid mode with Exchange Online. The Hybrid Configuration Wizard was mostly successful, and in general things are working. However, the wizard did produce a warning:

HCW8064 The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth, you can try running the HCW again or manually configure OAuth using these manual steps.

I've run the Wizard at least three times now, and it produced this warning every time, so I'm trying the manual OAuth instructions. I try the very first step:

New-AuthServer -Name "WindowsAzureACS" -AuthMetadataUrl "https://accounts.accesscontrol.windows.net/unbc.ca/metadata/json/1"

And I receive this error:

Cannot acquire auth metadata document from 'https://accounts.accesscontrol.windows.net/unbc.ca/metadata/json/1'.
Error: An exception occurred during a WebClient request..
+ CategoryInfo : ResourceUnavailable: (:) [New-AuthServer], AuthMetadataClientException

I can manually load that URL in my browser, no problem. I've tried googling, and searching TechNet and answers.microsoft.com. Nothing helpful so far. Any tips/ideas?

Edit (Solution): This was finally solved by Microsoft, on our third support request. Putting the answer here, in case someone else happens to have the exact same weird issue. The problem was the InternetWebProxy value on our Exchange servers. It was set to an incorrect address, which was somehow not causing any other problems (that we were aware of). The fix was as easy as setting that value to $null on our Exchange servers.

 foreach ($Server in (Get-ExchangeServer)){
     Set-ExchangeServer -Identity $Server.Name -InternetWebProxy $null
 }


After that, we were able to re-run the HCW and it completed successfully.



Thank you for sharing your solution! You are a lifesaver. I've been beating my head against a wall for weeks trying to figure this out.
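
A diagnostic for the cause described in the question's edit, added here as an example and not part of the original thread or of Microsoft's guide: it reads each server's InternetWebProxy and tries to fetch the auth metadata document with System.Net.WebClient, once through that proxy and once directly. The `Test-MetadataFetch` helper and the `<your-domain>` placeholder are assumptions made for this example.

```powershell
# Added example. Run in the Exchange Management Shell on an on-premises server.
# <your-domain> is a placeholder for your verified domain.
$MetadataUrl = 'https://accounts.accesscontrol.windows.net/<your-domain>/metadata/json/1'

# Hypothetical helper: fetch $Url with WebClient (the class named in the
# New-AuthServer error), through $Proxy if given, otherwise with no proxy.
function Test-MetadataFetch {
    param(
        [Parameter(Mandatory = $true)] [string] $Url,
        [System.Uri] $Proxy
    )
    $client = New-Object System.Net.WebClient
    try {
        if ($Proxy) {
            $client.Proxy = New-Object System.Net.WebProxy -ArgumentList $Proxy
        } else {
            # An empty WebProxy means "connect directly", ignoring the
            # per-user proxy settings a browser would pick up.
            $client.Proxy = New-Object System.Net.WebProxy
        }
        $null = $client.DownloadString($Url)
        'OK'
    } catch {
        # Unwrap to the innermost exception: it names the real cause
        # (name resolution, connection refused, TLS negotiation, ...).
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        "FAILED: $($e.Message)"
    } finally {
        $client.Dispose()
    }
}

# The direct test does not depend on the server object, so run it once.
$direct = Test-MetadataFetch -Url $MetadataUrl

# Note: both tests run from this machine, using the proxy address stored on
# each server object. Repeat on other servers if they sit in other networks.
Get-ExchangeServer | ForEach-Object {
    $viaProxy = if ($_.InternetWebProxy) {
        Test-MetadataFetch -Url $MetadataUrl -Proxy $_.InternetWebProxy
    } else { 'not set' }
    New-Object PSObject -Property @{
        Server           = $_.Name
        InternetWebProxy = $_.InternetWebProxy
        ViaProxy         = $viaProxy
        Direct           = $direct
    }
} | Format-Table Server, InternetWebProxy, ViaProxy, Direct -AutoSize
```

A row where ViaProxy shows FAILED while Direct shows OK points at the InternetWebProxy value on that server, which is the setting the fix above clears.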

joyceshen-MSFT answered DavidPettitt-6572 commented

First, make sure the account you use to run the command above has been assigned the right role/permission: Organization Client Access.

The official documentation for the New-AuthServer command states that the AuthMetadataUrl parameter specifies the URL for the Microsoft 365 authorization server for your cloud-based organization.

Here is also a step-by-step guide to configuring OAuth authentication, for your reference: Configure OAuth authentication between Exchange on-premises and Exchange Online organizations



The account I am using to run the command has the Organization Management admin role, which includes the Organization Client Access role.

The step-by-step guide you linked looks very similar to the official Microsoft instructions. I am unable to complete step 1 of the instructions.


Can you successfully access the url 1 from your server?

I tried the command in my environment, and it runs properly.


By "access the url 1 from your server", do you mean can I load it via a web browser? Yes, I can (as I stated in my original post).

JonAlfredSmith-5004 answered DavidPettitt-6572 commented

I am on Exchange 2013 CU 23, which is the most recent available CU for Exchange 2013.

EthanBalzer-1074 answered DavidPettitt-6572 commented

I ran into the exact same issue. What I ended up doing was enabling TLS 1.0 access in Regedit (Client). (NOT SERVER)


Can you please provide more info about exactly what you did? Which registry key(s) and settings?
