Share via

The HTTP request is unauthorized with client authentication scheme 'Negotiate'.

nettech 176 Reputation points
2026-02-06T12:14:58.6033333+00:00

Hi,

We are currently in a hybrid configuration E2019CU15 with O365, trying to migrate mailboxes to O365 we are seeing the error below on all mailboxes we are trying to migrate.

Error: CommunicationErrorTransientException: The call to https://owa.xyz.com/EWS/mrsproxy.svc failed. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM'. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM'.

Get-WebServicesVirtualDirectory | FL Identity,InternalAuthenticationMethods,ExternalAuthenticationMethods,MRSProxyEnabled

Identity : EXCH01\EWS (Default Web Site)

InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}

ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}

MRSProxyEnabled : True

Get-WebServicesVirtualDirectory | FL Identity, MRSProxyEnabled Identity : EXCH01\EWS (Default Web Site) MRSProxyEnabled : True

Get-HybridConfiguration | FL Features

Features : {FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection, OnlineArchive, SecureMail, Photos}

Thank you!

Exchange | Hybrid management
Exchange | Hybrid management

The administration of a hybrid deployment that connects on-premises Exchange Server with Exchange Online, enabling seamless integration and centralized control.

0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. nettech 176 Reputation points
    2026-02-06T17:31:32.9466667+00:00

    here is my current config
    User's image

    0 comments
  2. Kudos-Ng 14,430 Reputation points Microsoft External Staff Moderator
    2026-02-06T13:48:44.4033333+00:00

    Hi nettech,

    Thank you for posting your question in the Microsoft Q&A forum.

    From your description, you’ve already reviewed the relevant MRS settings suggested by Q&A Assist and they look correct so the migration should work, but the error persists. Based on this older but still relevant thread: https://stackoverflow.com/questions/15570108/the-http-request-is-unauthorized-with-client-authentication-scheme-negotiate, the issue may be tied to the EWS authentication configuration in IIS.

    Important: This link will take you to Stackoverflow, which is outside Microsoft’s domain. Please note that Microsoft is not responsible for the accuracy, security, or advertising on external sites.

    Please open IIS Windows authentication > Providers… and verify that both Negotiate and NTLM are present. Then adjust the provider order (place NTLM at the top), restart IIS (iisreset), and test the migration again.

    If the issue persists or you run into any difficulty with these settings, please update this thread and we can help you troubleshoot further.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  3. Q&A Assist
    2026-02-06T12:15:13.08+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The error message you are encountering, "The HTTP request is unauthorized with client authentication scheme 'Negotiate'", typically indicates an issue with the authentication settings for the Exchange Web Services (EWS) in your hybrid environment. Here are some steps you can take to troubleshoot and potentially resolve this issue:

    1. Check MRSProxy Settings: Ensure that MRSProxy is enabled on all Client Access Servers (CAS) in your on-premises environment. You can verify this by running the following command: 
         Get-WebServicesVirtualDirectory | FL Identity, MRSProxyEnabled
      Make sure the MRSProxyEnabled parameter is set to True.
    2. Authentication Methods: Review the authentication methods configured for the EWS virtual directory. You may need to adjust the ExternalAuthenticationMethods to ensure that they include methods that are compatible with your setup. You can set the authentication methods using: 
         Set-WebServicesVirtualDirectory -Identity "EXCH01\EWS (Default Web Site)" -ExternalAuthenticationMethods Ntlm, WSSecurity, OAuth
    3. Firewall and IDS Configuration: Ensure that your firewall and any Intrusion Detection Systems (IDS) are properly configured to allow EWS traffic without requiring pre-authentication. This is crucial for migration requests to go through successfully.
    4. Hybrid Configuration: Verify that your hybrid configuration is set up correctly and that all necessary features are enabled. You can check this with: 
         Get-HybridConfiguration | FL Features
      Ensure that the MoveMailbox feature is listed.
    5. ServiceModelReg Command: If the issue persists, you might want to run the ServiceModelReg.exe -r command to reinstall the handler mappings in IIS, which can sometimes resolve authentication issues.

    If you continue to experience problems after these steps, consider consulting the Microsoft Community or Exchange TechNet Forums for further assistance.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.