Exchange Online mailbox migration not possible because EWS virtual directory only works with NTLM in the frontend.

Question

Hello ,

We run an OnPrem Exchange 2016 server with CU22.

We use two Exchange 2016 servers because we already run some meeting rooms in Exchange Online.

The second should be the Hybrid Exchange Server to connect to Exchange Online.

Now I wanted to perform a mailbox migration from Exchange onPrem to Exchange Online, which is not possible.

I can't get a connection to my MRS proxy because I had to remove the "negotiate" provider on the front end of our Exchange 2016 server for the EWS, Autodiscover and MAPI virtual website, otherwise this would lead to the problem that Outlook brings up a logon window when it starts. The user's e-mail address is now incorrectly displayed there. If a user tries to enter his password with it, the window appears again and again. Entering the username in the format domain\username works.

It was probably introduced by Microsoft with CU18 that only NTLM and oAuth are permitted.

Even if I put NTLM first in the EWS virtual directory in IIS and negotiate as the second, the login window appears.

Only if I completely remove the negotiate provider from the virtual directories Autodiscover, EWS and MAPI does no logon window appear when Outlook starts.

But now I can't do a mailbox migration to Exchange Online again because EWS is missing negotiate .

Can someone help me with the problem?

Michael

Answer 1

Im running CU22 and no issues here.

Your auth should look like this on the webservices vitual directory

Get-WebServicesVirtualDirectory

InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False