Exchange Online mailbox migration not possible because EWS virtual directory only works with NTLM in the frontend.

ChesterRush 1 Reputation point

Hello,

We run an OnPrem Exchange 2016 server with CU22.

We use two Exchange 2016 servers because we already run some meeting rooms in Exchange Online.

The second should be the Hybrid Exchange Server to connect to Exchange Online.

Now I wanted to perform a mailbox migration from Exchange onPrem to Exchange Online, which is not possible.

I can't get a connection to my MRS proxy because I had to remove the "negotiate" provider on the front end of our Exchange 2016 server for the EWS, Autodiscover and MAPI virtual website, otherwise this would lead to the problem that Outlook brings up a logon window when it starts. The user's e-mail address is now incorrectly displayed there. If a user tries to enter his password with it, the window appears again and again. Entering the username in the format domain\username works.

It was probably introduced by Microsoft with CU18 that only NTLM and OAuth are permitted.

Even if I put NTLM first in the EWS virtual directory in IIS and negotiate as the second, the login window appears.

Only if I completely remove the negotiate provider from the virtual directories Autodiscover, EWS and MAPI does no logon window appear when Outlook starts.

But now I can't do a mailbox migration to Exchange Online again because EWS is missing negotiate.

Can someone help me with the problem?


Exchange Server Management

1 answer

  1. Andy David - MVP 120.5K Reputation points MVP

    I'm running CU22 and no issues here.

    Your auth should look like this on the webservices virtual directory:


    InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    LiveIdNegotiateAuthentication :
    WSSecurityAuthentication : True
    LiveIdBasicAuthentication : False
    BasicAuthentication : False
    DigestAuthentication : False
    WindowsAuthentication : True
    OAuthAuthentication : True
    AdfsAuthentication : False

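An added example, not part of the original thread or the answer's own code: a PowerShell check for the Exchange Management Shell that compares each EWS virtual directory against the values shown in the answer above and lists any differences. The variable names are illustrative, and the `MRSProxyEnabled` column is an addition that the answer's output does not show.

```powershell
# Added example. Run in the Exchange Management Shell on an on-premises server.
# Expected values below are copied from the answer's output.
$expectedMethods = 'Ntlm', 'WindowsIntegrated', 'WSSecurity', 'OAuth'
$expectedFlags = [ordered]@{
    WSSecurityAuthentication  = $true
    LiveIdBasicAuthentication = $false
    BasicAuthentication       = $false
    DigestAuthentication      = $false
    WindowsAuthentication     = $true
    OAuthAuthentication       = $true
    AdfsAuthentication        = $false
}

$report = foreach ($vdir in Get-WebServicesVirtualDirectory) {
    $drift = @()

    # Compare the method lists by name, ignoring order.
    foreach ($prop in 'InternalAuthenticationMethods', 'ExternalAuthenticationMethods') {
        $actual = @($vdir.$prop | Where-Object { $null -ne $_ } | ForEach-Object { "$_" })
        foreach ($m in $expectedMethods) {
            if ($actual -notcontains $m) { $drift += "$prop is missing $m" }
        }
        foreach ($m in $actual) {
            if ($expectedMethods -notcontains $m) { $drift += "$prop has extra $m" }
        }
    }

    # Compare the individual boolean switches.
    foreach ($name in $expectedFlags.Keys) {
        if ($vdir.$name -ne $expectedFlags[$name]) {
            $drift += "$name is '$($vdir.$name)', expected '$($expectedFlags[$name])'"
        }
    }

    [pscustomobject]@{
        Server          = $vdir.Server
        Identity        = $vdir.Identity
        # Not in the answer's output; reported because the question concerns the MRS proxy.
        MRSProxyEnabled = $vdir.MRSProxyEnabled
        Drift           = if ($drift) { $drift -join '; ' } else { 'none' }
    }
}

$report | Format-List
```

The script only reads configuration; it reports the Exchange-level settings and does not inspect the IIS provider order discussed in the question.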