Hybrid Agent Setup failing

Ryan Wilderman 156 Reputation points
2023-04-05T04:31:26.7133333+00:00

It fails at the Validate Hybrid Agent for Exchange Usage. The error I am seeing in the log is: ERROR 10349 The connection to the server 'guid.resource.mailboxmigration.his.msappproxy.net' could not be completed.... unable to connect to the remote server with the credentials provided. The call to 'https://guid.resourec.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm I have disabled and re-enabled MRSProxy, I have enabled basic authentication on the EWS site. Am I using the wrong credentials there? If so, what am I supposed to use there?


6 answers

  1. philip van Klink 10 Reputation points
    2024-04-03T20:15:29.2133333+00:00

    We had the same error. As we were using Exchange 2019 CU14, Exchange Server Extended Protection was turned on. I had to turn Extended Protection OFF in IIS (EWS). It can be done via script also. More info here: https://practical365.com/exchange-server-extended-protection/

    I had to set up the migration endpoint again by re-running the HCW and choosing Modern Hybrid Topology.

    1 person found this answer helpful.

  2. Aholic Liang-MSFT 13,856 Reputation points Microsoft Vendor
    2023-04-06T07:08:09.3033333+00:00

    Hi @Ryan Wilderman,

    The core computer requirements for installing the Hybrid Agent are the same as described in the following list:

    1. Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019
    2. .NET Framework 4.7.2 or later.
    3. TLS 1.2 enabled.
    4. Azure Application Proxy
    5. Capable of establishing outbound HTTPS connections to the internet.
    6. Capable of establishing HTTPS connections to the Exchange Server chosen for hybrid configuration.

    We recommend that you check that the following settings are enabled on the computer where the Hybrid Agent is currently installed:

    1. Check whether TLS 1.2 is enabled.
    2. Check that the outbound ports HTTPS (TCP) 443 and 80 are open between the computers where the hybrid agent is installed.

    For more prerequisites, please refer to this link: Microsoft Hybrid Agent | Microsoft Learn


  3. Amit Singh 4,901 Reputation points
    2023-04-06T10:11:49.7133333+00:00

    According to the error message, we can tell that this issue is related to MRSProxy. After disabling and enabling it, don't forget to restart Internet Information Services (IIS) using the iisreset command: https://support.microsoft.com/en-us/help/3063913/the-remote-server-returned-an-error-403-forbidden-error-when-you-try-t

    Also, please enable Basic Authentication on the Web Services virtual directory:

        Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS (Default Web Site)" -BasicAuthentication $true

    If the issue persists, please provide the result of Get-WebServicesVirtualDirectory | fl. You can also refer to the following article to troubleshoot: https://docs.microsoft.com/zh-cn/archive/blogs/exovoice/troubleshooting-issues-where-the-migration-endpoint-cannot-be-created-in-hybrid-scenarios


  4. Ryan Wilderman 156 Reputation points
    2023-04-07T01:50:51.48+00:00

    Thank you both for your help. Nothing provided has fixed my situation yet. Here is the output from Get-WebServicesVirtualDirectory:

    RunspaceId                      : fa7fa6bd-f32a-49d6-891e-ae753aec86f2
    CertificateAuthentication       :
    InternalNLBBypassUrl            :
    GzipLevel                       : Low
    MRSProxyEnabled                 : True
    Name                            : EWS (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    LiveIdNegotiateAuthentication   :
    WSSecurityAuthentication        : True
    LiveIdBasicAuthentication       : False
    BasicAuthentication             : True
    DigestAuthentication            : False
    WindowsAuthentication           : True
    OAuthAuthentication             : True
    AdfsAuthentication              : False
    MetabasePath                    : IIS://SEIExchange.XXXXXXX.com/W3SVC/1/ROOT/EWS
    Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    AdminDisplayVersion             : Version 15.0 (Build 1497.2)
    Server                          : SEIEXCHANGE
    InternalUrl                     : https://email.XXXXXXX.com/EWS/Exchange.asmx
    ExternalUrl                     : https://email.XXXXXXX.com/EWS/Exchange.asmx
    AdminDisplayName                :
    ExchangeVersion                 : 0.10 (14.0.100.0)
    DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=SEIEXCHANGE,CN=Servers,CN=Exchange
                                      Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SEI,CN=Microsoft
                                      Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=com
    Identity                        : SEIEXCHANGE\EWS (Default Web Site)
    Guid                            : b181707f-d9cf-42cd-b120-2110891ad438
    ObjectCategory                  : XXXXXXX.com/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
    WhenChanged                     : 4/4/2023 10:23:24 PM
    WhenCreated                     : 5/17/2015 6:36:34 PM
    WhenChangedUTC                  : 4/5/2023 3:23:24 AM
    WhenCreatedUTC                  : 5/17/2015 11:36:34 PM
    OrganizationId                  :
    Id                              : SEIEXCHANGE\EWS (Default Web Site)
    OriginatingServer               : SEIDC01.XXXXXXX.com
    IsValid                         : True
    ObjectState                     : Changed
    
    

    Logs:

    The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'.
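
Added example, not part of any post in this thread: a Python helper that parses the MRS error text quoted above, splits the server's authentication header into its challenges, and reports whether the scheme the client used was among them. The sample string is constructed from the thread's log with the GUID replaced by `guid`; the names `parse_challenges` and `triage` are this example's own.

```python
import re

# Constructed sample in the shape of the MRS error quoted in the thread; the
# tenant GUID is replaced by the literal "guid", as in the question.
HOST = "guid.resource.mailboxmigration.his.msappproxy.net"
SAMPLE = (
    f"The call to 'https://{HOST}/EWS/mrsproxy.svc' failed. Error details: "
    "The HTTP request is unauthorized with client authentication scheme "
    "'Negotiate'. The authentication header received from the server was "
    f"'Basic realm=\"{HOST}\",Negotiate,NTLM'. --> The remote server returned "
    "an error: (401) Unauthorized.."
)

ERR = re.compile(
    r"client authentication scheme '(?P<client>[^']+)'\.\s+The authentication "
    r"header received from the server was\s+'(?P<header>[^']*)'"
)

def parse_challenges(header):
    """Split a WWW-Authenticate value into {scheme: {param: value}}."""
    challenges, current = {}, None
    # Split on commas, but never inside a quoted string such as a realm.
    for item in re.findall(r'(?:[^,"]|"[^"]*")+', header):
        item = item.strip()
        if not item:
            continue
        head, _, rest = item.partition(" ")
        if "=" in head:        # bare key=value: belongs to the previous scheme
            rest = item
        else:                  # new scheme, optionally followed by a parameter
            current = head
            challenges[current] = {}
        if "=" in rest and current is not None:
            key, _, value = rest.partition("=")
            challenges[current][key.strip().lower()] = value.strip().strip('"')
    return challenges

def triage(error_text):
    """Return client scheme, offered schemes and a verdict, or None if no match."""
    m = ERR.search(error_text)
    if not m:
        return None
    offered = parse_challenges(m.group("header"))
    client = m.group("client")
    hit = client.lower() in (s.lower() for s in offered)
    return {"client": client, "offered": list(offered),
            "realm": offered.get("Basic", {}).get("realm"),
            "verdict": "scheme_offered_but_rejected" if hit else "scheme_not_offered"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the log in this thread the verdict is `scheme_offered_but_rejected`: the endpoint already advertises Basic, Negotiate and NTLM, so the 401 is not caused by a missing authentication method. What remains to check is what the thread itself names, the credentials and, per the first answer, Extended Protection on EWS.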
    

  5. Chris Radi 0 Reputation points
    2023-04-09T20:58:44.3066667+00:00

    ..........................................................

