Share via

Hybrid Agent Setup failing

Ryan Wilderman 156 Reputation points
2023-04-05T04:31:26.7133333+00:00

It fails at the Validate Hybrid Agent for Exchange Usage. The error I am seeing in the log is: ERROR 10349 The connection to the server 'guid.resource.mailboxmigration.his.msappproxy.net' could not be completed.... unable to connect to the remote server with the credentials provided. The call to 'https://guid.resourec.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm I have disabled and re-enabled MRSProxy, I have enabled basic authentication on the EWS site. Am I using the wrong credentials there? If so, what am I supposed to use there?

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,356 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
2,146 questions
0 comments

7 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. philip van Klink 10 Reputation points
    2024-04-03T20:15:29.2133333+00:00

    We had the same error. As we were using Exchange 2019 CU14, Exchange Server Extended Protection was turned on. I had to turn Extended Protection OFF in IIS (EWS). It can be done via script also. More info here: https://practical365.com/exchange-server-extended-protection/

    I had to set up the Migration End point again by re-running the HCW choosing Modern Hybrid Topology

    User's image

    1 person found this answer helpful.
  2. Aholic Liang-MSFT 13,856 Reputation points Microsoft Vendor
    2023-04-06T07:08:09.3033333+00:00

    Hi @ Ryan Wilderman ,

    The core computer requirements for installing the Hybrid Agent are the same as described in the following list:

    1.Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019

    2..NET Framework 4.7.2 or later.

    3.TLS 1.2 enabled.

    4.Azure Application Proxy

    5.Capable of establishing outbound HTTPS connections to the internet.

    6.Capable of establishing HTTPS connections to the Exchange Server chosen for hybrid configuration.

    We recommend that you check that the following settings are enabled on the computer where the Hybrid Agent is currently installed:

    1.Check whether TLS 1.2 is enabled.

    2.Check that the outbound ports HTTPS (TCP) 443 and 80 are open between the computers where the hybrid agent is installed.

    For more prerequisites, please refer to this link:Microsoft Hybrid Agent | Microsoft Learn

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  3. Amit Singh 4,986 Reputation points
    2023-04-06T10:11:49.7133333+00:00

    According to the error message, we could know this issue is related to MRSProxy. After disabling and enabling it, don’t forget to restart Internet Information Services (IIS) using the iisreset command. https://support.microsoft.com/en-us/help/3063913/the-remote-server-returned-an-error-403-forbidden-error-when-you-try-t  and please enable Basic Authentication on Web Services Virtual Directory: Set-WebServicesVirtualDirectory –identity SERVERNAME\EWS (Default Web Site) -BasicAuthentication $TRUE If the issue persists, please provide the result of Get-WebServicesVirtualDirectory|fl and also can refer to the following article to troubleshoot: https://docs.microsoft.com/zh-cn/archive/blogs/exovoice/troubleshooting-issues-where-the-migration-endpoint-cannot-be-created-in-hybrid-scenarios

    0 comments
  4. Ryan Wilderman 156 Reputation points
    2023-04-07T01:50:51.48+00:00

    Thank you both for you help. Nothing provided has fixed my situation yet. Here is the output from Get-WebServicesVirtualDirectory:

    RunspaceId                      : fa7fa6bd-f32a-49d6-891e-ae753aec86f2
CertificateAuthentication       :
InternalNLBBypassUrl            :
GzipLevel                       : Low
MRSProxyEnabled                 : True
Name                            : EWS (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication   :
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
OAuthAuthentication             : True
AdfsAuthentication              : False
MetabasePath                    : IIS://SEIExchange.XXXXXXX.com/W3SVC/1/ROOT/EWS
Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
AdminDisplayVersion             : Version 15.0 (Build 1497.2)
Server                          : SEIEXCHANGE
InternalUrl                     : https://email.XXXXXXX.com/EWS/Exchange.asmx
ExternalUrl                     : https://email.XXXXXXX.com/EWS/Exchange.asmx
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=SEIEXCHANGE,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SEI,CN=Microsoft
                                  Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=com
Identity                        : SEIEXCHANGE\EWS (Default Web Site)
Guid                            : b181707f-d9cf-42cd-b120-2110891ad438
ObjectCategory                  : XXXXXXX.com/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                     : 4/4/2023 10:23:24 PM
WhenCreated                     : 5/17/2015 6:36:34 PM
WhenChangedUTC                  : 4/5/2023 3:23:24 AM
WhenCreatedUTC                  : 5/17/2015 11:36:34 PM
OrganizationId                  :
Id                              : SEIEXCHANGE\EWS (Default Web Site)
OriginatingServer               : SEIDC01.XXXXXXX.com
IsValid                         : True
ObjectState                     : Changed

    Logs:

    The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Basic realm="6fbbfcd9-9983-4bc7-8c9f-d44e461f6d24.
                                      resource.mailboxmigration.his.msappproxy.net",Negotiate,NTLM'.
    0 comments
  5. Chris Radi 0 Reputation points
    2023-04-09T20:58:44.3066667+00:00

    ..........................................................

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.