Thursday, November 8, 2018

How to Fix Microsoft Exchange 2013 to Office 365 Error ews/mrsproxy.svc' failed. The HTTP request was forbidden with client authentication scheme 'Negotiate'

1. The first part of the denial is that the Exchange 2013 server has to be set to "0" instead of "1" in its attributes.

2. Log in to your DC and then search for ADSI Edit (Windows 2012/2016/2019 Server):

Change the "adminCount" setting to "1" and then reboot the server. (NOTE: I saw that even on reboot, this flag remained, so I doubt it has anything to do with the HTTP authentication.) This is when I then ran the following commands on the Exchange 2013 server itself in EMS. This is the Microsoft article: https://support.microsoft.com/en-us/help/2975731/access-is-denied-error-when-you-try-to-move-mailboxes-to-exchange-onli but it had no impact at all on the error even after rebooting. It just came back.


3. Log in to the CAS or Exchange Server and open the Exchange Management Shell (EMS).

4. Run the following command in the EMS:
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | select *auth*

5. Look at the output for BasicAuthentication. You will see it set to false:



6. Run the command: Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -BasicAuthentication $TRUE

NOTE: If it times out in CAS, you can also run it on the Exchange Server or do it in the Exchange Admin Center under Servers >> Virtual Directories >> OWA (etc.).

7. After this fix, run the Microsoft Office 365 Hybrid Connection Wizard. (You will need your O365 Administrator account and an AD account that is an Exchange organization administrator so that you can complete the wizard.)


8. You will need to install the application on the CAS server itself (NOTE: Do not install it on Exchange or your local machine. It will just fail).

9. Run the Data Migration from the Exchange Admin Center after you verify that you have successfully configured the Hybrid tool. (Also make sure you have already assigned licenses to users and that the Azure AD Connect tool is already configured on your local domain controller.)

(NOTE: You have to have an active subscription in Microsoft Azure. If you purchase from Rackspace, your account will have a Tenant account and you will be able to configure the tool.)

10. ADFS Configuration using AD Directory Sync:
https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Configuring-AD-FS-for-user-sign-in-with-Azure-AD-Connect
https://www.youtube.com/watch?v=C4wbyAo2-sA
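
Steps 4 to 6 as one script, written for this page as an added example (not from the original post or from Microsoft): it saves the current EWS virtual directory authentication settings to a CSV, enables Basic authentication only where it is off, and re-reads the result. It assumes an Exchange Management Shell session; the `$backup` path is hypothetical, and `ExternalUrl` and `MRSProxyEnabled` are columns the post itself does not mention.

```powershell
# Added example: run inside the Exchange Management Shell (EMS).
# $backup is a hypothetical location chosen for this example.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "ews-auth-before-$stamp.csv"

# 1. Record the current settings so the original values are on file.
$before = Get-WebServicesVirtualDirectory |
    Select-Object Server, Identity, ExternalUrl, MRSProxyEnabled,
                  BasicAuthentication, WindowsAuthentication,
                  DigestAuthentication, OAuthAuthentication
$before | Export-Csv -Path $backup -NoTypeInformation
$before | Format-Table Server, BasicAuthentication, WindowsAuthentication,
                       MRSProxyEnabled -AutoSize

# 2. Basic authentication sends the password base64-encoded, not encrypted,
#    so flag any directory whose external URL is not HTTPS.
$before |
    Where-Object { $_.ExternalUrl -and "$($_.ExternalUrl)" -notlike 'https://*' } |
    ForEach-Object { Write-Warning "$($_.Identity): ExternalUrl is not HTTPS" }

# 3. Enable Basic authentication only on directories where it is off.
$changed = @(Get-WebServicesVirtualDirectory |
    Where-Object { -not $_.BasicAuthentication })
foreach ($vdir in $changed) {
    $vdir | Set-WebServicesVirtualDirectory -BasicAuthentication $true
}
Write-Host "Changed $($changed.Count) virtual directories; previous values saved to $backup"

# 4. Re-read the settings to confirm the change took effect.
Get-WebServicesVirtualDirectory |
    Select-Object Server, Identity, BasicAuthentication |
    Format-Table -AutoSize
```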


Lifesaver Credit (Thanks Guys!!!): 
http://bit.ly/2zCiuP0 (Jaap Wesselius)
http://bit.ly/2RLGvuv (Dan Djurasovic)
https://deansuzuki.net/2015/05/20/exchange-online-fixing-an-perplexing-exchange-migration-issue-part-1/

Helpful (Not Used, but relevant and may help others):
http://www.azure365pro.com/the-http-request-was-forbidden-with-client-authentication-scheme-negotiate/
http://blog.djurasovic.com/migrating-to-office-365-exchange-online-tips-and-tricks-from-the-field/
https://www.techieshelp.com/exchange-2013-change-owa-log-on-options/
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin