Hello Office 365 admins,
In one of the projects we worked on, we had Exchange 2013 servers and tried to run the Hybrid Configuration Wizard (HCW) in order to migrate mailboxes to Office 365. As usual, we installed AD Connect and synced users to Azure Active Directory.
All HCW prerequisites were met, such as verifying the domain, the public certificate, etc. We started the Hybrid Configuration Wizard, but unfortunately the wizard completed with the warning below:
HCW8078: Migration Endpoint could not be created.
“The connection to the server mail.mydomain.edu.jo could not be completed.”
The Call to ‘https://mail.mydomain.edu.jo/EWS/MRSProxy.svc’ failed. Error Details:
The Http Request was forbidden with client authentication schema ‘Negotiate’. –>
The remote server returned an error :(403) forbidden.
First of all, let’s start troubleshooting by opening the URL mentioned in the error details (shown in red) in a browser to see whether it can be reached. When I try to access the URL it asks me for credentials; once I entered any domain user I received the below response:
Before we fix the error, let’s look at why the HCW tries to access this URL while configuring the hybrid deployment.
MRS Proxy stands for Mailbox Replication Service Proxy. It is used for cross-forest mailbox moves and remote move migrations between on-premises Exchange and Exchange Online (Office 365), which means this service is used when Exchange is asked to initiate the migration process. In Exchange 2013 the service is included in the Mailbox servers, and during cross-forest and remote migrations the Client Access server acts as a proxy for incoming move requests to the Mailbox server. The ability of the Client Access server to accept move requests is disabled by default to reduce the attack surface; to allow it to accept incoming move requests you must enable the MRS Proxy endpoint.
So even though the wizard shows a warning rather than a failure, if you decide not to fix the warning, the migration request will fail when you try to move a mailbox to Office 365 (Exchange Online).
To enable the MRS Proxy in Exchange 2013, log in to the ECP page, go to Servers -> Virtual directories and double-click the EWS virtual directory, as below:
Once you open the virtual directory, check the Enable MRS Proxy endpoint option, then click Save:
If you have more than one Client Access server, be sure to enable the MRS Proxy on all servers.
If you prefer to use Exchange PowerShell to enable it, execute the command below (replace the server name with your CAS server):
Set-WebServicesVirtualDirectory -Identity "MyCASSErver\EWS (Default Web Site)" -MRSProxyEnabled $true
For Exchange 2010, you can enable it using the command below (replace the server name with your CAS server):
Set-WebServicesVirtualDirectory -Identity "MYCASSErver\EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50
Once you enable it, I prefer to reset IIS by executing the below command from CMD:
Once you finish the migration, it’s highly recommended to disable the MRS Proxy to reduce the attack surface of your organization.
After that you can run the Hybrid Configuration Wizard. In my case it was a strange story: when I checked the MRS Proxy it was already enabled, so to solve my problem I disabled it and re-enabled it again. Once I did this, I tried to access the URL again and got something similar to the result below:
Finally, I ran the Hybrid Configuration Wizard; it completed successfully and the migration of mailboxes went smoothly.
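The two organization-wide steps above (enable the MRS Proxy on every Client Access server before migrating, disable it again afterwards) can be applied and verified in one pass. The script below is an added example, not part of the original post; the function name Set-MrsProxyState is hypothetical, and it assumes it is run from the Exchange Management Shell with rights to modify virtual directories.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Set-MrsProxyState is a hypothetical helper name chosen for this illustration.
function Set-MrsProxyState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # $true before running the HCW / migration, $false once migration is finished
        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )

    # Without -Server this returns the EWS virtual directory of every CAS server.
    $vdirs = Get-WebServicesVirtualDirectory

    foreach ($vdir in $vdirs) {
        # Only touch servers whose current state differs from the target state.
        if ($vdir.MRSProxyEnabled -ne $Enabled) {
            if ($PSCmdlet.ShouldProcess($vdir.Identity, "Set MRSProxyEnabled to $Enabled")) {
                Set-WebServicesVirtualDirectory -Identity $vdir.Identity -MRSProxyEnabled $Enabled
            }
        }
    }

    # Re-read the configuration and report per server, so a server that was
    # missed (or failed to update) shows up with MatchesTarget = False.
    Get-WebServicesVirtualDirectory |
        Select-Object Server, Identity, MRSProxyEnabled,
            @{ Name = 'MatchesTarget'; Expression = { $_.MRSProxyEnabled -eq $Enabled } }
}

# Preview the changes first, then apply them before running the HCW:
Set-MrsProxyState -Enabled $true -WhatIf | Format-Table -AutoSize
Set-MrsProxyState -Enabled $true | Format-Table -AutoSize

# After the last mailbox has been moved, close the endpoint again:
# Set-MrsProxyState -Enabled $false | Format-Table -AutoSize
```

Any row with MatchesTarget set to False after the post-migration run is a server that still accepts incoming move requests.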
About Blogger …
Ahmad is currently working in Specialized Technical Services Company (STS).