The call to mrsproxy.svc failed. The HTTP request was forbidden

Recently I was doing a project with Exchange 2013 on-premises and Exchange Online in a hybrid configuration (with ADFS etc.). Exchange 2013 was connected to the Internet using a (Juniper) firewall, so no TMG involved. Exchange 2013 was functioning properly.

When I wanted to move the first Mailbox from on-premises to Exchange Online (using Remote PowerShell) it failed almost immediately with an error message “the call to https://exchangeserver/EWS/mrsproxy.svc failed. Error details: The HTTP request was forbidden with client authentication scheme ‘Negotiate’.


This is the exact error message:

PS C:\Users\Jaap> New-MoveRequest -Identity -Remote -RemoteHostName -RemoteCredential $RemoteCredential -TargetDeliveryDomain -BadItemLimit 10

WARNING: When an item can’t be read from the source database or it can’t be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting Exchange not copy such items to the destination mailbox. At move completion, these corrupted items will not be available at the destination mailbox.

The call to ‘’ failed. Error details: The HTTP request was forbidden with client authentication scheme ‘Negotiate’. –> The remote server returned an error: (403) Forbidden..

+ CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemoteTransientException

+ FullyQualifiedErrorId : [Server=AM2PR01MB0658,RequestId=c96a4db4-897d-47b0-97d1-0439d83903cb,TimeStamp=4-9-201412:15:46] [FailureCategory=Cmdlet-RemoteTransientException] 6ED5CB5,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

+ PSComputerName :

PS C:\Users\Jaap>

This is obviously an authentication issue on the on-premises Exchange 2013 server where the Exchange Online server cannot authenticate (the credentials supplied in the New-MoveRequest was ok though).

If you run the command Get-WebServicesVirtualDirectory | select *auth* you’ll find that (most likely) Basic Authentication is set to $FALSE. To set this to $TRUE and thus enable Basic Authentication you can use the following command:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory –BasicAuthentication $TRUE

After running this command the New-MoveRequest can be executed successfully:


5 thoughts on “The call to mrsproxy.svc failed. The HTTP request was forbidden”

    1. Hoi,
      dat is de naam van de server waar de MRS proxy op draait, en waar Exchange Online in het algemeen tegenaan praat. In een normale omgeving zal dat iets zijn van ‘’ ofzo. Dit is dezelfde waarde die je gebruikt in de GUI als je mailboxen gaat migreren naar Exchange Online.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s