Recently I was doing a project with Exchange 2013 on-premises and Exchange Online in a hybrid configuration (with ADFS etc.). Exchange 2013 was connected to the Internet using a (Juniper) firewall, so no TMG involved. Exchange 2013 was functioning properly.
When I wanted to move the first mailbox from on-premises to Exchange Online (using Remote PowerShell), it failed almost immediately with the error message “the call to https://exchangeserver/EWS/mrsproxy.svc failed. Error details: The HTTP request was forbidden with client authentication scheme ‘Negotiate’.”
This is the exact error message:
PS C:\Users\Jaap> New-MoveRequest -Identity email@example.com -Remote -RemoteHostName webmail.contoso.com -RemoteCredential $RemoteCredential -TargetDeliveryDomain contosonl.mail.onmicrosoft.com -BadItemLimit 10
WARNING: When an item can’t be read from the source database or it can’t be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting Exchange not copy such items to the destination mailbox. At move completion, these corrupted items will not be available at the destination mailbox.
The call to ‘https://webmail.contoso.com/EWS/mrsproxy.svc’ failed. Error details: The HTTP request was forbidden with client authentication scheme ‘Negotiate’. –> The remote server returned an error: (403) Forbidden..
+ CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : [Server=AM2PR01MB0658,RequestId=c96a4db4-897d-47b0-97d1-0439d83903cb,TimeStamp=4-9-201412:15:46] [FailureCategory=Cmdlet-RemoteTransientException] 6ED5CB5,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
+ PSComputerName : pod51036psh.outlook.com
This is obviously an authentication issue on the on-premises Exchange 2013 server, where the Exchange Online server cannot authenticate (the credentials supplied in the New-MoveRequest were OK though).
If you run the command Get-WebServicesVirtualDirectory | select *auth* you’ll find that (most likely) Basic Authentication is set to $FALSE. To set this to $TRUE and thus enable Basic Authentication you can use the following command:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -BasicAuthentication $TRUE
After running this command the New-MoveRequest can be executed successfully:
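A more controlled way to make the same change, as an added example that is not part of the original post: it records the current authentication settings of every EWS virtual directory, enables Basic Authentication only where it is off, and shows the result so the change can be reviewed or reverted. The function name Enable-EwsBasicAuth and the backup file name are hypothetical; run it in the on-premises Exchange Management Shell.

```powershell
# Added example (not from the original post). Enable-EwsBasicAuth and the
# default backup path are hypothetical names chosen for illustration.
function Enable-EwsBasicAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Where to save the pre-change settings (assumed path)
        [string]$BackupPath = '.\ews-auth-before.csv'
    )

    # 1. Record the current state of every EWS virtual directory.
    $before = Get-WebServicesVirtualDirectory |
        Select-Object Identity, Server, ExternalUrl, MRSProxyEnabled,
                      BasicAuthentication, WindowsAuthentication
    $before | Export-Csv -Path $BackupPath -NoTypeInformation
    $before | Format-Table -AutoSize | Out-Host

    # 2. Change only the directories where Basic Authentication is off,
    #    instead of piping every directory into Set-WebServicesVirtualDirectory.
    $targets = @($before | Where-Object { -not $_.BasicAuthentication })
    if ($targets.Count -eq 0) {
        Write-Verbose 'Basic Authentication is already enabled everywhere.'
    }
    foreach ($vdir in $targets) {
        $id = [string]$vdir.Identity
        if ($PSCmdlet.ShouldProcess($id, 'Enable Basic Authentication on EWS')) {
            Set-WebServicesVirtualDirectory -Identity $id -BasicAuthentication $true
        }
    }

    # 3. Read the settings back and return them for review.
    Get-WebServicesVirtualDirectory |
        Select-Object Identity, Server, MRSProxyEnabled, BasicAuthentication
}

# Preview the change first, then apply it.
Enable-EwsBasicAuth -WhatIf
Enable-EwsBasicAuth -Verbose
```

The CSV written in step 1 shows which directories had Basic Authentication disabled, which is what you need to set them back to $false later.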