Exchange Function to Test MRSProxy Endpoint Authentication

5/5 - (1 vote)

This week, I was helping someone troubleshoot authentication issues when hybrid migration mailboxes to Exchange Online.

In order to migrate a mailbox successfully, the EWS endpoint virtual directory should have NTLM/Negotiate authentication method available.

You can quickly see what the endpoint is showing available by using this function:

Function Test-MigrationEndpointAuthentication($Url)
{
  # Build URL
  $Url = $Url.TrimEnd('.').TrimEnd('/').TrimEnd('.')
  If ($Url -inotmatch "^https\:\/\/") { $Url = "https://$($Url)" }
  If ($Url -inotmatch "\/EWS/MRSProxy.svc$") { $Url = "$($Url)/EWS/MRSProxy.svc" }
  $req = [System.Net.HttpWebRequest]::Create("$($Url)")
  $req.UseDefaultCredentials = $false 
  try { $req.GetResponse() }
  catch { [system.exception] | out-null }
  $ex = $error[0].Exception 
  $resp = $ex.InnerException.Response 
  Write-Host -NoNewLine "Response/authentication headers: "
  Write-Host -ForegroundColor Cyan $resp.Headers["WWW-Authenticate"]
  Write-Host -NoNewLine "Exception message: "
  Write-Host -ForegroundColor Cyan "$($ex)"
}

To use it, execute the function with your Outlook Web Access URL as the -Url value.  For example:

Test-MigrationEndpointAuthentication -Url owa.undocumented-features.com

The expected authentication header response is: Negotiage,NTLM,Basic

The expected exception response is: Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (401) Unauthorized." ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.

author avatar
Aaron Guilmette
Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.