This week, I was helping someone troubleshoot authentication issues during a hybrid migration of mailboxes to Exchange Online.
In order to migrate a mailbox successfully, the EWS endpoint virtual directory should have the NTLM/Negotiate authentication methods available.
You can quickly see which authentication methods the endpoint advertises by using this function:
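Function Test-MigrationEndpointAuthentication($Url)
{
    # Build URL
    $Url = $Url.TrimEnd('.').TrimEnd('/').TrimEnd('.')
    If ($Url -inotmatch "^https\:\/\/") { $Url = "https://$($Url)" }
    If ($Url -inotmatch "\/EWS\/MRSProxy\.svc$") { $Url = "$($Url)/EWS/MRSProxy.svc" }

    # Send an unauthenticated request so the server answers with its 401 challenge
    $req = [System.Net.HttpWebRequest]::Create("$($Url)")
    $req.UseDefaultCredentials = $false
    $ex = $null
    try { $req.GetResponse().Close() } catch { $ex = $_.Exception }

    # No exception means no challenge was returned, so there is nothing to show
    If ($null -eq $ex) { Write-Host "No authentication challenge was returned by $($Url)"; return }

    # The WebException (and its response) is wrapped in the method invocation exception
    $resp = $ex.InnerException.Response
    Write-Host -NoNewLine "Response/authentication headers: "
    If ($resp) { Write-Host -ForegroundColor Cyan $resp.Headers["WWW-Authenticate"] } Else { Write-Host "" }
    Write-Host -NoNewLine "Exception message: "
    Write-Host -ForegroundColor Cyan "$($ex)"
}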
To use it, execute the function with your Outlook Web Access URL as the -Url value. For example:
Test-MigrationEndpointAuthentication -Url owa.undocumented-features.com
The expected authentication header response is: Negotiate,NTLM,Basic
The expected exception response is: Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (401) Unauthorized." ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
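To turn the header check into a pass/fail result, the following added example (not part of the original function) parses a WWW-Authenticate value and reports which of the schemes named above are missing. Get-AdvertisedAuthScheme is a hypothetical helper name, the sample header strings are constructed, and requiring both Negotiate and NTLM is an assumption you can change with -Required.

```powershell
# Added example: hypothetical helper, not part of Test-MigrationEndpointAuthentication.
Function Get-AdvertisedAuthScheme {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Header,
        # Assumption: both schemes the post names must be advertised.
        [string[]] $Required = @('Negotiate', 'NTLM')
    )

    # Blank out quoted parameter values (e.g. realm="a, b") so commas inside
    # them are not mistaken for separators between challenges.
    $clean = $Header -replace '"[^"]*"', '""'

    # A scheme is a token at the start or after a comma that is followed by
    # whitespace, a comma or the end. Tokens followed by "=" are parameters
    # (realm, charset) and are skipped.
    $pattern = '(?:^|,)\s*([A-Za-z][A-Za-z0-9_-]*)(?=\s|,|$)'
    $schemes = @([regex]::Matches($clean, $pattern) |
        ForEach-Object { $_.Groups[1].Value })

    # -notcontains compares case-insensitively, like HTTP scheme names.
    $missing = @($Required | Where-Object { $schemes -notcontains $_ })

    [pscustomobject]@{
        Advertised = $schemes
        Missing    = $missing
        Ready      = ($missing.Count -eq 0)
    }
}

# Constructed sample header values, not captured from a real server.
$samples = @(
    'Negotiate,NTLM,Basic realm="owa.example.com"',
    'Basic realm="mail, external"',
    ''
)
foreach ($s in $samples) {
    $r = Get-AdvertisedAuthScheme -Header $s
    '{0,-46} advertised=[{1}] missing=[{2}] ready={3}' -f
        $s, ($r.Advertised -join ','), ($r.Missing -join ','), $r.Ready
}
```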