A few weeks ago, while helping a customer configure Exchange Hybrid for Teams, we ran into this interesting error:

As I’ve stated previously, interesting in the context of both technology troubleshooting and doctor’s visits is rarely something you want to hear.

Background

Connectivity to Exchange Online requires WinRM basic authentication. That’s it. That’s the requirement.

We have some notes and articles about what’s necessary (for example, WinRM Basic Authentication is still required for the EXO v2 Module) from a WinRM perspective.  WinRM Basic Authentication is enabled by default, so there’s a few reasons it might not be working and what you can do to fix it (either permanently or temporarily to complete the HCW).

WinRM Basic Authentication is necessary because we need the basic authentication header to send the session’s OAuth token.  We’re not submitting the credentials themselves (though, the connection to Office 365 is TLS, so you’re still not submitting in the clear).

You can run the following command to check the status of your WinRM client configuration:

winrm get winrm/config/client/auth

What’s cool is that nowadays, the output will tell you not only what the client configuration settings are, but potentially why.

As you can see from the screenshot, WinRM has basic authentication disabled, and it’s disabled because someone (namely me, for purposes of this post) configured it that way.

Resolution

If you watched a lot of Magic School Bus, you’ll remember Wanda worriedly asking Ms. Frizzle whenever they got into a sticky situation:

Fortunately, there are a few things we can try.

Updating with WinRM

The easiest way to fix it is to try running WinRM with the set modifier to try to update it.  It can be updated through either an elevated DOS-style command prompt or elevated PowerShell session:

Command Prompt:

winrm set winrm/config/client/auth @{Basic="true"}

PowerShell

winrm set winrm/config/client/auth '@{Basic="true"}'

You can run the get command previously to verify that it’s been updated.

However, if your configuration is like mine (as shown above), you’ll see this error:

This confirms the [Source="GPO"] text we saw earlier. The WinRM setting can’t be modified from the command prompt because it’s been overridden by a Group Policy Object.

Updating or Configuring a GPO

If you’ve got it configured via GPO, you need to either find the offending GPO and modify it, filter it from applying to the machine where you’re running the Exchange Hybrid Configuration Wizard, or create one closer to your computer object to override the inherited setting.  The Allow Basic authentication WinRM configuration setting is located under Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client:

Update/edit this setting for your environment.  As I said previously, you can use security filtering to prevent it from applying to your computer, update the original setting, or create a new GPO closer to your computer to override the inherited setting.  Choose the one that works best for your organizational management processes.

Of course, if that’s not an option, you can still try…

Manually Editing the Registry

Yes, this is why you come to this blog (that and the great GIFs).

To update the setting to apply only to the computer you’re working on without modifying any GPOs, you can modify the corresponding value under the Policies key in the registry:

If it’s been set via GPO and you’re unable (or unwilling) to modify the setting through the Group Policy interface, you can change the setting at HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client.  The value is AllowBasic.  If it’s set to 0, that means it’s disabled.  Flip this setting to 1 and re-run the HCW.  The setting will revert automatically at the next policy refresh cycle.

So, no blood, no foul.

Cheers!