Exchange Hybrid Configuration Wizard: WinRM client cannot process the request

Exchange Hybrid Configuration Wizard: WinRM client cannot process the request

  •  
  •  
  • 1
  •  
  • 1
  •  
    2
    Shares

A few weeks ago, while helping a customer configure Exchange Hybrid for Teams, we ran into this interesting error:

Connecting to remote server failed with the following error message: Connecting to remote server outlook.office365.com failed with the following error message : The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again. For more information, see the about_Remote_Troubleshooting Help topic.
Connecting to remote server failed with the following error message: Connecting to remote server outlook.office365.com failed with the following error message : The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again. For more information, see the about_Remote_Troubleshooting Help topic.

As I’ve stated previously, interesting in the context of both technology troubleshooting and doctor’s visits is rarely something you want to hear.

Background

Connectivity to Exchange Online requires WinRM basic authentication. That’s it. That’s the requirement.

We have some notes and articles about what’s necessary (for example, WinRM Basic Authentication is still required for the EXO v2 Module) from a WinRM perspective.  WinRM Basic Authentication is enabled by default, so there’s a few reasons it might not be working and what you can do to fix it (either permanently or temporarily to complete the HCW).

WinRM Basic Authentication is necessary because we need the basic authentication header to send the session’s OAuth token.  We’re not submitting the credentials themselves (though, the connection to Office 365 is TLS, so you’re still not submitting in the clear).

You can run the following command to check the status of your WinRM client configuration:

winrm get winrm/config/client/auth

What’s cool is that nowadays, the output will tell you not only what the client configuration settings are, but potentially why.

Exchange Hybrid Configuration Wizard: WinRM client cannot process the request

As you can see from the screenshot, WinRM has basic authentication disabled, and it’s disabled because someone (namely me, for purposes of this post) configured it that way.

Resolution

If you watched a lot of Magic School Bus, you’ll remember Wanda worriedly asking Ms. Frizzle whenever they got into a sticky situation:
Exchange Hybrid Configuration Wizard: WinRM client cannot process the request

Fortunately, there are a few things we can try.

Updating with WinRM

The easiest way to fix it is to try running WinRM with the set modifier to try to update it.  It can be updated through either an elevated DOS-style command prompt or elevated PowerShell session:

Command Prompt:

winrm set winrm/config/client/auth @{Basic="true"}

PowerShell

winrm set winrm/config/client/auth '@{Basic="true"}'

You can run the get command previously to verify that it’s been updated.

However, if your configuration is like mine (as shown above), you’ll see this error:

The config setting Basic cannot be changed because is controlled by policies. The policy would need to be set to "Not Configured" in order to change the config setting.  Error number:  -2144108406 0x8033808A Cannot change GPO controlled setting.
The config setting Basic cannot be changed because is controlled by policies. The policy would need to be set to “Not Configured” in order to change the config setting. Error number: -2144108406 0x8033808A Cannot change GPO controlled setting.

This confirms the [Source="GPO"] text we saw earlier. The WinRM setting can’t be modified from the command prompt because it’s been overridden by a Group Policy Object.

Updating or Configuring a GPO

If you’ve got it configured via GPO, you need to either find the offending GPO and modify it, filter it from applying to the machine where you’re running the Exchange Hybrid Configuration Wizard, or create one closer to your computer object to override the inherited setting.  The Allow Basic authentication WinRM configuration setting is located under Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client:

Exchange Hybrid Configuration Wizard: WinRM client cannot process the request

Update/edit this setting for your environment.  As I said previously, you can use security filtering to prevent it from applying to your computer, update the original setting, or create a new GPO closer to your computer to override the inherited setting.  Choose the one that works best for your organizational management processes.

Of course, if that’s not an option, you can still try…

Manually Editing the Registry

Yes, this is why you come to this blog (that and the great GIFs).

To update the setting to apply only to the computer you’re working on without modifying any GPOs, you can modify the corresponding value under the Policies key in the registry:

Exchange Hybrid Configuration Wizard: WinRM client cannot process the request

If it’s been set via GPO and you’re unable (or unwilling) to modify the setting through the Group Policy interface, you can change the setting at HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client.  The value is AllowBasic.  If it’s set to 0, that means it’s disabled.  Flip this setting to 1 and re-run the HCW.  The setting will revert automatically at the next policy refresh cycle.

So, no blood, no foul.

Cheers!

 

 

 

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.