This week, I was helping someone troubleshoot authentication issues during a hybrid migration of mailboxes to Exchange Online.
In order to migrate a mailbox successfully, the EWS endpoint virtual directory should have the NTLM/Negotiate authentication methods available.
You can quickly see which authentication methods the endpoint advertises by using this function:
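Function Test-MigrationEndpointAuthentication($Url)
{
    # Build URL: strip trailing dots/slashes, then add the scheme and MRSProxy path if missing
    $Url = $Url.TrimEnd('.').TrimEnd('/').TrimEnd('.')
    If ($Url -inotmatch "^https\:\/\/") { $Url = "https://$($Url)" }
    If ($Url -inotmatch "\/EWS\/MRSProxy\.svc$") { $Url = "$($Url)/EWS/MRSProxy.svc" }

    # Send an unauthenticated request so the server answers with a 401 challenge
    $req = [System.Net.HttpWebRequest]::Create("$($Url)")
    $req.UseDefaultCredentials = $false
    $ex = $null
    try { $req.GetResponse().Close() }
    catch { $ex = $_.Exception }   # use this call's exception, not a stale $error[0]
    If (-not $ex) { Write-Host "The request succeeded without an authentication challenge."; return }

    # The WebException that carries the HTTP response is wrapped in the method invocation exception
    $resp = $ex.InnerException.Response
    Write-Host -NoNewLine "Response/authentication headers: "
    If ($resp) { Write-Host -ForegroundColor Cyan $resp.Headers["WWW-Authenticate"] }
    Else { Write-Host -ForegroundColor Cyan "(no HTTP response received)" }
    Write-Host -NoNewLine "Exception message: "
    Write-Host -ForegroundColor Cyan "$($ex)"
}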
To use it, execute the function with your Outlook Web Access URL as the -Url value. For example:
Test-MigrationEndpointAuthentication -Url owa.undocumented-features.com
The expected authentication header response is: Negotiate,NTLM,Basic
The expected exception response is: Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (401) Unauthorized." ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
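To check the returned header value programmatically instead of reading it by eye, the following added example (not part of the original post) parses a WWW-Authenticate value and reports whether Negotiate and NTLM are advertised. The function names, the sample header strings and the host mail.example.com are assumptions made for illustration, as is treating either scheme as sufficient.

```powershell
Function Get-AdvertisedAuthScheme([string]$HeaderValue)
{
    # Split on commas that are not inside double quotes (realm values may contain commas)
    $parts = [regex]::Split("$HeaderValue", ',(?=(?:[^"]*"[^"]*")*[^"]*$)')
    $schemes = foreach ($part in $parts) {
        $token = $part.Trim()
        if (-not $token) { continue }
        # A piece that starts with name=value is a parameter of the previous challenge
        if ($token -match '^[A-Za-z0-9_\-]+\s*=') { continue }
        # Otherwise the first word is the scheme name (e.g. "Basic" in 'Basic realm="x"')
        ($token -split '\s+')[0]
    }
    @($schemes | Select-Object -Unique)
}

Function Test-MigrationAuthHeader([string]$HeaderValue)
{
    $schemes = @(Get-AdvertisedAuthScheme $HeaderValue)
    $hasNegotiate = $schemes -icontains 'Negotiate'
    $hasNtlm      = $schemes -icontains 'NTLM'
    [pscustomobject]@{
        Schemes   = ($schemes -join ',')
        Negotiate = $hasNegotiate
        NTLM      = $hasNtlm
        # Assumption: either scheme counts as "NTLM/Negotiate available"
        WindowsAuthAvailable = ($hasNegotiate -or $hasNtlm)
        # Basic alone means credentials are only ever offered in reversible form
        BasicOnly = ($schemes.Count -gt 0 -and -not ($schemes | Where-Object { $_ -ine 'Basic' }))
    }
}

# Constructed sample header values, not captured from a real server
$samples = @(
    'Negotiate,NTLM,Basic',
    'Basic realm="mail.example.com", charset="UTF-8"',
    'Negotiate, NTLM, Basic realm="mail.example.com"',
    ''
)
$samples | ForEach-Object { Test-MigrationAuthHeader $_ } | Format-Table -AutoSize
```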

