O365 Hybrid Wizard – Hybrid Agent Fails to Validate

When running the Hybrid Configuration Wizard (HCW), the Hybrid Agent installs and registers without error but then fails the verification step that follows.

The HCW logs (found in %AppData%\Microsoft\Exchange Hybrid Configuration) show the following error:

*ERROR* 10349
2019.10.21 13:09:24.552 *ERROR* 10349 [Client=UX, Page=HybridConnectorInstall, Thread=20] The connection to the server '3e6c87b2-dcc8-4e4d-a51e-63dc1ae42acf.resource.mailboxmigration.his.msappproxy.net' could not be completed., The call to 'https://3e6c87b2-dcc8-4e4d-a51e-63dc1ae42acf.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request was forbidden with client authentication scheme 'Negotiate'. --> The remote server returned an error: (403) Forbidden.., The HTTP request was forbidden with client authentication scheme 'Negotiate'., The remote server returned an error: (403) Forbidden


And the Windows application log might show the following:

EventId 3002

Log Name: Application
Source: MsExchange BackEndRehydration
Date:
Event ID: 3002
Task Category: Requests
Level: Error
Keywords: Classic
User: N/A
Computer: <Computer Name>
Description:
Protocol /OAB failed to process request from identity NT AUTHORITY\SYSTEM. Exception: Microsoft.Exchange.Security.Authentication.BackendRehydrationException: Rehydration failed. Reason: Source server 'NT AUTHORITY\SYSTEM' does not have token serialization permission.
   at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.TryGetCommonAccessToken(HttpContext httpContext, Stopwatch stopwatch, CommonAccessToken& token)
   at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.ProcessRequest(HttpContext httpContext)
   at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.OnAuthenticateRequest(Object source, EventArgs args).


The HCW error is a 403 from the MRS proxy endpoint, which lives under the EWS virtual directory (/EWS/mrsproxy.svc), so first confirm that the EWS URLs are set correctly on every server:

Get-WebServicesVirtualDirectory | fl InternalUrl, ExternalURL

The application log event shows the underlying cause: the Exchange Servers group is missing the token serialization extended right on the server objects, so the back end refuses to rehydrate the front end's request. Run the following commands in the Exchange Management Shell to add the two extended rights (token serialization and impersonation) to both the Client Access and Mailbox server objects. Exchange setup grants these rights to the Exchange Servers group by default, so this restores the default ACL rather than widening it; because the rights let the holder present a serialized access token for any user to the back end, grant them only to that group and never to individual accounts:

Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "<domain>\Exchange Servers"

Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Impersonation" -User "<domain>\Exchange Servers"

Get-MailboxServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "<domain>\Exchange Servers"

Get-MailboxServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Impersonation" -User "<domain>\Exchange Servers"

Lastly, run iisreset from an elevated command prompt so the back-end rehydration module picks up the new permissions, then rerun the wizard. The agent should now verify correctly.
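The same fix as a single idempotent script, added here as an example and not part of the original post: it shows the EWS URLs and MRSProxy state the HCW depends on, checks which of the two extended rights the Exchange Servers group already holds on each server object, adds only the missing ones, and recycles IIS. The NetBIOS domain name "CONTOSO" is a placeholder, and the script assumes it runs in the Exchange Management Shell on an Exchange server as a member of Organization Management (iisreset needs local administrator rights).

```powershell
# Added example, not from the original post: check for, and only then add, the two
# extended rights the event log says are missing, then recycle IIS.
# Assumptions: "CONTOSO" is a placeholder for your NetBIOS domain name; run in the
# Exchange Management Shell as an Organization Management member on an Exchange server.

$domain  = "CONTOSO"                               # assumption: replace with your NetBIOS domain
$grantee = "$domain\Exchange Servers"
$rights  = @("ms-Exch-EPI-Token-Serialization", "ms-Exch-EPI-Impersonation")

# 1. The HCW error is a 403 from /EWS/mrsproxy.svc, so show the EWS URLs and the
#    MRSProxy state for every server before touching any ACL.
Get-WebServicesVirtualDirectory -ADPropertiesOnly |
    Format-List Server, InternalUrl, ExternalUrl, MRSProxyEnabled

# 2. Both the Client Access and Mailbox server objects carry the ACL the back end
#    checks, so collect both sets (on a multi-role server they are the same object).
$servers = @(Get-ClientAccessServer) + @(Get-MailboxServer) |
    Sort-Object -Property Name -Unique

foreach ($srv in $servers) {
    # Extended rights the group already holds on this object, as plain names.
    # Allow ACEs only: a matching Deny ACE must not count as "already granted".
    $held = $srv | Get-ADPermission -User $grantee -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" }

    foreach ($right in $rights) {
        if ($held -contains $right) {
            Write-Host "$($srv.Name): $grantee already holds $right"
            continue
        }
        Write-Host "$($srv.Name): granting $right to $grantee"
        $srv | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights $right -User $grantee |
            Out-Null
    }
}

# 3. Recycle IIS so the back-end rehydration module re-reads the permissions,
#    then rerun the Hybrid Configuration Wizard.
& iisreset.exe
```

Append -WhatIf to the Add-ADPermission call to see which ACEs would be added without changing anything. Granting only what is missing, and only to the Exchange Servers group, keeps the change auditable and avoids stacking duplicate ACEs on the server objects each time the script is rerun.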

With thanks to David Robinson of Kick ICT who provided me with this information

3 comments

  1. David says:

    Thank you! Worked for me.

  2. Stephan says:

    This worked, thank you

  3. Lars Juhl says:

    Thank you! Worked for me too, just ran the commands and iisreset.
