Can't use UPN credentials with New-MoveRequest?

We are running a hybrid setup (Exchange 2013 on-premises) with MRSproxy enabled and working. We want to archive users' mailboxes when they leave the company, so we want to migrate those mailboxes from Office 365 back to our on-premises server. I have been trying to write an offboarding script, but the cmdlet New-MoveRequest keeps failing with the following error:

The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed.
Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error:
(401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an
error: (401) Unauthorized.
    + CategoryInfo          : NotSpecified: (:) [New-MoveRequest], RemotePermanentException
    +9,Microsoft.Exchange.Management.Migration.MailboxReplication.MoveRequest.NewMoveRequest
    + PSComputerName        : outlook.office365.com

So I tested with Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer webmail.blah.com -Credentials $UserName<#> using the following 3 kinds of PSCredentials:

UserName1 : <domain>\<SamAccountName>

UserName2 : <SamAccountName>

UserName3 : <SamAccountName>@<domain> (UPN)

With UserName1 and UserName2 I get

RunspaceId         : 3966b356-0f49-46c3-9373-e914827fc6ed
Result             : Success
Message            :
ConnectionSettings : <ExchangeConnectionSettings HasAdminPrivilege="True" HasAutodiscovery="False" HasMrsProxy="True" AutodiscoverUrl="" IncomingEmailAddress="" IncomingRPCProxyServer="webmail.blah.ccom"
                     IncomingExchangeServer="webmail.blah.com" IncomingNSPIServer="" IncomingDomain="" IncomingUserName="UserName<#>" EncryptedIncomingPassword="something"
                     IncomingAuthentication="Basic" ServerVersion="" TargetDomainName="" SourceMailboxLegDn="" PublicFolderDatabaseServerLegacyDN="" IsPublicFolderMailboxesMigrationSource="False" />
SupportsCutover    : False
ErrorDetail        :
IsValid            : True
Identity           :
ObjectState        : New

With UserName3 I get:

RunspaceId         : 3966b356-0f49-46c3-9373-e914827fc6ed
Result             : Failed
Message            : The connection to the server 'webmail.blah.com' could not be completed.
ConnectionSettings :
SupportsCutover    : False
ErrorDetail        : Microsoft.Exchange.Migration.MigrationServerConnectionFailedException: The connection to the server 'webmail.blah.com' could not be completed. --->
                     Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check
                     the credentials and try again. The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The
                     authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client
                     authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized. --->
                     Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client
                     authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --->
                     Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from
                     the server was 'Negotiate,NTLM'. ---> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The remote server returned an error: (401) Unauthorized.
                        --- End of inner exception stack trace ---
                        --- End of inner exception stack trace ---
                        --- End of inner exception stack trace ---
                        at Microsoft.Exchange.MailboxReplicationService.MailboxReplicationServiceFault.<>c__DisplayClass97_0.<ReconstructAndThrow>b__0()
                        at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(Action operation)
                        at Microsoft.Exchange.MailboxReplicationService.MailboxReplicationServiceFault.ReconstructAndThrow(String serverName, VersionInformation serverVersion)
                        at Microsoft.Exchange.MailboxReplicationService.WcfClientWithFaultHandling`2.<>c__DisplayClass7_0.<CallService>b__0()
                        at Microsoft.Exchange.Net.WcfClientBase`1.CallService(Action serviceCall, String context)
                        at Microsoft.Exchange.MailboxReplicationService.WcfClientWithFaultHandling`2.CallService(Action serviceCall, String context)
                        at Microsoft.Exchange.Migration.MigrationExchangeProxyRpcClient.CanConnectToMrsProxy(Fqdn serverName, Guid mbxGuid, NetworkCredential credentials, LocalizedException& error)
                        --- End of inner exception stack trace ---
                        at Microsoft.Exchange.Migration.DataAccessLayer.ExchangeRemoteMoveEndpoint.VerifyConnectivity()
                        at Microsoft.Exchange.Management.Migration.MigrationService.Endpoint.TestMigrationServerAvailability.InternalProcessEndpoint(Boolean fromAutoDiscover)
IsValid            : True
Identity           :
ObjectState        : New

Looking at the TechNet articles for both New-MoveRequest and Test-MigrationServer, the Credentials/RemoteCredential parameters should accept a UPN username.

Is this an Exchange 2013 limitation? I can connect to the on-premises Exchange server over a Remote PSSession with the UPN username and import the cmdlets, so I don't understand why it doesn't work with Office 365 when New-MoveRequest and Test-MigrationServer are loaded from Office 365?

Answer 1

This is probably just how the cmdlet is implemented and how it negotiates the connection. Your endpoint is configured for Negotiate, so the client and server are supposed to decide between Kerberos and NTLM. In your failed attempt it did not correctly detect either one and tried to fall back to Basic authentication, which your server is not configured to support.

NTLM does not support the UPN format, and you don't have a Kerberos ticket, so that is probably the cause. You usually don't run into this on Windows clients/servers because most applications seem to reformat the username request. But if your samAccountName and UPN prefix differ, the credentials will not match.

I would make sure your samAccountName and UPN prefix match on the account. If they don't match, or it still fails, you should be able to enable Basic authentication on EWS. That should let the client fall back to it and have it accepted on the server side. Since this is an O365 connection I think we can safely assume you are already using HTTPS, which is of course critical if you use Basic authentication, because the credentials are sent in plain text.
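As an added example (not part of the question or this answer), here is a PowerShell script that turns the advice above into a repeatable offboarding step: it looks the admin account up by UPN, warns when the UPN prefix and sAMAccountName differ, builds the credential in the DOMAIN\sAMAccountName form that worked as UserName1 in the question, runs Test-MigrationServerAvailability against the MRS proxy, and only submits New-MoveRequest when that probe returns Success. It assumes the ActiveDirectory module is available locally and that an Exchange Online remote session has already been imported; the admin UPN, target database and target delivery domain are placeholders, and only the MRS proxy host name comes from the question.

```powershell
# Added example, not code from the question or the answer.
# Assumptions: ActiveDirectory module installed locally, Exchange Online session
# already imported, placeholder values below replaced with real ones.
param(
    [Parameter(Mandatory)] [string] $MailboxIdentity,                # mailbox to move back on-premises
    [string] $AdminUpn             = 'admin@corp.example',           # placeholder on-prem admin UPN
    [string] $MrsProxyHost         = 'webmail.blah.com',             # MRS proxy host from the question
    [string] $RemoteTargetDatabase = 'DB01',                         # placeholder on-prem mailbox database
    [string] $TargetDeliveryDomain = 'corp.example'                  # placeholder on-prem delivery domain
)

Import-Module ActiveDirectory

# Find the admin account by UPN and compare the UPN prefix with sAMAccountName.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$AdminUpn'" -Properties SamAccountName, UserPrincipalName
if (-not $adUser) { throw "No AD account found with UPN $AdminUpn" }

$upnPrefix = $AdminUpn.Split('@')[0]
if ($upnPrefix -ne $adUser.SamAccountName) {
    # This is the mismatch the answer describes: NTLM authenticates the sAMAccountName, not the UPN.
    Write-Warning "UPN prefix '$upnPrefix' differs from sAMAccountName '$($adUser.SamAccountName)'; using the sAMAccountName form."
}

# Build the credential as DOMAIN\sAMAccountName (UserName1 in the question), which NTLM accepts.
$netbios  = (Get-ADDomain).NetBIOSName
$userName = "$netbios\$($adUser.SamAccountName)"
$password = Read-Host -Prompt "Password for $userName" -AsSecureString
$cred     = New-Object System.Management.Automation.PSCredential ($userName, $password)

# Probe the MRS proxy with the same cmdlet the question used before touching any mailbox.
$probe = Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $MrsProxyHost -Credentials $cred
if ($probe.Result -ne 'Success') {
    throw "MRS proxy check failed for $userName : $($probe.Message)`n$($probe.ErrorDetail)"
}

# Offboarding move (Exchange Online -> on-premises), submitted from the Exchange Online session.
New-MoveRequest -Identity $MailboxIdentity -Outbound `
    -RemoteTargetDatabase $RemoteTargetDatabase `
    -RemoteHostName $MrsProxyHost `
    -RemoteCredential $cred `
    -TargetDeliveryDomain $TargetDeliveryDomain
```

Running the connectivity probe first means a credential-format or authentication problem surfaces as a clear failure before any move request is queued, rather than as a RemotePermanentException buried in the output of New-MoveRequest.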
