powershell – Can't UPN credentials be used with New-MoveRequest?

We are running a hybrid setup (Exchange 2013 on-prem) and the MRS proxy is enabled and working. We want to archive users' mailboxes when they leave the company, so we want to migrate those mailboxes from Office 365 back to our on-premises server. I have been trying to write an off-boarding script, and the New-MoveRequest cmdlet keeps throwing the following error:
The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed.
Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error:
(401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an
error: (401) Unauthorized.
    + CategoryInfo          : NotSpecified: (:) [New-MoveRequest], RemotePermanentException
    + FullyQualifiedErrorId : ...9,Microsoft.Exchange.Management.Migration.MailboxReplication.MoveRequest.NewMoveRequest
    + PSComputerName        : outlook.office365.com

So I tested Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer webmail.blah.com -Credentials $UserName<#> with the following 3 kinds of PSCredential:

UserName1 : <domain>\<SamAccountName>

UserName2 : <SamAccountName>

UserName3 : <SamAccountName>@<domain> (UPN)

With UserName1 and UserName2 I get:

RunspaceId         : 3966b356-0f49-46c3-9373-e914827fc6ed
Result             : Success
Message            :
ConnectionSettings : <ExchangeConnectionSettings HasAdminPrivilege="True" HasAutodiscovery="False" HasMrsProxy="True" AutodiscoverUrl="" IncomingEmailAddress="" IncomingRPCProxyServer="webmail.blah.ccom"
                     IncomingExchangeServer="webmail.blah.com" IncomingNSPIServer="" IncomingDomain="" IncomingUserName="UserName<#>" EncryptedIncomingPassword="something"
                     IncomingAuthentication="Basic" ServerVersion="" TargetDomainName="" SourceMailboxLegDn="" PublicFolderDatabaseServerLegacyDN="" IsPublicFolderMailboxesMigrationSource="False" />
SupportsCutover    : False
ErrorDetail        :
IsValid            : True
Identity           :
ObjectState        : New

But with UserName3 I get:

RunspaceId         : 3966b356-0f49-46c3-9373-e914827fc6ed
Result             : Failed
Message            : The connection to the server 'webmail.blah.com' could not be completed.
ConnectionSettings :
SupportsCutover    : False
ErrorDetail        : Microsoft.Exchange.Migration.MigrationServerConnectionFailedException: The connection to the server 'webmail.blah.com' could not be completed. --->
                     Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check
                     the credentials and try again. The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The
                     authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client
                     authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized. --->
                     Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client
                     authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --->
                     Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from
                     the server was 'Negotiate,NTLM'. ---> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The remote server returned an error: (401) Unauthorized.
                        --- End of inner exception stack trace ---
                        --- End of inner exception stack trace ---
                        --- End of inner exception stack trace ---
                        at Microsoft.Exchange.MailboxReplicationService.MailboxReplicationServiceFault.<>c__DisplayClass97_0.<ReconstructAndThrow>b__0()
                        at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(Action operation)
                        at Microsoft.Exchange.MailboxReplicationService.MailboxReplicationServiceFault.ReconstructAndThrow(String serverName, VersionInformation serverVersion)
                        at Microsoft.Exchange.MailboxReplicationService.WcfClientWithFaultHandling`2.<>c__DisplayClass7_0.<CallService>b__0()
                        at Microsoft.Exchange.Net.WcfClientBase`1.CallService(Action serviceCall, String context)
                        at Microsoft.Exchange.MailboxReplicationService.WcfClientWithFaultHandling`2.CallService(Action serviceCall, String context)
                        at Microsoft.Exchange.Migration.MigrationExchangeProxyRpcClient.CanConnectToMrsProxy(Fqdn serverName, Guid mbxGuid, NetworkCredential credentials, LocalizedException& error)
                        --- End of inner exception stack trace ---
                        at Microsoft.Exchange.Migration.DataAccessLayer.ExchangeRemoteMoveEndpoint.VerifyConnectivity()
                        at Microsoft.Exchange.Management.Migration.MigrationService.Endpoint.TestMigrationServerAvailability.InternalProcessEndpoint(Boolean fromAutodiscover)
IsValid            : True
Identity           :
ObjectState        : New

Looking at the TechNet articles for New-MoveRequest and Test-MigrationServerAvailability, the Credentials / RemoteCredential parameters should accept a UPN username.

Is this a limitation of Exchange 2013? I can open a remote PSSession to the on-premises Exchange server with a UPN username and import the cmdlets, so I don't understand why it doesn't work for New-MoveRequest and Test-MigrationServerAvailability when they are loaded from Office 365.

It may simply be how the cmdlet is implemented and how it negotiates the connection. Your endpoint is configured for Negotiate, so the client and server are supposed to decide between Kerberos and NTLM. In your failed attempt it did not detect this correctly and tried to fall back to Basic authentication, which your server is not configured to support.

NTLM does not support the UPN format, and you don't have a Kerberos ticket, so that is probably the cause. You usually don't run into this on Windows clients/servers because most applications appear to reformat the username in the request. However, if your samAccountName and UPN prefix differ, the credentials will not match.

I would make sure the samAccountName and UPN prefix match for the account. If they don't, or it still fails, you should be able to enable Basic authentication on EWS. That should allow the client to fall back and be accepted on the server side. Since this is an O365 connection I think we can safely assume you are already using HTTPS, which is of course essential if you use Basic Auth, as the credentials are sent in plain text.
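One way to script the answer's advice, as an added example that is not part of the original question or answer: normalize whatever credential the operator supplies into DOMAIN\SamAccountName form (the form that worked as UserName1 above), warn when the UPN prefix and samAccountName differ, and inspect the EWS virtual directory's authentication settings and URL scheme before deciding whether enabling Basic authentication is acceptable. It assumes the RSAT ActiveDirectory module is available where it runs and that Get-WebServicesVirtualDirectory is called inside a remote session to the on-prem Exchange server; the server name, database name and delivery domain are placeholders, not values from the thread.

```powershell
# Added example, not code from the original post.
# Assumes: RSAT ActiveDirectory module; Exchange cmdlets imported from a remote
# session to the on-prem server (Get-WebServicesVirtualDirectory) and from
# Exchange Online (Test-MigrationServerAvailability, New-MoveRequest).

function ConvertTo-DomainCredential {
    # Rebuilds a UPN-style credential as NETBIOSDOMAIN\SamAccountName so that the
    # NTLM leg of Negotiate, which matches on samAccountName, can succeed.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [pscredential] $Credential)

    $name = $Credential.UserName
    if ($name -notmatch '@') { return $Credential }          # already DOMAIN\sam or bare sam
    if ($name -match "'")    { throw "Unexpected quote in user name '$name'" }

    $user = Get-ADUser -Filter "UserPrincipalName -eq '$name'" -Properties SamAccountName
    if (-not $user) { throw "No AD account with UPN '$name'" }

    $prefix = $name.Split('@')[0]
    if ($prefix -ne $user.SamAccountName) {
        # This is the mismatch the answer describes: the UPN form cannot match under NTLM.
        Write-Warning ("UPN prefix '{0}' differs from samAccountName '{1}'" -f $prefix, $user.SamAccountName)
    }
    $netbios = (Get-ADDomain).NetBIOSName
    return [pscredential]::new("$netbios\$($user.SamAccountName)", $Credential.Password)
}

function Get-EwsAuthSummary {
    # Shows what EWS currently negotiates and whether its external URL is HTTPS,
    # which is the precondition the answer gives for turning on Basic auth.
    param([Parameter(Mandatory)] [string] $Server)

    Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object {
        [pscustomobject]@{
            Server                = $_.Server
            ExternalUrl           = $_.ExternalUrl
            ExternalUrlIsHttps    = ($_.ExternalUrl -and $_.ExternalUrl.Scheme -eq 'https')
            MRSProxyEnabled       = $_.MRSProxyEnabled
            WindowsAuthentication = $_.WindowsAuthentication   # Negotiate/NTLM
            BasicAuthentication   = $_.BasicAuthentication
        }
    }
}

# --- usage (placeholder names) ---
$remoteHost = 'webmail.blah.com'                          # on-prem MRS proxy host
$cred = ConvertTo-DomainCredential -Credential (Get-Credential -Message 'On-prem admin (UPN or DOMAIN\sam)')

Get-EwsAuthSummary -Server 'EX01' | Format-List           # placeholder server name

$probe = Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $remoteHost -Credentials $cred
if ($probe.Result -ne 'Success') {
    throw "MRS proxy check failed: $($probe.Message)"
}

# Off-boarding move back to on-prem; database and delivery domain are placeholders.
New-MoveRequest -Identity 'leaver@blah.com' -Outbound `
    -RemoteTargetDatabase 'DB01' -RemoteHostName $remoteHost `
    -RemoteCredential $cred -TargetDeliveryDomain 'blah.mail.onmicrosoft.com'
```

Running the connectivity probe first and aborting on anything but `Success` keeps the off-boarding script from queuing a move request that will fail with the 401 shown above; the EWS summary makes the Basic-authentication decision explicit rather than flipping the setting blind.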
