Hybrid Configuration Error: CommunicationErrorTransientException - Unauthorized with 'Negotiate' Scheme

Atharva Swamy 20 Reputation points
2025-05-06T23:21:46.5166667+00:00

Hi Team,

We are experiencing an issue during our hybrid Exchange configuration. The user is syncing from on-prem to Entra ID; however, when we start the mailbox migration, this error occurs.

Error: CommunicationErrorTransientException: The call to 'https://***/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM, Basic realm="****"'.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM, Basic realm=""'.

We’ve verified that:

  • MRS Proxy is enabled on the on-prem Exchange EWS virtual directory.
  • Hybrid server is internet-accessible and certificate-bound correctly.
  • Credentials used have the required permissions.

Has anyone encountered a similar issue or have guidance on resolving this authentication problem?

Any help is appreciated. Thanks in advance!

Exchange | Hybrid management

Answer accepted by question author
  1. Anonymous
    2025-05-07T02:29:58.6366667+00:00

    Hi Atharva Swamy,

    Thank you for posting your question in the Microsoft Q&A forum.

    Please understand that our forum is a public platform, and we will modify your question to hide your organization's domain name in the description. Please remember to hide such personal or organizational information the next time you post an error or other information, to protect personal data.

    For your issue, here are some suggestions for you:

    1. Do you have multiple Exchange servers?

    If you also use a load balancer, please make sure that all Exchange servers behind the load balancer have no network limitation on communicating with M365 services.

    You can check this article and confirm that requests from all Exchange Online IP ranges and domain names are not blocked on the on-prem side:

    Microsoft 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn

    2. Use the following command to check and confirm that Integrated Windows authentication and MRSProxy are enabled for the EWS virtual directory on all Exchange servers, and that all URLs are set properly:

    Get-WebServicesVirtualDirectory | Format-List Identity,*auth*,MRSProxyEnabled,*url*

    3. Have you installed, and are you using, Exchange 2019 CU14 or a later version?

    Starting with Exchange 2019 CU14, the Windows Extended Protection (EP) feature on the Exchange server is enabled by default. There are some prerequisites and unsupported scenarios for EP.

    We could disable EP manually if you are using Exchange 2019 CU14 or CU15.

    .\ExchangeExtendedProtectionManagement.ps1 -DisableExtendedProtection

    Then try to reset IIS on all your Exchange servers.

    iisreset

    For more information about Extended protection and the script to disable EP, please check:

    Exchange Server support for Windows Extended Protection | Microsoft Learn

    ExchangeExtendedProtectionManagement - Microsoft - CSS-Exchange


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
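
The three checks from the accepted answer, combined into one pass, as an added example that is not part of the answer or of Microsoft's scripts. It assumes the Exchange Management Shell on an on-premises server and that the CSS-Exchange script named in the answer sits in the current directory; the variable names are illustrative.

```powershell
# Added example; run in the Exchange Management Shell on-premises.
# Step 2 of the answer: collect the EWS settings of every server in one table.
$ews = Get-WebServicesVirtualDirectory | ForEach-Object {
    [pscustomobject]@{
        Server          = "$($_.Server)"
        WindowsAuth     = [bool]$_.WindowsAuthentication
        MRSProxyEnabled = [bool]$_.MRSProxyEnabled
        InternalUrl     = "$($_.InternalUrl)"
        ExternalUrl     = "$($_.ExternalUrl)"
    }
}
$ews | Format-Table -AutoSize

# Servers that cannot answer /EWS/mrsproxy.svc with Negotiate or NTLM.
$bad = @($ews | Where-Object { -not ($_.WindowsAuth -and $_.MRSProxyEnabled) })
if ($bad.Count -gt 0) {
    Write-Warning "Windows authentication or MRSProxy is off on: $($bad.Server -join ', ')"
}

# Step 1: behind a load balancer, every server should answer the same way.
# A differing ExternalUrl can be intentional in a multi-site design; review it.
foreach ($prop in 'WindowsAuth', 'MRSProxyEnabled', 'ExternalUrl') {
    $distinct = @($ews.$prop | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "$prop differs between servers: $($distinct -join ' | ')"
    }
}

# Step 3: record the current Extended Protection state before changing it.
# Assumption: ExchangeExtendedProtectionManagement.ps1 is in the current directory.
.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection
```

Saving the `-ShowExtendedProtection` output gives a baseline to compare against if Extended Protection is later disabled and re-enabled.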


2 additional answers

  1. Atharva Swamy 20 Reputation points
    2025-05-07T02:36:29.0266667+00:00

    We are running Exchange 2016, and have 2 servers.

  2. Denis Ceriolo 5 Reputation points
    2025-10-30T14:24:22.8766667+00:00

    I have the same issue.

    1 server standalone Exchange 2016 CU23 15.1.2507.61. Credentials rights of global admin and domain admin (and all other rights for exchange ofc).

    Error: CommunicationErrorTransientException: The call to https://outlook.xxxxxx.com/EWS/mrsproxy.svc failed. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM'. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM'.

    And I find the same issue in a different environment with another Exchange 2019.

    Since about August.
