Can't use UPN credentials in New-MoveRequest?

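We are in a hybrid setup (Exchange 2013 on-prem), and MRSProxy is enabled and working. We want to archive users' mailboxes when they leave the company, so we want to migrate those mailboxes from Office 365 back to our on-premises server. I have been trying to create a leaver script, and the New-MoveRequest cmdlet keeps giving the following error: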

    The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.
    --> The remote server returned an error: (401) Unauthorized..
    --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.
    --> The remote server returned an error: (401) Unauthorized.
        + CategoryInfo          : NotSpecified: (:) [New-MoveRequest], RemotePermanentException
        +9,Microsoft.Exchange.Management.Migration.MailboxReplication.MoveRequest.NewMoveRequest
        + PSComputerName        : outlook.office365.com

So I tested Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer webmail.blah.com -Credentials $UserName<#> with the following 3 PSCredentials:

    UserName1 : <domain>\<SamAccountName>
    UserName2 : <SamAccountName>
    UserName3 : <SamAccountName>@<domain> (UPN)

With UserName1 and UserName2 I get:

    RunspaceId         : 3966b356-0f49-46c3-9373-e914827fc6ed
    Result             : Success
    Message            :
    ConnectionSettings : <ExchangeConnectionSettings HasAdminPrivilege="True" HasAutodiscovery="False" HasMrsProxy="True"
                         AutodiscoverUrl="" IncomingEmailAddress="" IncomingRPCProxyServer="webmail.blah.ccom"
                         IncomingExchangeServer="webmail.blah.com" IncomingNSPIServer="" IncomingDomain=""
                         IncomingUserName="UserName<#>" EncryptedIncomingPassword="something" IncomingAuthentication="Basic"
                         ServerVersion="" TargetDomainName="" SourceMailboxLegDn="" PublicFolderDatabaseServerLegacyDN=""
                         IsPublicFolderMailboxesMigrationSource="False" />
    SupportsCutover    : False
    ErrorDetail        :
    IsValid            : True
    Identity           :
    ObjectState        : New

But with UserName3 I get:

    RunspaceId         : 3966b356-0f49-46c3-9373-e914827fc6ed
    Result             : Failed
    Message            : The connection to the server 'webmail.blah.com' could not be completed.
    ConnectionSettings :
    SupportsCutover    : False
    ErrorDetail        : Microsoft.Exchange.Migration.MigrationServerConnectionFailedException: The connection to the server 'webmail.blah.com' could not be completed.
      ---> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.
      ---> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The call to 'https://webmail.blah.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized..
      ---> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.
      ---> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The remote server returned an error: (401) Unauthorized.
       --- End of inner exception stack trace ---
       --- End of inner exception stack trace ---
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.MailboxReplicationService.MailboxReplicationServiceFault.<>c__DisplayClass97_0.<ReconstructAndThrow>b__0()
       at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(Action operation)
       at Microsoft.Exchange.MailboxReplicationService.MailboxReplicationServiceFault.ReconstructAndThrow(String serverName, VersionInformation serverVersion)
       at Microsoft.Exchange.MailboxReplicationService.WcfClientWithFaultHandling`2.<>c__DisplayClass7_0.<CallService>b__0()
       at Microsoft.Exchange.Net.WcfClientBase`1.CallService(Action serviceCall, String context)
       at Microsoft.Exchange.MailboxReplicationService.WcfClientWithFaultHandling`2.CallService(Action serviceCall, String context)
       at Microsoft.Exchange.Migration.MigrationExchangeProxyRpcClient.CanConnectToMrsProxy(Fqdn serverName, Guid mbxGuid, NetworkCredential credentials, LocalizedException& error)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Migration.DataAccessLayer.ExchangeRemoteMoveEndpoint.VerifyConnectivity()
       at Microsoft.Exchange.Management.Migration.MigrationService.Endpoint.TestMigrationServerAvailability.InternalProcessEndpoint(Boolean fromAutoDiscover)
    IsValid            : True
    Identity           :
    ObjectState        : New

Looking at the TechNet articles for New-MoveRequest and Test-MigrationServer, the Credentials/RemoteCredential parameters should accept UPN usernames.

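Is this a limitation of Exchange 2013? I can Remote-PSSession to the on-premises Exchange server using the UPN username and import the cmdlets, so I'm lost as to why it doesn't work with New-MoveRequest and Test-MigrationServer loaded from Office 365?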

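It may just be the implementation of the cmdlet and how it negotiates the connection. Your endpoint is configured for Negotiate, so the client and server should decide whether to use Kerberos or NTLM. In the failed attempt, it did not detect this correctly and tried to fall back to Basic authentication, which your server is not configured to support.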

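NTLM does not support the UPN format, and you don't have a Kerberos ticket, so that is probably the cause. You don't usually run into this often with Windows clients/servers, because most applications seem to reformat the username in the request. However, if your samAccountName and UPN prefix are different, the credentials won't match.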

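I would make sure that your samAccountName and UPN prefix match on the account. If they don't, or if it still fails, you should be able to enable Basic authentication on EWS. That should allow the client to fall back and have it accepted on the server side. Since this is an O365 connection, I think we can safely assume you are already using HTTPS, which is of course critical if you use Basic authentication, as the credentials are sent in plain text.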
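
One way to run the checks suggested in the answer above, as an added example that is not part of the original posts. The account name `migration-admin`, the `BLAH` NetBIOS domain and the `blah.com` UPN suffix are placeholders; only `webmail.blah.com` comes from the question.

```powershell
# --- Part 1: on-premises Exchange Management Shell (needs the ActiveDirectory module) ---
Import-Module ActiveDirectory

$account = 'migration-admin'   # placeholder sAMAccountName of the account used for the move

# Compare sAMAccountName with the part of the UPN before '@'
$user      = Get-ADUser -Identity $account -Properties UserPrincipalName
$upnPrefix = ($user.UserPrincipalName -split '@')[0]

if ($user.SamAccountName -ieq $upnPrefix) {
    Write-Output "OK: sAMAccountName and UPN prefix match ($upnPrefix)"
} else {
    Write-Warning "Mismatch: sAMAccountName '$($user.SamAccountName)' vs UPN prefix '$upnPrefix'"
}

# Show MRS Proxy state and the authentication methods on every EWS virtual directory
Get-WebServicesVirtualDirectory |
    Select-Object Server, MRSProxyEnabled, BasicAuthentication, WindowsAuthentication, ExternalUrl

# Preview enabling Basic only where MRS Proxy is on and the published URL is HTTPS,
# because Basic authentication relies entirely on TLS to protect the password.
Get-WebServicesVirtualDirectory |
    Where-Object { $_.MRSProxyEnabled -and -not $_.BasicAuthentication -and
                   "$($_.ExternalUrl)" -like 'https://*' } |
    Set-WebServicesVirtualDirectory -BasicAuthentication $true -WhatIf   # drop -WhatIf to apply

# --- Part 2: Exchange Online remote session ---
# Re-run the endpoint test with each username format from the question.
$password = Read-Host -AsSecureString 'Password for the migration account'
$formats  = 'BLAH\migration-admin', 'migration-admin', 'migration-admin@blah.com'   # placeholders

foreach ($name in $formats) {
    $cred   = New-Object System.Management.Automation.PSCredential ($name, $password)
    $result = Test-MigrationServerAvailability -ExchangeRemoteMove `
                  -RemoteServer webmail.blah.com -Credentials $cred
    '{0,-28} {1}' -f $name, $result.Result
}
```

If the UPN form still fails after Basic is enabled and the names match, the `ErrorDetail` property of `$result` holds the inner 401 chain shown in the question.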