Troubleshooting the "403 Forbidden" Error During Exchange Hybrid Mailbox Migrations

Managing a hybrid Exchange environment comes with its challenges, and one common hurdle is encountering the "Remote Server Returned an Error (403) Forbidden" message when moving mailboxes to Exchange Online. This error typically stems from issues with the Mailbox Replication Proxy (MRS Proxy) service. Below, we’ll explore the symptoms, root causes, and step-by-step solutions to resolve this migration roadblock.

Symptoms of the Issue

When attempting to migrate mailboxes from on-premises Exchange Server to Exchange Online, you may encounter one of these errors:

  • In the Exchange Admin Center (EAC):

"The connection to the server 'mail.<DomainName>.com' could not be completed."

  • In Exchange Online PowerShell:

"The call to 'https://mail.<DomainName>.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request was forbidden with client authentication scheme 'Negotiate'. The remote server returned an error: (403) Forbidden."

Understanding the Cause

This error typically occurs because the MRS Proxy service, which lives in the EWS (Exchange Web Services) virtual directory on your on-premises Exchange server, is not enabled. This can manifest in two ways:

  1. Explicitly Disabled: The Get-WebServicesVirtualDirectory cmdlet shows the MRSProxyEnabled property as False.
  2. Functionally Disabled: Although the cmdlet output shows MRSProxyEnabled : True, the Application log in the Event Viewer contains Event ID 1309, with a message indicating "MRS proxy service is disabled."
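
To tell which of the two cases applies before choosing a fix, the check below reads both signals together. It is an added example, not part of the original post; the function name Get-MrsProxyState and the 24-hour lookback are assumptions, and it is meant to run in the Exchange Management Shell on the on-premises server.

```powershell
# Added example: classify the MRS Proxy state of each EWS virtual directory.
# Get-MrsProxyState and the default 24-hour lookback are assumptions of this example.
function Get-MrsProxyState {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [int]$LookbackHours = 24
    )

    # Event ID 1309 entries in the Application log that carry the MRS Proxy message.
    $filter = @{
        LogName   = 'Application'
        Id        = 1309
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent raises an error when nothing matches, so suppress it and
    # force an array so that .Count is always valid.
    $events = @(Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MRS proxy service is disabled' })

    foreach ($vdir in Get-WebServicesVirtualDirectory -Server $Server) {
        if (-not $vdir.MRSProxyEnabled) {
            $state = 'ExplicitlyDisabled'      # configuration says False
        } elseif ($events.Count -gt 0) {
            $state = 'FunctionallyDisabled'    # configuration says True, log disagrees
        } else {
            $state = 'Enabled'
        }

        [pscustomobject]@{
            Identity        = $vdir.Identity
            MRSProxyEnabled = $vdir.MRSProxyEnabled
            Event1309Count  = $events.Count
            LastEvent1309   = ($events | Select-Object -First 1).TimeCreated  # newest first
            State           = $state
        }
    }
}

Get-MrsProxyState | Format-List
```

Events logged before a re-enable and iisreset still fall inside the lookback window, so pass a shorter -LookbackHours value when rechecking after a fix.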

Resolving the Error

Here are two methods to address the disabled MRS Proxy service:

Method 1: Enable MRSProxy

This is the most direct approach if the service is explicitly disabled.

  1. Open the Exchange Management Shell on your on-premises Exchange server.
  2. Execute the following command to enable the MRS Proxy:
    Set-WebServicesVirtualDirectory "<ServerName>\EWS (Default Web Site)" -MRSProxyEnabled $true
    
    (Replace <ServerName> with the actual name of your Exchange server.)
  3. Restart Internet Information Services (IIS) to apply the change by running the command:
    iisreset
    

Method 2: Disable and Re-enable MRSProxy

This method can be helpful if the MRS Proxy appears enabled in the configuration but is not functioning correctly.

  1. Open the Exchange Management Shell.
  2. Run the following command to disable the MRS Proxy:
    Set-WebServicesVirtualDirectory "<ServerName>\EWS (Default Web Site)" -MRSProxyEnabled $false
    
  3. Wait for a few minutes.
  4. Now, re-enable the MRS Proxy using the command:
    Set-WebServicesVirtualDirectory "<ServerName>\EWS (Default Web Site)" -MRSProxyEnabled $true
    
    (Again, replace <ServerName> with your server name.)
  5. Restart Internet Information Services (IIS) by running:
    iisreset
    

In Conclusion

The 403 Forbidden error during mailbox migrations is typically a quick fix—just ensure MRS Proxy is enabled and IIS is restarted to apply changes. If you’ve encountered this issue and found alternative solutions, share your experience in the comments to help others!

For more details: Enable the MRS Proxy Endpoint for Remote Moves

  
