United States | A Hybrid Discussion: Part 1 – Comparing Hybrid DAuth and Hybrid OAuth

Jay Bleau - 29.03.2023

A Hybrid Discussion: Part 1 – Comparing Hybrid DAuth and Hybrid OAuth


I recently had a customer contact me with an issue while running the hybrid configuration wizard (HCW) in their Exchange on-premises environment. When the HCW completed, it completed with the following error: 


I don’t know about you, but I don’t enjoy it when something states that it has completed but with an error.

The “learn more” link in the error takes you to this article:

https://learn.microsoft.com/en-US/exchange/troubleshoot/hybrid-configuration-wizard-errors/hcw-has-completed-but-was-not-able-to-perform-oauth

The first step in that article is to rerun the HCW to see whether that enables OAuth. If that does not work, you’ll be directed to the next article, which covers configuring OAuth manually:

https://learn.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help

If you do encounter the HCW8064 error, I would recommend reviewing the steps from the article to resolve it, as the article is pretty thorough in providing the steps for resolution.

OAUTH vs DAUTH

Let’s understand what OAuth is as well as the legacy DAuth mentioned in the title of this blog. 

  • OAuth – Open Authorization – a protocol that enables delegated access to a user’s data. OAuth does not require shared user logins.
  • DAuth – Microsoft defines DAuth as follows: 

“Delegated authentication occurs when a network service accepts a request from a user and can obtain a token to act on behalf of that user to initiate a new connection to a second network service.”

A Brief History 

Starting with Exchange 2010, Microsoft equipped Exchange with the Azure Auth Service. Simply put, the Azure Auth Service is a service that allows your Exchange on-premises organization to establish a federation trust with Exchange Online. When running the HCW, it uses the Azure Auth Service to establish federation between Exchange Online and Exchange on-premises. Azure Auth Service uses token signing to verify each connection. 

When configuring your firewall to allow the Exchange federation to work, make sure that TCP 443 is open and that the Autodiscover and EWS endpoints are accessible from Exchange Online to Exchange on-premises. This is how Microsoft communicates back to your Exchange on-premises environment, for example when trying to complete a free/busy request.

However, Microsoft admits that the original method of establishing the connection via delegated authentication was highly customized and that, because Windows Communication Foundation (WCF) was losing favor, it was time for them to go to a more open standard. Enter OAuth.

Microsoft decided to use OAuth for Exchange federation, but only when federating with Exchange Online. If you have Exchange-to-Exchange federation with another organization, that is actually using DAuth.
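
To see which of the two paths an on-premises organization is actually configured for after an HCW8064 result, the following is an added example, not part of the original post or of Microsoft's article. It assumes the on-premises Exchange Management Shell (Exchange 2013 or later); the mailbox address is a placeholder.

```powershell
# Added example. Run in the on-premises Exchange Management Shell.
param(
    # Placeholder (assumption): replace with a real on-premises mailbox.
    [string]$Mailbox   = 'user@contoso.com',
    # Exchange Online EWS endpoint used as the OAuth test target.
    [string]$TargetUri = 'https://outlook.office365.com/ews/exchange.asmx'
)

# OAuth side: enabled IntraOrganization Connectors and authorization servers.
$ioc         = @(Get-IntraOrganizationConnector | Where-Object { $_.Enabled })
$authServers = @(Get-AuthServer | Where-Object { $_.Enabled })

# DAuth side: the federation trust and enabled organization relationships.
$trust  = @(Get-FederationTrust)
$orgRel = @(Get-OrganizationRelationship | Where-Object { $_.Enabled })

"OAuth: $($ioc.Count) connector(s), $($authServers.Count) auth server(s)"
"DAuth: $($trust.Count) federation trust(s), $($orgRel.Count) relationship(s)"

foreach ($c in $ioc) {
    '[OAuth] {0} -> {1} via {2}' -f $c.Name,
        ($c.TargetAddressDomains -join ', '), $c.DiscoveryEndpoint
}
foreach ($r in $orgRel) {
    '[DAuth] {0} -> {1} (free/busy enabled: {2})' -f $r.Name,
        ($r.DomainNames -join ', '), $r.FreeBusyAccessEnabled
}

# Domains that appear only on an organization relationship have no OAuth
# connector, so requests to them rely on the DAuth federation trust.
$oauthDomains = @($ioc | ForEach-Object { $_.TargetAddressDomains } | ForEach-Object { "$_" })
$dauthOnly = @($orgRel | ForEach-Object { $_.DomainNames } | ForEach-Object { "$_" } |
    Where-Object { $oauthDomains -notcontains $_ })
if ($dauthOnly.Count -gt 0) { "DAuth-only domains: $($dauthOnly -join ', ')" }

# End-to-end check: request a token and call Exchange Online EWS with it.
if ($ioc.Count -gt 0) {
    $result = Test-OAuthConnectivity -Service EWS -TargetUri $TargetUri -Mailbox $Mailbox
    "Test-OAuthConnectivity: $($result.ResultType)"
    if ("$($result.ResultType)" -ne 'Success') { $result | Format-List Task, Detail }
} else {
    'No enabled IntraOrganization Connector found; OAuth is not configured.'
}
```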

Up Next

In the next installment of our Exchange hybrid series, we will delve into the IntraOrganization Connector and OAuth 2.0. Need help planning and deploying your hybrid environment? Contact Insentra today for expert assistance.
