Hybrid Configuration Wizard

%3CLINGO-SUB%20id%3D%22lingo-sub-1405215%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Configuration%20Wizard%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1405215%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F673943%22%20target%3D%22_blank%22%3E%40JonahIJ%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20as%20per%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fhybrid-deployment%2Fdeploy-hybrid%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fhybrid-deployment%2Fdeploy-hybrid%3C%2FA%3E%2C%20your%20on-premises%20account%20needs%20to%20have%20Enterprise%20Admin%20permissions%20assigned%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1405225%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Configuration%20Wizard%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1405225%22%20slang%3D%22en-US%22%3ESorry%2C%20yes%20the%20account%20is%20also%20a%20member%20of%20the%20Enterprise%20Admins%20-%20I'll%20edit%20the%20OP%20accordingly.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1405150%22%20slang%3D%22en-US%22%3EHybrid%20Configuration%20Wizard%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1405150%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDesperately%20hoping%20someone%20can%20help%20as%20I'm%20tearing%20my%20hear%20out%20with%20this!%20We%20have%20a%20seemingly%20very%20odd%20issue%20when%20trying%20to%20run%20the%20Office%20365%20Hybrid%20Configuration%20Wizard...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20fires%20up%20fine%2C%20finds%20the%20appropriate%20Exchange%20server%20and%20then%20gets%20to%20the%20credential%20page%20for%20the%20Exchange%20box%20and%20Office%20365%2C%20and%20this%20is%20where%20the%20fun%20starts.%26nbsp%3B%20Office%20365%20credentials%20work%20and%20connect%20fine%2C%20no%20problem.%26nbsp%3B%20But%20regardless%20of%20what%20we%20put%20in%20for%20the%20%22on-premises%20Exchange%20administrator%22%20account%2C%20it%20throws%20an%20%22Invalid%20Username%20or%20Password%22%20error.%20This%20is%20regardless%20of%20using%20the%20current%20Windows%20identity%20checkbox%2C%20or%20typing%20the%20credentials%20in%20manually.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat's%20interesting%2C%20is%20that%20no%20errors%20are%20logged%20in%20the%20log%20file%2C%20and%20check%20of%20the%20security%20log%20on%20the%20Exchange%20box%20shows%20a%20successful%20logon%20from%20the%20.exe%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EAn%20account%20was%20successfully%20logged%20on.%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ESubject%3A%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ESecurity%20ID%3A%20%3CSNIP%3E%3C%2FSNIP%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EAccount%20Name%3A%20%3CSNIP%3E%3C%2FSNIP%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EAccount%20Domain%3A%20%3CSNIP%3E%3C%2FSNIP%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ELogon%20ID%3A%200x4C41A02%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ELogon%20Information%3A%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ELogon%20Type%3A%202%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ERestricted%20Admin%20Mode%3A%20-%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EVirtual%20Account%3A%20No%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EElevated%20Token%3A%20Yes%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EImpersonation%20Level%3A%20Impersonation%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3ENew%20Logon%3A%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ESecurity%20ID%3A%20%3CSNIP%3E%3C%2FSNIP%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EAccount%20Name%3A%20%3CSNIP%3E%3C%2FSNIP%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EAccount%20Domain%3A%20%3CSNIP%3E%3C%2FSNIP%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ELogon%20ID%3A%200x4E548FB%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ELinked%20Logon%20ID%3A%200x4E549B7%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ENetwork%20Account%20Name%3A%20-%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ENetwork%20Account%20Domain%3A%20-%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EProcess%20Information%3A%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EProcess%20ID%3A%200x3190%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EProcess%20Name%3A%20C%3A%5CUsers%5C%3CSNIP%3E%5CAppData%5CLocal%5CApps%5C2.0%5CP740GNBT.DPA%5CJK4MHM40.9KB%5Cmicr..tion_5329ec537c0b4b5c_0011.0000_72ec5a2eed6c5911%5CMicrosoft.Online.CSE.Hybrid.App.exe%3C%2FSNIP%3E%3C%2FEM%3E%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3EIf%20I%20then%20*purposefully*%20put%20a%20wrong%20username%2Fpassword%20combo%20in%20then%20I%20get%20the%20expected%20audit%20failure%20in%20the%20security%20log%20AND%20also%20an%20expected%20entry%20in%20the%20HCW%20log%20file%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E10393%20%5BClient%3DUX%2C%20Page%3DCredentials%2C%20Thread%3D1%5D%20Windows%20Auth%20Failure%3A%20%5BErrorCode%3D0x80004005%5D%20%5BNativeErrorCode%3D0x52E%5D%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20this%20indicates%20it's%20not%20a%20credential%20error%2C%20but%20I%20have%20absolutely%20no%20idea%20what%20it%20could%20be!!!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20account%20we're%20using%20is%20a%20member%20of%20Domain%20Admins%2C%20Enterprise%20Admins%20and%20Exchange%20Organization%20Management.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe're%20running%20Exchange%202016%20Standard%2C%20CU%2015.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20assistance%20would%20be%20unimaginably%20appreciated%20as%20this%20is%20now%20driving%20me%20mad!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFurther%20edit%3A%3C%2FP%3E%3CP%3E%3CSPAN%3EJust%20to%20follow%20further%20on%20from%20this%2C%20I've%20ran%20TCPView%20to%20see%20what%20the%20HCW%20is%20doing%20when%20I%20hit%20OK%20at%20the%20credential%20prompt%2C%20and%20it's%20(unsurprisingly)%20opening%20an%20LDAP%20connection%20to%20one%20of%20our%20DCs.%20So%20I%20checked%20the%20security%20log%20on%20said%20DC%2C%20and%20it's%20showing%20a%20successful%20logon%20-%20so%20what%20the%20is%20the%20HCW%20complaining%20about%3F!%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1405150%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1671315%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Configuration%20Wizard%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1671315%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F673943%22%20target%3D%22_blank%22%3E%40JonahIJ%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWere%20you%20able%20to%20figure%20out%20what%20the%20cause%20of%20the%20invalid%20username%20and%20password%20was%3F%20I%20am%20trying%20to%20prep%20for%20a%20migration%20and%20ran%20into%20the%20same%20issue!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEdit%3A%3C%2FP%3E%3CP%3EI%20found%20your%20post%20in%20another%20forum%20talking%20about%20redirecting%20the%20computers%20container%20for%20new%20domain%20joined%20PCs%20and%20have%20a%20%2F%20in%20it.%20We%20do%20not%20redirect%20the%20computers%20nor%20do%20any%20containers%20have%20a%20%2F%20in%20it.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi all,

 

Desperately hoping someone can help as I'm tearing my hear out with this! We have a seemingly very odd issue when trying to run the Office 365 Hybrid Configuration Wizard...

 

It fires up fine, finds the appropriate Exchange server and then gets to the credential page for the Exchange box and Office 365, and this is where the fun starts.  Office 365 credentials work and connect fine, no problem.  But regardless of what we put in for the "on-premises Exchange administrator" account, it throws an "Invalid Username or Password" error. This is regardless of using the current Windows identity checkbox, or typing the credentials in manually.

 

What's interesting, is that no errors are logged in the log file, and check of the security log on the Exchange box shows a successful logon from the .exe:

 

An account was successfully logged on.
Subject:
Security ID: <snip>
Account Name: <snip>
Account Domain: <snip>
 
Logon ID: 0x4C41A02
Logon Information:
Logon Type: 2
 
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation

New Logon:
Security ID: <snip>
Account Name: <snip>
Account Domain: <snip>
Logon ID: 0x4E548FB
Linked Logon ID: 0x4E549B7
Network Account Name: -
Network Account Domain: -

Process Information:
Process ID: 0x3190
Process Name: C:\Users\<snip>\AppData\Local\Apps\2.0\P740GNBT.DPA\JK4MHM40.9KB\micr..tion_5329ec537c0b4b5c_0011.0000_72ec5a2eed6c5911\Microsoft.Online.CSE.Hybrid.App.exe
 
If I then *purposefully* put a wrong username/password combo in then I get the expected audit failure in the security log AND also an expected entry in the HCW log file:

 

10393 [Client=UX, Page=Credentials, Thread=1] Windows Auth Failure: [ErrorCode=0x80004005] [NativeErrorCode=0x52E]

 

So this indicates it's not a credential error, but I have absolutely no idea what it could be!!!

 

The account we're using is a member of Domain Admins, Enterprise Admins and Exchange Organization Management.

 

We're running Exchange 2016 Standard, CU 15.

 

Any assistance would be unimaginably appreciated as this is now driving me mad!

 

Cheers

 

Further edit:

Just to follow further on from this, I've ran TCPView to see what the HCW is doing when I hit OK at the credential prompt, and it's (unsurprisingly) opening an LDAP connection to one of our DCs. So I checked the security log on said DC, and it's showing a successful logon - so what the is the HCW complaining about?! 

2 Replies

@JonahIJ 

 

Hi, as per https://docs.microsoft.com/en-us/exchange/hybrid-deployment/deploy-hybrid, your on-premises account needs to have Enterprise Admin permissions assigned,

Sorry, yes the account is also a member of the Enterprise Admins - I'll edit the OP accordingly.