
    Troubleshooting the Exchange Hybrid Configuration Wizard (HCW) Error HCW8064



      Summary: After installation of the Hybrid Configuration Wizard (HCW), you may get the error HCW8064 with the message, “The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration.” In this post, we will see how to troubleshoot the HCW8064 error. We will also mention an EDB converter tool that can help you easily and quickly migrate data from an on-premises Exchange database to Office 365 (Exchange Online).

      When it comes to migration from Exchange Server to Exchange Online (Office 365), one of the smoothest native methods is the hybrid migration method. However, it is also the longest method. In the hybrid setup, both the local Exchange Server and the Exchange Online act as one. To set up and configure hybrid deployment between the local server and the Exchange Online, you need to install the Hybrid Configuration Wizard (HCW) on the Exchange Server. During the installation, the send and the receive connectors are created on both Exchange Servers. However, when the Hybrid Configuration Wizard (HCW) ends, you may get the following error message.


      The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth https://technet.microsoft.com/library/dn497703(v=exchg.150).aspx, you can try running the HCW again or manually configure OAuth using these manual steps https://technet.microsoft.com/library/dn594521(v=exchg.150).aspx.

      From the message, it seems there is an issue with the Open Authorization (OAuth) configuration for the hybrid setup. OAuth is required to migrate some of the local Exchange Server components to Exchange Online.

      Although the OAuth issue will not stop the migration of mailboxes, it might cause other errors while migrating mailboxes to Exchange Online. If you have only a few mailboxes, there is no need to troubleshoot the issue since all the mailboxes will be in the cloud. However, if you have several mailboxes or you need to keep the local hybrid setup, then you need to investigate and fix the error. Let’s see how to resolve this issue.

      Possible Solutions to Resolve the HCW8064 Error

      If Open Authorization (OAuth) is not configured on the Exchange Servers, then you need to configure it. The configuration must be enabled on all the nodes in the Database Availability Group (DAG). You cannot have OAuth configured on only one local Exchange Server; it must be set up on all the servers.

      As per the Microsoft guide, you can try to restart the Exchange Servers and re-run the Hybrid Configuration Wizard (HCW). This might help in resolving the error message.

      If this doesn’t work, then you need to configure Open Authorization (OAuth) manually. Here’s the procedure:

      • On the local Exchange Servers, open the Exchange Management Shell (EMS) and run the following commands.

      New-AuthServer -Name "WindowsAzureACS" -AuthMetadataUrl "https://accounts.accesscontrol.windows.net/<your tenant coexistence domain>/metadata/json/1"

      New-AuthServer -Name "evoSTS" -Type AzureAD -AuthMetadataUrl "https://login.windows.net/<your tenant coexistence domain>/federationmetadata/2007-06/federationmetadata.xml"

      • Enable the partner application on your Exchange Server for Exchange Online.

      Get-PartnerApplication |  ?{$_.ApplicationIdentifier -eq "00000002-0000-0ff1-ce00-000000000000" -and $_.Realm -eq ""} | Set-PartnerApplication -Enabled $true

      • Next, you need to export the on-premises authorization certificate by saving the following code as ExportAuthCert.ps1.

      $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
      if((test-path $env:SYSTEMDRIVE\OAuthConfig) -eq $false)
      {md $env:SYSTEMDRIVE\OAuthConfig}
      cd $env:SYSTEMDRIVE\OAuthConfig
      $oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -match $thumbprint}
      $certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
      $certBytes = $oAuthCert.Export($certType)
      $CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
      [System.IO.File]::WriteAllBytes($CertFile, $certBytes)

      • Then, run the below script.

      .\ExportAuthCert.ps1

      • Next, you need to upload the certificate to Microsoft Entra Access Control Service (ACS). You must have the MSOnline module installed. If not, you can use the following command to install it.

      Install-Module -Name MSOnline

      • To upload the certificates, you need to save the below code as UploadAuthCert.ps1.

      Connect-MsolService
      $CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
      $objFSO = New-Object -ComObject Scripting.FileSystemObject
      $CertFile = $objFSO.GetAbsolutePathName($CertFile)
      $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
      $cer.Import($CertFile)
      $binCert = $cer.GetRawCertData()
      $credValue = [System.Convert]::ToBase64String($binCert)
      $ServiceName = "00000002-0000-0ff1-ce00-000000000000"
      $p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName
      New-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -Type asymmetric -Usage Verify -Value $credValue

      • Next, run the below script.

      .\UploadAuthCert.ps1

      • Enter the credentials of your Exchange Online.
      • Then, you need to register the endpoints. To get the local Exchange Server endpoints, you can use the following commands.

      Get-MapiVirtualDirectory | FL server,*url*
      Get-WebServicesVirtualDirectory | FL server,*url*
      Get-OABVirtualDirectory | FL server,*url*

      • With the above results, you need to populate a new script, called RegisterEndpoints.ps1, filling in your local URLs.

      $ServiceName = "00000002-0000-0ff1-ce00-000000000000";
      $x = Get-MsolServicePrincipal -AppPrincipalId $ServiceName;
      $x.ServicePrincipalnames.Add("https://mail.mycompany.lan/");
      $x.ServicePrincipalnames.Add("https://autodiscover.mycompany.lan/");
      Set-MSOLServicePrincipal -AppPrincipalId $ServiceName -ServicePrincipalNames $x.ServicePrincipalNames;

      • Then, run the below script.

      .\RegisterEndpoints.ps1

      • Now, you need to create an IntraOrganizationConnector from the local organization to Microsoft 365.

      $ServiceDomain = Get-AcceptedDomain | where {$_.DomainName -like "*.mail.onmicrosoft.com"} | select -ExpandProperty Name

      New-IntraOrganizationConnector -name ExchangeHybridOnPremisesToOnline -DiscoveryEndpoint https://outlook.office365.com/autodiscover/autodiscover.svc -TargetAddressDomains $ServiceDomain

      • Now, you need to create a connection between the online and the local server by running the following command in the Exchange Online PowerShell.

      New-IntraOrganizationConnector -name ExchangeHybridOnlineToOnPremises -DiscoveryEndpoint <your on-premises Autodiscover endpoint> -TargetAddressDomains <your on-premises SMTP domain>

      After this, you need to confirm that the changes are successful. For this, you can run the following command from the local Exchange Servers.

      Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | Format-List

      Then, you need to run the below command on Exchange Online.

      Test-OAuthConnectivity -Service EWS -TargetUri <external hostname authority of your Exchange On-Premises deployment>/metadata/json/1 -Mailbox <Exchange Online Mailbox> -Verbose | Format-List

      If all goes well, the result should be like:

      ResultType: Success
      Identity: Microsoft.Exchange.Security.OAuth.ValidationResultNodeId
      IsValid: True
      ObjectState: New
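
      If Test-OAuthConnectivity does not return Success, the on-premises half of the manual procedure can be audited in one pass. The script below is an added example, not part of the original article or of Microsoft's guide: it checks that the exported .cer file is the public half of the current auth certificate (the value uploaded as the verification credential), that every server holds that certificate, and that the objects created in the steps above exist and are enabled. Test-HybridOAuthPrereq, $CertFile and $WarnDays are hypothetical names; the object names and the file path are the ones used in the steps above.

```powershell
# Added example: run in the Exchange Management Shell on an on-premises server.
# Test-HybridOAuthPrereq and its parameters are hypothetical names; object names
# and the certificate path are the ones used in the manual steps above.
function Test-HybridOAuthPrereq {
    param(
        [string]$CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer",
        [int]$WarnDays = 30
    )
    $findings = @()

    # 1. The exported file must be the public half of the current auth certificate.
    $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
    if ($cer.Thumbprint -ne $thumbprint) { $findings += "Exported file is not the current auth certificate ($thumbprint)" }
    if ($cer.HasPrivateKey) { $findings += "Exported file carries a private key; only the public certificate should leave the server" }
    if ($cer.NotAfter -lt (Get-Date).AddDays($WarnDays)) { $findings += "Auth certificate expires on $($cer.NotAfter)" }

    # 2. Every non-Edge Exchange server must hold that certificate.
    foreach ($server in (Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' })) {
        $found = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumbprint -ErrorAction SilentlyContinue
        if (-not $found) { $findings += "Auth certificate not found on $($server.Name)" }
    }

    # 3. Both authorization servers exist, are enabled and point at HTTPS metadata.
    foreach ($name in 'WindowsAzureACS', 'evoSTS') {
        $authServer = Get-AuthServer | Where-Object { $_.Name -eq $name }
        if (-not $authServer) { $findings += "AuthServer '$name' is missing"; continue }
        if (-not $authServer.Enabled) { $findings += "AuthServer '$name' is disabled" }
        if ("$($authServer.AuthMetadataUrl)" -notlike 'https://*') { $findings += "AuthServer '$name' metadata URL is not HTTPS" }
    }

    # 4. The Exchange Online partner application is enabled.
    $partner = Get-PartnerApplication | Where-Object {
        $_.ApplicationIdentifier -eq '00000002-0000-0ff1-ce00-000000000000' -and [string]::IsNullOrEmpty($_.Realm)
    }
    if (-not $partner) { $findings += "Exchange Online partner application not found" }
    elseif (-not $partner.Enabled) { $findings += "Exchange Online partner application is disabled" }

    # 5. The on-premises to online connector exists and is enabled.
    $connector = Get-IntraOrganizationConnector | Where-Object { $_.Name -eq 'ExchangeHybridOnPremisesToOnline' }
    if (-not $connector) { $findings += "IntraOrganizationConnector 'ExchangeHybridOnPremisesToOnline' is missing" }
    elseif (-not $connector.Enabled) { $findings += "IntraOrganizationConnector is disabled" }

    return $findings
}

Test-HybridOAuthPrereq | ForEach-Object { Write-Warning $_ }
```

      An empty result means the on-premises objects match the manual steps; the service principal credential and the Exchange Online connector still have to be checked from the cloud side.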


      To Conclude

      Above, we have discussed the error message “The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration” that occurs when the installation of the Hybrid Configuration Wizard (HCW) completes. It looks like the issue is related to Open Authorization (OAuth). We have provided the step-by-step procedure to manually configure OAuth.

      As the hybrid approach for on-premises Exchange to Office/Microsoft 365 migration is the longest approach and requires extensive configuration, you can explore a simpler solution to migrate data to Office 365. Stellar Converter for EDB is one such specialized EDB to PST Converter software that can simplify the migration process. It offers an easy-to-use interface and is compatible with any version of Exchange Server database. This tool helps to export all the data from on-premises Exchange Server database directly to Microsoft 365 tenant or another live Exchange Server database. It can also export EDB data to PST and various other formats. The tool can export all the data from Exchange database, including user mailboxes, user archives, disabled mailboxes, shared mailboxes, and public folders.


      About The Author

      Shelly Bhardwaj

      I am a Product Consultant and have been associated with Stellar Data Recovery for the last 8 years. I write about the latest technology tips and provide custom solutions related to Exchange Server, Office 365, MS Outlook, and many other Email Clients & different flavors of OS Servers.
