Troubleshooting the Exchange Hybrid Configuration Wizard (HCW) Error HCW8064

Summary: After installation of Hybrid Configuration Wizard (HCW), you may get the error HCW8064 with the message, “The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration.” In this post, we will see how to troubleshoot the HCW8064 error. We will also mention an EDB converter tool that can help you to easily and quickly migrate data from on-premises Exchange database to Office 365 (Exchange Online).

When it comes to migration from Exchange Server to Exchange Online (Office 365), one of the smoothest native methods is the hybrid migration method. However, it is also the longest method. In the hybrid setup, both the local Exchange Server and the Exchange Online act as one. To set up and configure hybrid deployment between the local server and the Exchange Online, you need to install the Hybrid Configuration Wizard (HCW) on the Exchange Server. During the installation, the send and the receive connectors are created on both Exchange Servers. However, when the Hybrid Configuration Wizard (HCW) ends, you may get the following error message.


The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth https://technet.microsoft.com/library/dn497703(v=exchg.150).aspx, you can try running the HCW again or manually configure OAuth using these manual steps https://technet.microsoft.com/library/dn594521(v=exchg.150).aspx.

From the message, it seems there is an issue with the Open Authorization (OAuth) configuration for the hybrid setup. OAuth is required to migrate some of the local Exchange Server components to Exchange Online.

Although the OAuth failure will not stop the migration of mailboxes, it might cause other errors while the migration to Exchange Online is running. If you have a few mailboxes, there is no need to troubleshoot the issue, since all the mailboxes will be in the cloud. However, if you have several mailboxes or you need to keep the local hybrid setup, you need to investigate and fix the error. Let’s see how to resolve this issue.

Possible Solutions to Resolve the HCW8064 Error

If Open Authorization (OAuth) is not configured on the Exchange Servers, you need to configure it. The configuration must be enabled on all the nodes in the Database Availability Group (DAG); you cannot have OAuth configured on only one local Exchange Server.

As per the Microsoft guide, you can try to restart the Exchange Servers and re-run the Hybrid Configuration Wizard (HCW). This might help in resolving the error message.

If this doesn’t work, you need to configure Open Authorization (OAuth) manually. Here’s the procedure:

# On-premises Exchange Management Shell: create the authorization server objects for your Exchange Online tenant.
New-AuthServer -Name "WindowsAzureACS" -AuthMetadataUrl "https://accounts.accesscontrol.windows.net/<your tenant coexistence domain>/metadata/json/1"

New-AuthServer -Name "evoSTS" -Type AzureAD -AuthMetadataUrl "https://login.windows.net/<your tenant coexistence domain>/federationmetadata/2007-06/federationmetadata.xml"

# Enable the partner application for the Exchange Online organization.
Get-PartnerApplication | Where-Object {$_.ApplicationIdentifier -eq "00000002-0000-0ff1-ce00-000000000000" -and $_.Realm -eq ""} | Set-PartnerApplication -Enabled $true

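# Save the following as ExportAuthCert.ps1. It exports the current auth certificate
# as a .cer file (public certificate only, no private key).
$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
if((test-path $env:SYSTEMDRIVE\OAuthConfig) -eq $false)
{md $env:SYSTEMDRIVE\OAuthConfig}
cd $env:SYSTEMDRIVE\OAuthConfig
# -eq instead of -match: an empty thumbprint would otherwise match every certificate in the store.
$oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -eq $thumbprint}
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$certBytes = $oAuthCert.Export($certType)
$CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
[System.IO.File]::WriteAllBytes($CertFile, $certBytes)

# Run the script in the on-premises Exchange Management Shell.
.\ExportAuthCert.ps1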

# Install the MSOnline module, which provides the *-Msol* cmdlets used below.
Install-Module -Name MSOnline

# Save the following as UploadAuthCert.ps1. It adds the exported certificate as a
# verification credential on the Exchange Online service principal.
Connect-MsolService
$CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
$objFSO = New-Object -ComObject Scripting.FileSystemObject
$CertFile = $objFSO.GetAbsolutePathName($CertFile)
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($CertFile)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
$ServiceName = "00000002-0000-0ff1-ce00-000000000000"
$p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName
New-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -Type asymmetric -Usage Verify -Value $credValue

# Run the script and sign in to the tenant when Connect-MsolService prompts.
.\UploadAuthCert.ps1

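# On-premises Exchange Management Shell: list the endpoint URLs of the on-premises organization.
Get-MapiVirtualDirectory | FL server,*url*
Get-WebServicesVirtualDirectory | FL server,*url*
Get-OABVirtualDirectory | FL server,*url*

# Save the following as RegisterEndPoints.ps1. The two URLs are examples;
# replace them with your own endpoints from the output above.
$ServiceName = "00000002-0000-0ff1-ce00-000000000000";
$x = Get-MsolServicePrincipal -AppPrincipalId $ServiceName;
$x.ServicePrincipalnames.Add("https://mail.mycompany.lan/");
$x.ServicePrincipalnames.Add("https://autodiscover.mycompany.lan/");
Set-MSOLServicePrincipal -AppPrincipalId $ServiceName -ServicePrincipalNames $x.ServicePrincipalNames;

# Run the script (requires the MSOnline session from the previous step).
.\RegisterEndPoints.ps1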

# On-premises Exchange Management Shell: create the connector from on-premises to Exchange Online.
$ServiceDomain = Get-AcceptedDomain | where {$_.DomainName -like "*.mail.onmicrosoft.com"} | select -ExpandProperty Name

New-IntraOrganizationConnector -name ExchangeHybridOnPremisesToOnline -DiscoveryEndpoint https://outlook.office365.com/autodiscover/autodiscover.svc -TargetAddressDomains $ServiceDomain

# Exchange Online PowerShell: create the connector from Exchange Online to on-premises.
New-IntraOrganizationConnector -name ExchangeHybridOnlineToOnPremises -DiscoveryEndpoint <your on-premises Autodiscover endpoint> -TargetAddressDomains <your on-premises SMTP domain>

After this, you need to confirm that the changes are successful. For this, you can run the following command from the local Exchange Servers.

Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | Format-List

Then, you need to run the following command on Exchange Online.

Test-OAuthConnectivity -Service EWS -TargetUri <external hostname authority of your Exchange On-Premises deployment>/metadata/json/1 -Mailbox <Exchange Online Mailbox> -Verbose | Format-List

If all goes well, the result should be like:

ResultType: Success
Identity: Microsoft.Exchange.Security.OAuth.ValidationResultNodeId
IsValid: True
ObjectState: New
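
When Test-OAuthConnectivity does not return Success, a read-only check of the on-premises objects created above helps narrow down which step is missing or stale. The script below is an added example, not part of the original post or of Microsoft's procedure; it assumes the on-premises Exchange Management Shell and the object names and application ID used on this page.

```powershell
# Added example (not from the original post): read-only check of the on-premises
# OAuth objects created by the manual procedure. Run in the Exchange Management Shell.
$exoAppId = "00000002-0000-0ff1-ce00-000000000000"   # application ID used on this page
$results  = @()

# 1. The auth certificate named by Get-AuthConfig must exist on THIS server and be in date.
$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
$now  = Get-Date
$certDetail = "thumbprint '$thumbprint' not found in LocalMachine\My"
if ($cert) { $certDetail = "valid $($cert.NotBefore) to $($cert.NotAfter)" }
$results += [pscustomobject]@{
    Check  = "Auth certificate present and within validity"
    Passed = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    Detail = $certDetail
}

# 2. Both authorization servers from the procedure must exist and be enabled.
foreach ($name in "WindowsAzureACS", "evoSTS") {
    $srv = Get-AuthServer | Where-Object { $_.Name -eq $name } | Select-Object -First 1
    $results += [pscustomobject]@{
        Check  = "Auth server '$name' exists and is enabled"
        Passed = [bool]($srv -and $srv.Enabled)
        Detail = "$($srv.AuthMetadataUrl)"
    }
}

# 3. The Exchange Online partner application (empty realm) must be enabled.
$app = Get-PartnerApplication |
    Where-Object { $_.ApplicationIdentifier -eq $exoAppId -and [string]::IsNullOrEmpty($_.Realm) } |
    Select-Object -First 1
$results += [pscustomobject]@{
    Check  = "Partner application $exoAppId is enabled"
    Passed = [bool]($app -and $app.Enabled)
    Detail = "$($app.Name)"
}

# 4. At least one enabled IntraOrganizationConnector must exist.
$ioc = @(Get-IntraOrganizationConnector | Where-Object { $_.Enabled })
$results += [pscustomobject]@{
    Check  = "Enabled IntraOrganizationConnector exists"
    Passed = ($ioc.Count -gt 0)
    Detail = ($ioc | ForEach-Object { "$($_.Name) -> $($_.DiscoveryEndpoint)" }) -join "; "
}

$results | Format-Table -AutoSize -Wrap
```

Because the certificate lookup is local to the machine, run the check on every Exchange server in the DAG; a server without the auth certificate fails the first check even when the organization-wide objects are in place.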

To Conclude

Above, we have discussed the error message “The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration” that occurs when the installation of Hybrid Configuration Wizard (HCW) completes. It looks like the issue is related to Open Authorization (OAuth). We have provided the step-by-step procedure to manually configure OAuth.

As the hybrid approach for on-premises Exchange to Office/Microsoft 365 migration is the longest approach and requires extensive configuration, you can explore a simpler solution to migrate data to Office 365. Stellar Converter for EDB is one such specialized EDB to PST Converter software that can simplify the migration process. It offers an easy-to-use interface and is compatible with any version of Exchange Server database. This tool helps to export all the data from on-premises Exchange Server database directly to Microsoft 365 tenant or another live Exchange Server database. It can also export EDB data to PST and various other formats. The tool can export all the data from Exchange database, including user mailboxes, user archives, disabled mailboxes, shared mailboxes, and public folders.
