Had an issue where the HCW wouldn't validate the Hybrid Agent, dropping the following in the logs:
*ERROR* 10349 [Client=UX, Page=HybridConnectorInstall, Thread=19]
The connection to the server 'e41c4b5d-5f38-41c4-93e9-04cd1df84ff5.resource.mailboxmigration.his.msappproxy.net' could not be completed., The call to 'https://e41c4b5d-5f38-41c4-93e9-04cd1df84ff5.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM'.., The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM'.
OriginalFailureType: MessageSecurityException, WellKnownException: MRSRemote None MRSRemote
Turns out this is a known issue when Extended Protection is enabled on the EWS (Exchange Web Services) virtual directory of your on-prem Exchange server. Extended Protection binds Windows authentication (Negotiate/NTLM) to the TLS channel, and the Hybrid Agent's EWS traffic is proxied through the msappproxy.net endpoint seen in the error, so the authentication is rejected and the agent cannot validate.
To resolve it I went and grabbed ExchangeExtendedProtectionManagement.ps1 from GitHub and ran the following to confirm Extended Protection is enabled:
.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection
VirtualDirectoryName            ExtendedProtection
--------------------            ------------------
EWS (Default Web Site)          Required
OAB (Default Web Site)          None
Autodiscover (Default Web Site) None
Then we run it again, excluding the EWS front-end virtual directory so that Extended Protection is turned off there:
# Example for a single Exchange server (run from the folder holding the script)
.\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames "<Exchange Server Name>" -ExcludeVirtualDirectories "EWSFrontEnd" -Confirm:$false
Re-run the Hybrid Wizard and the Agent validates fine and you can move on. Keep in mind that the EWS front end on the servers you named in -ExchangeServerNames is now running without Extended Protection, so limit that list to the servers the Hybrid Agent actually publishes.
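To confirm the change landed where intended, the following added example (not part of the post and not code from Microsoft's script) reads the Extended Protection setting straight from the IIS configuration that ExchangeExtendedProtectionManagement.ps1 manages. It assumes the WebAdministration module is available and the default Exchange site names "Default Web Site" (front end) and "Exchange Back End".

```powershell
# Added example: inspect the IIS windowsAuthentication/extendedProtection element
# for Exchange virtual directories and check the post-change state for the Hybrid Agent.
# Assumes the WebAdministration module and the default Exchange IIS site names.
Import-Module WebAdministration

function Get-EpTokenChecking {
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][string]$VirtualDirectory
    )
    $psPath = "IIS:\Sites\$Site\$VirtualDirectory"
    $ep = Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'extendedProtection'
    [pscustomobject]@{
        VirtualDirectory   = "$VirtualDirectory ($Site)"
        ExtendedProtection = $ep.tokenChecking   # None, Allow or Require
        Flags              = $ep.flags           # e.g. None, Proxy, NoServiceNameCheck
    }
}

function Test-HybridAgentEwsState {
    # Expected after -ExcludeVirtualDirectories "EWSFrontEnd":
    # front-end EWS is None (what the Hybrid Agent needs), back-end EWS is untouched
    # and should still be Require, because only the front end is published through the agent.
    $frontEnd = Get-EpTokenChecking -Site 'Default Web Site' -VirtualDirectory 'EWS'
    $backEnd  = Get-EpTokenChecking -Site 'Exchange Back End' -VirtualDirectory 'EWS'

    $problems = @()
    if ($frontEnd.ExtendedProtection -ne 'None') {
        $problems += "EWS front end is still '$($frontEnd.ExtendedProtection)'; HCW will keep failing."
    }
    if ($backEnd.ExtendedProtection -ne 'Require') {
        $problems += "EWS back end is '$($backEnd.ExtendedProtection)'; it was not meant to change."
    }

    [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
        State    = @($frontEnd, $backEnd)
    }
}

# Usage: show every EWS-related directory, then run the check.
'Default Web Site', 'Exchange Back End' |
    ForEach-Object { Get-EpTokenChecking -Site $_ -VirtualDirectory 'EWS' } |
    Format-Table -AutoSize
$result = Test-HybridAgentEwsState
if (-not $result.Ok) { $result.Problems | ForEach-Object { Write-Warning $_ } }
```

Run it on each server you passed to -ExchangeServerNames; a warning from the back-end check means something other than the intended front-end exclusion was changed.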