Recently I had a client who needed to change the password of their DirSync service account due to another employee leaving the organization. We changed the password, updated DirSync, and went on our way.
A week later we got a report that they were unable to migrate mailboxes to the cloud. When they attempted to, they got a popup that said "The connection to the server "mail.xxxxx.org" could not be completed." We re-ran the hybrid configuration wizard and it passed without issue. I then tried to move a mailbox via PowerShell and got the following error:
The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please check the credentials and try again. The call to 'https://mail.xxx.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.
    + CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemotePermanentException
    + FullyQualifiedErrorId : [Server=AMSPR01MB134,RequestId=ac5193f2-0d87-437a-85f1-01da5b8208b6,TimeStamp=5/4/2017 8:23:44] [FailureCategory=Cmdlet-RemotePermanentException] 8C76D656,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
    + PSComputerName : outlook.office365.com
I verified I could reach the EWS MRSProxy.svc page without issue. It then dawned on me that the DirSync account was probably also used to configure the Exchange Hybrid MRS endpoint as well. Browsing to the settings via the O365 Exchange Control Panel, sure enough it was:
Sure enough, after updating the credentials we were able to migrate mailboxes once again.
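
The same check and fix can be done from Exchange Online PowerShell when rotating a service account password. The script below is an added example, not part of the original post: it finds remote-move endpoints that store the rotated account, tests the new credentials against the on-premises MRS proxy, and only then saves them. The account name `CONTOSO\svc-dirsync` is a placeholder, and the `Username` property on the endpoint object is an assumption.

```powershell
# Added example. Run in an Exchange Online PowerShell session.
# 'CONTOSO\svc-dirsync' is a placeholder for the rotated service account.
$account = 'CONTOSO\svc-dirsync'

# Prompt for the account's new password; nothing is stored in the script.
$newCred = Get-Credential -UserName $account -Message 'New password for the rotated account'

# Find remote-move (MRS proxy) endpoints that store this account.
# Assumption: the endpoint object exposes the stored account name as Username.
$endpoints = Get-MigrationEndpoint |
    Where-Object { $_.EndpointType -eq 'ExchangeRemoteMove' -and $_.Username -eq $account }

foreach ($ep in $endpoints) {
    # Validate the new credentials against the on-premises MRS proxy before saving them.
    $test = Test-MigrationServerAvailability -ExchangeRemoteMove `
                -RemoteServer $ep.RemoteServer -Credentials $newCred

    if ($test.Result -eq 'Success') {
        Set-MigrationEndpoint -Identity $ep.Identity -Credentials $newCred
        Write-Output "Updated endpoint '$($ep.Identity)' ($($ep.RemoteServer))"
    }
    else {
        # Leave the endpoint untouched so a typo does not replace one bad credential with another.
        Write-Warning "Endpoint '$($ep.Identity)' not updated: $($test.Message)"
    }
}

if (-not $endpoints) {
    Write-Output "No remote-move endpoint stores $account"
}
```

Running the `Get-MigrationEndpoint` filter before a password change shows which endpoints depend on the account, so they can be updated in the same maintenance window.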