Error: 440 Failed to establish Powershell session logged by mail agent

Mail agents are unable to connect to Powershell and fail with the following error:

Error: 440 Failed to establish Powershell session 

WinRM and Powershell may be selecting Negotiate as the Default authentication method instead of Kerberos in an environment where only Kerberos is allowable.

Run this connection test from the agent host that generated the error, using the same credentials that the agent is using:

 $cred = Get-Credential
 Enter-PSSession -ConnectionUri http://EXCHANGESERVER/powershell?serializationLevel=Full -ConfigurationName Microsoft.Exchange -Credential $cred

This is the Powershell command used by agents to connect to Powershell, so when running the above test pay attention to the authentication method returned in any error messages.

If Negotiate is being used the error will be as follows:

Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The WinRM client tried to use Negotiate authentication mechanism, but the destination computer (EXCHANGESERVER) returned an 'access denied' error. Change the configuration to allow Negotiate authentication mechanism to be used or specify one of the authentication mechanisms supported by the server. To use Kerberos, specify the local computer name as the remote destination. Also verify that the client computer and the destination computer are joined to a domain. To use Basic, specify the local computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by server: For more information, see the about_Remote_Troubleshooting Help topic."

If Negotiate authentication fails, perform the same test using Kerberos authentication:

 $cred = Get-Credential
 Enter-PSSession -ConnectionUri http://EXCHANGESERVER/powershell?serializationLevel=Full -ConfigurationName Microsoft.Exchange -Credential $cred -Authentication Kerberos

If Kerberos authentication succeeds, the agent can be forced to use Kerberos authentication as follows:

1. Locate the agents CONFIG.INI file

2. Add the following line to the INI file and save the file:

PSForceUseKerberos=1

3. Restart the agent.  You should see the parameter picked up in the log and Powershell connections should now succeed.

If this parameter is added directly to Config.ini file, it can become overwritten by the updates coming from the console, therefore the suggested way is as follows: Note: In order to see Additional parameters for agent configuration files you need to enable it via the Windows Registry. Please open Regedit and navigate to: HKLM\SOFTWARE\Aelita\Migration Manager\CurrentVersion\Exchange Data and create new DWORD key called ShowAdditionalParameters and set its value to 1, then restart Migration Manager. If the console is on a 64-bit system then the registry would be HKLM\SOFTWARE\WOW6432Node\Aelita\Migration Manager\CurrentVersion\Exchange Data 1. In Project Manager, select Tools | Options and select the Additional parameters for agent configuration files node. 2. Click Add, to add the following parameter: Name: PSForceUseKerberos, Value: 1 3. Under Apply to, Select Agent Configuration and All Agents or select a specific agent such as Mail Target Agent and click OK.