Error message in EMS, EAC, ECP, OWA, or Outlook on the Web in Exchange Server 2013 or Exchange Server 2016

Applies to: Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Exchange Server 2013 Standard Edition


You may experience one or more of the following issues in Microsoft Exchange Server 2013 or Microsoft Exchange Server 2016:
  • When you try to start the Exchange Management Shell (EMS), you receive an error message that resembles the following:

    VERBOSE: Connecting to
    New-PSSession : [] Connecting to remote server failed with the following error
    message : [Server=CAS1,RequestId=1694d4e1-3f45-4ff3-bfca-7ded20aaa838,TimeStamp=10/4/2013 2:15:34 PM] Access is

    For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
        + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
  • When you try to log on to Exchange Admin Center (EAC) or Exchange Control Panel (ECP), you receive an error message that resembles the following:

    [Image: 403 Access denied error message]

    Additionally, the following event is logged in the Application log:

    Log Name:      Application
    Source:        MSExchange Control Panel
    Event ID:      4
    Task Category: General
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Current user: 'FAB\CAS1$'
    Request for URL '' failed with the following error:
    Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user "" isn't assigned to any management roles.
  • When users try to log on to Outlook Web App (OWA) or Outlook on the Web, they receive an error message that resembles the following:

    [Image: OWA logon error message]


This issue occurs if the "deny" permission is effective on the ms-Exch-EPI-Token-Serialization user right on a computer object that has an Exchange Server 2013 or Exchange Server 2016 role assigned. 

Note: Typically, this issue occurs if a computer object is added to a group that is denied the ms-Exch-EPI-Token-Serialization user right. By default, the following groups are denied the ms-Exch-EPI-Token-Serialization user right:
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Organization Management


To resolve this issue, remove the computer object from the restricted group.

Note: To resolve this issue, you may have to restart the computer that has the Exchange Server role assigned.

More Information

To determine the group memberships for the computer that is running Exchange Server 2013 or Exchange Server 2016, open a command prompt, type the following command, and then press Enter:

    gpresult /scope computer /r

In this example, the computer that is running Exchange Server 2013 has the following default group memberships:

[Image: Output of gpresult cmdlet]

In the following example, the computer was added to the "Exchange Trusted Subsystem" group. The "Exchange Trusted Subsystem" group was then added to the "Domain Admins" group:

[Image: Output of gpresult cmdlet when groups are nested]

To view all the users and groups that are denied permissions on the Exchange computer object, run the following cmdlet:

    Get-ADPermission -Identity <ExchangeComputerObject> | Where-Object {($_.ExtendedRights -like "ms-Exch-EPI-Token-Serialization") -and ($_.Deny -like "True")} | Format-Table -AutoSize User,ExtendedRights
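
The gpresult output lists the effective groups but not the chain of nesting that put the computer into a restricted group. The following added example (not part of the original article) walks direct memberships outward from the computer account and prints a chain that reaches one of the four default-denied groups, so you can see which membership to remove. The function name Find-RestrictedGroupPath, its parameters, and the sample membership data are hypothetical and constructed for illustration.

```powershell
# Groups the article lists as denied ms-Exch-EPI-Token-Serialization by default.
$RestrictedGroups = 'Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Organization Management'

function Find-RestrictedGroupPath {
    # Hypothetical helper: emits a membership chain from $Start to each restricted group it reaches.
    param(
        [Parameter(Mandatory)] [string]      $Start,
        [Parameter(Mandatory)] [scriptblock] $GetParents,   # takes a name, returns its direct groups
        [string[]] $Restricted = $RestrictedGroups
    )
    $seen  = @{ $Start = $true }                  # guards against circular group nesting
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue([pscustomobject]@{ Node = $Start; Path = $Start })

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($parent in @(& $GetParents $item.Node)) {
            if (-not $parent) { continue }        # object has no further memberships
            $path = "$($item.Path) -> $parent"
            if ($Restricted -contains $parent) { $path }   # output the offending chain
            if (-not $seen.ContainsKey($parent)) {
                $seen[$parent] = $true
                $queue.Enqueue([pscustomobject]@{ Node = $parent; Path = $path })
            }
        }
    }
}

# Constructed sample data reproducing the nested case described above:
# the computer is in "Exchange Trusted Subsystem", which was added to "Domain Admins".
$sample = @{
    'CAS1$'                      = @('Exchange Servers', 'Exchange Trusted Subsystem')
    'Exchange Trusted Subsystem' = @('Domain Admins')
}
Find-RestrictedGroupPath -Start 'CAS1$' -GetParents { param($n) $sample[$n] }

# Against a live domain (assumes the ActiveDirectory module is available):
# Find-RestrictedGroupPath -Start 'CAS1$' -GetParents {
#     param($n) (Get-ADPrincipalGroupMembership -Identity $n).SamAccountName }
```

An empty result means no chain to a default-denied group was found; a deny entry set directly on the computer object would still appear in the Get-ADPermission output above.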