Error message in EMS, EAC, ECP, OWA, or Outlook on the Web in Exchange Server 2013 or Exchange Server 2016

Symptoms
You may experience one or more of the following issues in Microsoft Exchange Server 2013 or Microsoft Exchange Server 2016:
  • When you try to start the Exchange Management Shell (EMS), you receive an error message that resembles the following:

    VERBOSE: Connecting to Cas1.Fabrikam.com.
    New-PSSession : [cas1.fabrikam.com] Connecting to remote server cas1.fabrikam.com failed with the following error
    message : [Server=CAS1,RequestId=1694d4e1-3f45-4ff3-bfca-7ded20aaa838,TimeStamp=10/4/2013 2:15:34 PM] Access is
    denied.

    For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
       gTransportException
        + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
  • When you try to log on to Exchange Admin Center (EAC) or Exchange Control Panel (ECP), you receive an error message that resembles the following:

    403 Access denied error message

    Additionally, the following event is logged in the Application log:

    Log Name:      Application
    Source:        MSExchange Control Panel
    Event ID:      4
    Task Category: General
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      MBX1.Fabrikam.com
    Description:
    Current user: 'FAB\CAS1$'
    Request for URL 'https://mbx1.fabrikam.com:444/ecp/default.aspx(https://cas1.fabrikam.com/ecp/)' failed with the following error:
    Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user "Fabrikam.com/Computers/CAS1" isn't assigned to any management roles.
  • When users try to log on to Outlook Web App (OWA) or Outlook on the Web, they receive an error message that resembles the following:

    OWA logon error message
Cause
This issue occurs if the "deny" permission is effective on the ms-Exch-EPI-Token-Serialization user right on a computer object that has an Exchange Server 2013 or Exchange Server 2016 role assigned. 

Note Typically, this issue occurs if a computer object is added to a group that is denied the ms-Exch-EPI-Token-Serialization user right. By default, the following groups are denied the ms-Exch-EPI-Token-Serialization user right:
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Organization Management

Resolution
To resolve this issue, remove the computer object from the restricted group.

Note To resolve this issue, you may have to restart the computer that has the Exchange Server role assigned.
More information
To determine the group memberships for the computer that is running Exchange Server 2013 or Exchange Server 2016, open a command prompt, type the following command, and then press Enter: 
gpresult /scope computer /r

In this example, the computer that is running Exchange Server 2013 has the following default group memberships:

Output of gpresult cmdlet

In the following example, the computer was added to the "Exchange Trusted Subsystem" group. The "Exchange Trusted Subsystem" group was then added to the "Domain Admins" group:

Output of gpresult cmdlet when groups are nested

To view all the users and groups that are denied permissions on the Exchange computer object, run the following cmdlet:
Get-ADPermission -Identity <ExchangeComputerObject> | where {($_.ExtendedRights -like "ms-Exch-EPI-Token-Serialization") -and ($_.Deny -like "True")} | ft -autosize User,ExtendedRights

Properties

Article ID: 2898571 - Last Review: 10/01/2015 07:16:00 - Revision: 3.0

Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Microsoft Exchange Server 2013 Standard, Microsoft Exchange Server 2013 Enterprise

  • kbsurveynew kbprb kberrmsg kbtshoot KB2898571
Feedback