This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 43%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Hi,
We using Exchange 2016 on premise from few years.
For these years we had only one Exchange server but few days ago we decided to install another one and create DAG.
I added second Exchange server to our infrastructure (but not yet form DAG). When I tried logon to ECP i receive 403 error (Forbidden: Access is denied) after type my credentials.
I tried:
I can logon to OWA without problems. I can logon to our firs server with the same credentials.
First server build is 15.1.2242.4 (CU20), new one build is 15.1.2375.7 (CU22).
Event log not show any errors after I receive 403 error.
Where to next?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Does Exchange Management Shell work fine on the new server?
And have you tried moving your mailbox to the new server? Would it help with these issue?
Yes EMS works fine on new server.
After moving my mailbox to new server I can logon to ECP but when I move the mailbox back issue occurs again.
I don't understand why I must have mailbox on server to access ECP. Could anyone explain this correlation?
It is not difficult to imagine situation when server with my mailbox fail. In this case will I lose access to ECP on another server?
Hi,
Are the two Exchange servers in the same AD site?
If creating a new admin account for test, would the same issue persists?
I am writing here to confirm with you how thing going now?
Please let us know if you would like further assistance.
After moving my mailbox to new server I can logon to ECP but when I move the mailbox back issue occurs again.
I don't understand why I must have mailbox on server to access ECP. Could anyone explain this correlation?
It is not difficult to imagine situation when server with my mailbox fail. In this case will I lose access to ECP on another server?
Does the problem continue after you upgrade the older server to CU22 as well and apply the latest Nov 2021 Security Patch?
These issues occur if the "deny" permission is effective on the ms-Exch-EPI-Token-Serialization user right on a computer object that has an Exchange Server 2013 or Exchange Server 2016 role assigned.
To resolve this issue, remove the computer object from the restricted group.
You can check out the detailed article from here - https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/error-occur-ems-eac-owa
-------------------
Please mark as "Accept the answer" if the above steps helps you. Your suggestion will help others also !
Hi @Amit Singh
Thanks for answer and link.
I check this before and my exchange server isn't in any group with ms-Exch-EPI-Token-Serialization set as Deny.
Pease see screen below:
In my organization denied the ms-Exch-EPI-Token-Serialization groups are only: Domain Admins, Schema Admins, Enterprise Admins, Organization Management.
Make sure the auth set for the ECP directory matches the OWA one.
In other words:
If OWA is set for Forms BAsed, ensure ECP is as well. etc...
Compare the ECP vir dir settings with the working server and see if there is something different.
After upgrading oldest server to CU22 and Nov 2021 SP the problem stopped occur.
Thanks for help.