MariuszGora-6641 asked MariuszGora-6641 answered

Exchange 2016 ECP error 403 after login

Hi,

We have been using Exchange 2016 on premise for a few years.
For these years we had only one Exchange server, but a few days ago we decided to install another one and create a DAG.
I added a second Exchange server to our infrastructure (but have not yet formed the DAG). When I try to log on to ECP, I receive a 403 error (Forbidden: Access is denied) after typing my credentials.

I tried:
- logging on locally from the server
- recreating the ECP and OWA virtual directories and running iisreset
- double-checking that Get-CASMailbox for my user returns ECPEnabled: True
- rebooting the server
- HealthChecker does not show any serious errors

I can log on to OWA without problems. I can log on to our first server with the same credentials.
The first server's build is 15.1.2242.4 (CU20), the new one's build is 15.1.2375.7 (CU22).

The event log does not show any errors after I receive the 403 error.

Where to next?




Hi @MariuszGora-6641

Does Exchange Management Shell work fine on the new server?
And have you tried moving your mailbox to the new server? Would it help with this issue?

AndyDavid answered

After moving my mailbox to the new server I can log on to ECP, but when I move the mailbox back the issue occurs again.
I don't understand why I must have a mailbox on the server to access ECP. Could anyone explain this correlation?
It is not difficult to imagine a situation when the server with my mailbox fails. In this case, will I lose access to ECP on another server?


Does the problem continue after you upgrade the older server to CU22 as well and apply the latest Nov 2021 Security Patch?

imamitsingh answered MariuszGora-6641 commented

These issues occur if the "deny" permission is effective on the ms-Exch-EPI-Token-Serialization user right on a computer object that has an Exchange Server 2013 or Exchange Server 2016 role assigned.

To resolve this issue, remove the computer object from the restricted group.

You can check out the detailed article from here - https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/error-occur-ems-eac-owa



Please mark as "Accept the answer" if the above steps help you. Your suggestion will help others also!


Hi @imamitsingh
Thanks for the answer and link.
I checked this before and my Exchange server isn't in any group with ms-Exch-EPI-Token-Serialization set as Deny.
Please see the screenshot below:
154786-exchange01.png

In my organization, the only groups denied ms-Exch-EPI-Token-Serialization are: Domain Admins, Schema Admins, Enterprise Admins, Organization Management.


AndyDavid answered

Make sure the auth set for the ECP directory matches the OWA one.
In other words:

If OWA is set for Forms Based, ensure ECP is as well, etc.

Compare the ECP vir dir settings with the working server and see if there is something different.
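
An added example, not part of the original thread: one way to run the comparison suggested above from the Exchange Management Shell, listing each server's build and flagging ECP/OWA authentication settings that disagree on a server or differ between servers. `EXCH01` and `EXCH02` are placeholder server names and `Get-VdirAuthReport` is a hypothetical helper.

```powershell
# Added example. Run in the Exchange Management Shell.
# EXCH01 / EXCH02 are placeholder server names (assumptions), not values from the thread.
$servers = 'EXCH01', 'EXCH02'

# Authentication switches that exist on both ECP and OWA virtual directories.
$authProps = 'BasicAuthentication', 'WindowsAuthentication', 'DigestAuthentication',
             'FormsAuthentication', 'AdfsAuthentication'

# Hypothetical helper: one row per auth setting, ECP value beside OWA value.
function Get-VdirAuthReport {
    param([Parameter(Mandatory)][string]$Server)
    $ecp = Get-EcpVirtualDirectory -Server $Server | Select-Object -First 1
    $owa = Get-OwaVirtualDirectory -Server $Server | Select-Object -First 1
    foreach ($p in $authProps) {
        [pscustomobject]@{
            Server  = $Server
            Setting = $p
            ECP     = $ecp.$p
            OWA     = $owa.$p
            Match   = ($ecp.$p -eq $owa.$p)
        }
    }
}

# Build numbers first: the two servers in the thread were on different CUs.
Get-ExchangeServer | Where-Object { $servers -contains $_.Name } |
    Format-Table Name, AdminDisplayVersion -AutoSize

$report = foreach ($s in $servers) { Get-VdirAuthReport -Server $s }

# 1) On each server, ECP and OWA should use the same authentication methods.
$report | Where-Object { -not $_.Match } | Format-Table -AutoSize

# 2) ECP settings that differ between the servers.
$report | Group-Object Setting |
    Where-Object { @($_.Group.ECP | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group | Select-Object Server, Setting, ECP } |
    Format-Table -AutoSize
```

Empty output from both tables means the authentication settings are consistent, which leaves the build difference shown in the first table as the remaining variable.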

MariuszGora-6641 answered

After upgrading the oldest server to CU22 and the Nov 2021 SP, the problem stopped occurring.

Thanks for help.
