Exchange 2013: HTTP 500 error on https://xxx/ews (Network Steve Forum)

Exchange 2013: HTTP 500 error on https://xxx/ews

We are running an Exchange 2013 server with CU9. When I access https://xxx/ews, it returns a HTTP 500. https://xxx/ews/services.wsdl returns the WSDL.

In the eventvwr I find at the same time as the HTTP 500 errors such as (Event ID 3003):

Protocol /EWS failed to perform token rehydration because source identity DOMAINNAME\USERNAME does not have token serialization permission.

and Event ID 3002:

Protocol /EWS failed to process request from identity DOMAINNAME\USERNAME. Exception: Microsoft.Exchange.Security.Authentication.BackendRehydrationException: Rehydration failed. Reason: Source server 'DOMAINNAME\USERNAME' does not have token serialization permission.
at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.TryGetCommonAccessToken(HttpContext httpContext, Stopwatch stopwatch, CommonAccessToken& token)
at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.ProcessRequest(HttpContext httpContext)
at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.OnAuthenticateRequest(Object source, EventArgs args).

Depending on the user previously authorised in /owa, you will get different usernames. The users are not a member direct or indirect of a group like Domain Admins.

OWA works fine. But the following returns a failure:

[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2013>Test-WebServicesConnectivity -clientaccessserver ws131

Source ServiceEndpoint Scenario Result Latency
(MS)
------ --------------- -------- ------ -------
ws131.IVE.LOCAL ws131.ive.local Autodiscover: SOAP Provider Failure 49
ws131.IVE.LOCAL ws131.ive.local EWS: GetFolder Failure 2

How can I analyse / solve this problem? We would like to use /ews to develop Office Add-ins, but that is not possible now.

Edited by Guido Leenders Wednesday, August 19, 2015 5:56 PM Added text

August 19th, 2015 5:55pm

Hi,

Please run the following command to check your EWS configuration:
Get-WebServicesVirtualDirectory | FL Identity,*AUTH*,*url*

Please make sure the Internal URL and External URL are configured properly. If you are using ws131.IVE.LOCAL namespace in your URL, please make sure your Exchange certificate which is assigned with IIS service has included this namespace.

Regards,

Free Windows Admin Tool Kit Click here and download it now

August 20th, 2015 3:59am

Hi Winnie,

thanks. I get this:

[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2013>Get-WebServicesVirtualDirectory | FL Identity,*AUTH*,*url*


Identity                      : WSxxx\EWS (Default Web Site)
CertificateAuthentication     :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True
OAuthAuthentication           : True
AdfsAuthentication            : False
InternalNLBBypassUrl          :
InternalUrl                   : https://www.xxx.com/ews/exchange.asmx
ExternalUrl                   : https://www.xxx.com/ews/exchange.asmx

Please note that we use SSL offloading everywhere. Exchange runs behinds the SSL proxy. The internal URL works fine internally and the external also externally (different DNS resolving with short TTL).

Internal result:

You have created a service.

To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:

svcutil.exe https://ws131.ive.local:444/EWS/Services.wsdl

That does not seem to raise an error.

Do you happen to know whether solely /ews in the path should work also?

August 20th, 2015 9:07am

This topic is archived. No further replies will be accepted.