We are running an Exchange 2013 server with CU9. When I access https://xxx/ews, it returns a HTTP 500. https://xxx/ews/services.wsdl returns the WSDL.

In the eventvwr I find at the same time as the HTTP 500 errors such as (Event ID 3003):

Protocol /EWS failed to perform token rehydration because source identity DOMAINNAME\USERNAME does not have token serialization permission.

and Event ID 3002:

Protocol /EWS failed to process request from identity DOMAINNAME\USERNAME. Exception: Microsoft.Exchange.Security.Authentication.BackendRehydrationException: Rehydration failed. Reason: Source server 'DOMAINNAME\USERNAME' does not have token serialization permission. 
   at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.TryGetCommonAccessToken(HttpContext httpContext, Stopwatch stopwatch, CommonAccessToken& token)
   at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.ProcessRequest(HttpContext httpContext)
   at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.OnAuthenticateRequest(Object source, EventArgs args).

Depending on the user previously authorised in /owa, you will get different usernames. The users are not a member direct or indirect of a group like Domain Admins.

OWA works fine. But the following returns a failure:

[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2013>Test-WebServicesConnectivity -clientaccessserver ws131

Source                              ServiceEndpoint                     Scenario                       Result  Latency
                                                                                                                  (MS)
------                              ---------------                     --------                       ------  -------
ws131.IVE.LOCAL                     ws131.ive.local                     Autodiscover: SOAP Provider    Failure      49
ws131.IVE.LOCAL                     ws131.ive.local                     EWS: GetFolder                 Failure       2

How can I analyse / solve this problem? We would like to use /ews to develop Office Add-ins, but that is not possible now.

• Edited by Guido Leenders Wednesday, August 19, 2015 5:56 PM Added text

Hi,

I noticed that both your InternalURL and ExternalURL for EWS service are configured to https://www.xxx.com/ews/exchange.asmx. Please make sure the hostname www.xxx.com is pointed to your Exchange 2013 internally and externally.

Additionally, please run the following command to check your certificate settings:

Get-ExchangeCertificate | fl

Regards,

Hi Winnie,

thx. We have the DNS split for internal and external, each one rsolving to the then correct IP address. There is a short TTL so when roaming between LAN and WAN, you get the correct IP address after a few minutes.

In a lab we have set up a new Exchange 2013 environment. Even out of the box installation, this BackendRehydrationException occurs on /ews. So although the .NET code crashes, it seems to be intended behaviour.

Our Outlook issues across many places seem to have another cause. We will try switching to a different mail platform with which Outlook 2010/2013 works more reliably as next step.