Exchange 2013 OWA, Async, and OA error: MsExchange BackEndRehydration event ID 3002

Hi team,

I have an issue in my Exchange system.

I have two Exchange 2013 multi-role servers with CAS and MBX.

Server A has no connection problem when a client accesses OWA directly (https://servernamefqdn/owa),

but there's an issue when I point to server B OWA (https://serverBfqdn/owa). It's the same when Outlook connects (using OA) and with Async connections.

When I fail to connect to OWA, there's event ID 3002, MsExchange BackEndRehydration.

The error shows on Server A (the server in good condition).

Here's the error:

Thanks

March 20th, 2014 10:53am

Hi,

From the error message, it seems that server B is not allowed token serialization permissions. I recommend you check whether the extended rights "ms-Exch-EPI-Token-Serialization" and "ms-Exch-EPI-Impersonation" have been enabled.

If not, you can apply these permissions using the following command.

Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization", "ms-Exch-EPI-Impersonation" -User xxx

Best regards,
B

March 21st, 2014 7:13am
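
A read-only way to do the check recommended in the reply above, before changing any permissions. This is an added example, not part of the original thread; the account name is a placeholder, and the script assumes it is run in the Exchange Management Shell on Exchange 2013.

```powershell
# Added example: report whether a trustee holds the two extended rights
# on each Client Access server object. Nothing is modified.
# $Account is a placeholder; set it to the account or group being checked.
$Account = 'DOMAIN\ServerB$'
$Rights  = 'ms-Exch-EPI-Token-Serialization', 'ms-Exch-EPI-Impersonation'

$report = foreach ($cas in Get-ClientAccessServer) {
    # -User returns only entries that name this trustee directly; rights held
    # through a group appear only when the group itself is queried.
    $aces = Get-ADPermission -Identity $cas.DistinguishedName -User $Account

    foreach ($right in $Rights) {
        $match = @($aces | Where-Object { $_.ExtendedRights -like $right })

        if ($match.Count -eq 0) {
            # No entry at all for this right on this server object.
            [pscustomobject]@{
                Server      = $cas.Name
                Right       = $right
                Found       = $false
                Deny        = $null
                IsInherited = $null
            }
        }
        else {
            foreach ($ace in $match) {
                # Deny is reported so a deny entry is not mistaken for a grant.
                [pscustomobject]@{
                    Server      = $cas.Name
                    Right       = $right
                    Found       = $true
                    Deny        = $ace.Deny
                    IsInherited = $ace.IsInherited
                }
            }
        }
    }
}

$report | Sort-Object Server, Right | Format-Table -AutoSize
```

Rows with Found = False, or with Deny = True, are the ones to compare between the working and the failing server before running Add-ADPermission.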

Hello Team,

I have a similar issue with Event ID 3002 filling up the App log on both Mailbox servers.  Here is a snippet of the error.  Any help is greatly appreciated.  Thank you.

"Protocol /EWS failed to process request from identity DOMAIN\CASServer. Exception: Microsoft.Exchange.Security.OAuth.InvalidOAuthTokenException: The user specified by the user-context in the token is ambiguous.
   at Microsoft.Exchange.Security.OAuth.OAuthActAsUser.InternalCreateFromAttributes(OrganizationId organizationId, Boolean calledAtFrontEnd, Dictionary`2 rawAttributes, Dictionary`2 verifiedAttributes)
   at Microsoft.Exchange.Security.Authentication.BackendAuthenticator.OAuthAuthenticator.ExtractActAsUser(OrganizationId organizationId, CommonAccessToken token)
   at Microsoft.Exchange.Security.Authentication.BackendAuthenticator.OAuthAuthenticator.InternalRehydrate(CommonAccessToken token, Boolean wantAuthIdentifier, String& authIdentifier, IPrincipal& principal)
   at Microsoft.Exchange.Security.Authentication.BackendAuthenticator.Rehydrate(CommonAccessToken token, BackendAuthenticator& authenticator, Boolean wantAuthIdentifier, String& authIdentifier, IPrincipal& principal, IAccountValidationContext& accountValidationContext)
   at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.ProcessRequest(HttpContext httpContext)
   at Microsoft.Exchange.Security.Authentication.BackendRehydrationModule.OnAuthenticateRequest(Object source, EventArgs args).

February 10th, 2015 4:16pm

I am having this problem as well. We have a split DAG and we are getting this error when attempting to proxy from SiteB to SiteA.  In your fix, are you suggesting the following would work?  Get-clientaccessserver -server siteaCAS | add-adpermission -user domain\SiteBCAS$ ?

June 26th, 2015 12:37pm

This topic is archived. No further replies will be accepted.