Unable to access /ecp or /owa

I recently installed Exchange 2013 with SP1 on three new Exchange servers (Server 2012r2). They are all multi-role servers and when I open the ECP on two of them, I am prompted for credentials. On one of the new servers, I see the following:

From Chrome on my PC (https://servername/ecp), I am redirected to https://servername/owa/auth/errorFE.aspx?httpCode=500 and get a message that says

The webpage at https://servername/owa/auth/errorFE.aspx?httpCode=500 has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.

Error code: Err_TOO_MANY_REDIRECTS

From the server (https://localhost/ecp/?ExchClientVer=15) I get 

Server Error in '/owa' Application.

Access is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[SecurityAccessDeniedException: Access is denied.]
System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +14483202
System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +622
Microsoft.Exchange.Data.Directory.TopologyDiscovery.ITopologyClient.GetServersForRole(String partitionFqdn, List`1 currentlyUsedServers, ADServerRole role, Int32 serversRequested) +0
Microsoft.Exchange.Data.Directory.<>c__DisplayClass10.<internalserviceprovidergetserversforrole>b__f(IPooledServiceProxy`1 proxy) +145
Microsoft.Exchange.Net.ServiceProxyPool`1.TryCallServiceWithRetry(Action`1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception) +274

...

Other symptoms include:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 3/17/2015 8:28:54 AM
Event time (UTC): 3/17/2015 2:28:54 PM
Event ID: 713290da2ff34773bae129f8953e4305
Event sequence: 2
Event occurrence: 1
Event detail code: 0


Application information:
Application domain: /LM/W3SVC/1/ROOT/owa-29-130710761250745972
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\
Machine name: servername
Event 3002: Protocol /owa failed to process request from identity NT AUTHORITY\SYSTEM. Exception: Microsoft.Exchange.Data.Directory.ADTopologyUnexpectedException: Unexpected error when calling the Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)'. Error details: Access is denied.. ---> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
Event 4027: Process w3wp.exe (OWA) (PID=17208). WCF request (Get Servers for domain.local) to the Microsoft Exchange Active Directory Topology service on server (TopologyClientTcpEndpoint (localhost)) failed. Make sure that the service is running. In addition, make sure that the network ports that are used by Microsoft Exchange Active Directory Topology service are not blocked by a firewall. The WCF call was retried 1 time(s). Error Details System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
Event 1003 [Owa] An internal server error occurred. The unhandled exception was: Microsoft.Exchange.Data.Directory.ADTopologyUnexpectedException: Unexpected error when calling the Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)'. Error details: Access is denied.. ---> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

Here is what I've tried

  1. Remove-WebApplication -Site "Exchange Back End" -Name owa (with "New-WebApplication -Site "Exchange Back End" -Name owa -PhysicalPath "C:\Program Files\Microsoft\Exchange Serve...")
    • I did the same for ECP
  2. Remove-OwaVirtualDirectory "servername\owa (Default Web Site)" / Remove-OwaVirtualDirectory "servername\owa (exchange back end)" (with New-OwaVirtualDirectory -InternalUrl "https://url/owa" -ExternalUrl "https://... for both sites)
    • I did the same for ECP
  3. Verified that KB2898571 is not applicable (the results of Get-ADPermission -Identity <exchangecomputerobject>| where {($_.ExtendedRights -like "ms-Exch-EPI-Token-Serialization") -and ($_.Deny -like "True")} | ft -autosize User,ExtendedRights are the same on the servers that work and the one that doesn't).
    • Just to be sure, I verified that there are no groups as members of Domain Admins
  4. Verified that KB317471 is not applicable (wrong OS)
  5. Verified that the ECP and OWA virtual directories on all servers are set to FormsAuth==True & WindowsAuth==False
  6. Verified that Default Web Site, ecp, and owa virtual directories are all set to require SSL
  7. Rebooted

This seems like an AD issue, but the broken server is on the same network (and in the same datacenter) as the servers that let me load ECP. Maybe I should un-join, then re-join the domain?

Thoughts? Thanks.



  • Edited by mhashemi Tuesday, March 17, 2015 4:06 PM fixed lists
March 17th, 2015 3:57pm

Hi mhashemi,

Based on my search, an incorrectly set identity on the MSExchange application pools may cause the issue.

I recommend you try the following method and check whether it helps:

1. Open IIS Manager.

2. In the Connections pane, expand the server node and click Application Pools.

3. Right-click the application pool and select Advanced Settings.

4. Select the Built-in account button, and then change the identity type from "ApplicationPoolIdentity" to "Local System".

5. Change the identity of all MSExchange application pools from "ApplicationPoolIdentity" to "Local System".

6. Run IISReset.

Best regards,


March 18th, 2015 9:13am
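
An added example, not part of the original thread: before changing any pool identity as the reply above suggests, a read-only comparison shows which MSExchange application pools on the failing server actually differ from a working one, and whether the topology service named in event 4027 is running. The server names are placeholders, and PowerShell remoting is assumed to be enabled on both servers.

```powershell
# Added example (not from the thread). Read-only: nothing is changed on either server.
# EXCH-GOOD / EXCH-BAD are placeholder names; PowerShell remoting is assumed enabled.
$GoodServer = 'EXCH-GOOD'
$BadServer  = 'EXCH-BAD'

# Runs on each server: identity and state of every MSExchange* application pool.
$collect = {
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.Name -like 'MSExchange*' } |
        ForEach-Object {
            [pscustomobject]@{
                Pool     = $_.Name
                Identity = [string]$_.processModel.identityType
                State    = [string]$_.State
            }
        }
}

$good = @(Invoke-Command -ComputerName $GoodServer -ScriptBlock $collect)
$bad  = @(Invoke-Command -ComputerName $BadServer  -ScriptBlock $collect)

# Index the failing server's pools by name for lookup.
$badByName = @{}
foreach ($p in $bad) { $badByName[$p.Pool] = $p }

# One row per pool on the working server, flagged when the failing server differs.
$report = foreach ($g in $good) {
    $b = $badByName[$g.Pool]
    [pscustomobject]@{
        Pool         = $g.Pool
        GoodIdentity = $g.Identity
        BadIdentity  = $(if ($b) { $b.Identity } else { '(pool missing)' })
        BadState     = $(if ($b) { $b.State } else { 'n/a' })
        Differs      = (-not $b) -or ($b.Identity -ne $g.Identity)
    }
}
$report | Sort-Object Differs -Descending | Format-Table -AutoSize

# Event 4027 in the question says to confirm the topology service is running.
Invoke-Command -ComputerName $BadServer -ScriptBlock {
    Get-Service -Name MSExchangeADTopology | Select-Object Name, Status
}
```

Rows with Differs set to True are the pools worth examining first; recording the output before and after an identity change also gives a rollback reference.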

I followed your steps and gained access to the login page (the OWAAppPool had "ApplicationPoolIdentity") for a moment. However, it didn't last long.

I am going to re-install Exchange on this server.

March 19th, 2015 11:47am
