This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 67%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
We have a 16 server DAG balanced over two data centers that is running the latest Exchange 2019 version on Windows Server 2022.
I wish to be able to access ECP on a single server in both data centers. Both these servers are not available for the public, they are just hosting databases.
Both servers are deployed with the same deployment script, so they should be identical. Both servers have AdminEnabled:$true on the EcpVirtualDirectory settings and the settings are identical on both servers.
On one server, I can access the ECP without any problems, with the servers internal IP from a management server: https://10.10.10.1/ecp/
On the other server, I am NOT able to access ECP, even though it's the exact same user. I just get a:
403
Sorry! Access denied :(
You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.
You're still signed in. If you want to sign out, use the link below.
I also have an old Exchange 2016 server in the domain, not hosting any databases or client connections. Here the ECP works fine as well, when connecting to the servers internal IP. I want to make sure that I have more than one server where I can reach ECP before I decommission this 2016 server.
What could cause this and what could a solution be?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 94%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
Hi @Kenny M ,
Welcome to our forum.
Typically, this issue occurs if a computer object is added to a group that is denied the ms-Exch-EPI-Token-Serialization user right.
To resolve this issue, please remove the computer object from the restricted group.
For more details, please refer to: error-occur-ems-eac-owa
If the above suggestions do not work, the following similar threads hope to help you.
exchange-2013-unable-to-access-ecp-403-sorry-access-denied
exchange-2016-ecp-error-403-after-login.html
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for your reply. I looked through the articles you linked and did the following checks:
Domain Admins
Schema Admins
Enterprise Admins
Exchange Organization Administrators
Organization Management
Both servers are members of the same groups, and none of them are the above mentioned groups. Not nested groups either. Looked through all of them.
Still no luck. Still works on one server. Doesn't work on another server that should have identical configuration.
I'm puzzled.. ECP access has always been a bit of a mystery to me.
Hi @Kenny M ,
Are there any errors in the Application log?
Do your test users have mailboxes? Has a Role Assignment Policy been added for the affected user mailboxes?
1.Please run the following command to view the RoleAssignmentPolicy property:
Get-Mailbox <identity> | Name,RoleAssignmentPolicy
2.Run the following command to find all users with an empty msExchRBACPolicyLink attribute:
Get-Mailbox -ResultSize Unlimited | Where { $_.RoleAssignmentPolicy -like $null}
3.Assign the ‘Default Role Assignment Policy’ to all the mailboxes in the list:
Get-Mailbox -ResultSize Unlimited | Where { $_.RoleAssignmentPolicy -like $null} | Set-Mailbox –RoleAssignmentPolicy “Default Role Assignment Policy”
Hi,
Is there any update on this case?
Please feel free to drop us a note if there is any update.
Have a nice day!
Open exchange management shell with run as administrator
Run the following command
Set-CASMailbox -id USERemail -ECPEnabled $True
Try to log in again, and it should have been resolved.
Thanks for your reply. The users I have tested with doesn't have a mailbox.
I have enabled a mailbox for my Domain Admin user now, and ECPEnabled is set to $true as default.
I can still logon to ECP on the one server. On the other server, where I previously got the 403 error, I now get the mailbox user ECP and not the admin ECP.
One step forward and one step back again. :)