SharePoint 2016, New Features?

With SharePoint 2016 right around the corner, I will try to post when I find relevant information and updates. I have been working with the RC1 for a while, and with RC2 out, it’s like a better party…

Some of my personal favorites so far are… while I don’t see anything extreme, I like where things are going with SharePoint. It’s no surprise that Microsoft is pushing cloud, and some of these new features play into that initiative. However, those wanting and/or needing to stay on premises can appreciate the need for new features, otherwise, what is the point to upgrade?

Durable links
Encrypted Connections
Hybrid in SharePoint 2016
Information Rights Management
SharePoint business intelligence
SharePoint Search

New and improved features in SharePoint Server 2016 Release Candidate

Feature | Description | More information
Access Services | New Access features are available when you deploy Access Services in SharePoint Server 2016 Release Candidate. | For more information, see Access Services.
Compliance features | New compliance features for SharePoint Server 2016 Release Candidate include the document deletion and in-place hold policies. | For more information, see Compliance features.
Customized web parts | The compile time for customized XSLT files used for Content Query, Summary Links, and Table of Contents Web Parts is improved. | NA
Document Library accessibility | SharePoint Server 2016 Release Candidate includes new document library accessibility features. | For more information, see Document Library accessibility.
Durable links | Resource-based URLs now retain links when documents are renamed or moved in SharePoint. | NA
Encrypted Connections | SharePoint Server 2016 Release Candidate supports TLS 1.2 connection encryption by default. | For more information, see Encrypted Connections.
Fast Site Collection Creation | The Fast Site Collection Creation feature is a rapid method to create site collections and sites in SharePoint. | For more information, see Fast Site Collection Creation.
Filenames – expanded support for special characters | SharePoint Server 2016 Release Candidate now supports using some special characters in file names that were previously blocked. | For more information, see Filenames.
Hybrid in SharePoint 2016 | Hybrid in SharePoint Server 2016 Release Candidate enables you to integrate your on-premises farm with Office 365 productivity experiences, allowing you to adopt the cloud at your own pace. | For more information, see Hybrid in SharePoint 2016.
Identify and Search for sensitive content | SharePoint Server 2016 Release Candidate now provides the same data loss prevention capabilities as Office 365. | For more information, see Identify and search for sensitive content in both SharePoint 2016 and OneDrive documents.
Image and Video previews | You can now preview images and videos in SharePoint Server 2016 Release Candidate document libraries. | For more information, see Image and Video previews.
Information Rights Management | SharePoint Server 2016 Release Candidate provides Information Rights Management (IRM) capabilities to secure information by encrypting and securing information on SharePoint libraries with OneDrive for Business. | For more information, see Information Rights Management.
Large file support | SharePoint Server 2016 Release Candidate now supports uploading and downloading files larger than 2,047 MB. | For more information, see Large file support.
MinRole | MinRole is a new feature in SharePoint Server 2016 Release Candidate that allows a SharePoint farm administrator to define each server’s role in a farm topology. | For more information, see MinRole farm topology.
Mobile experience | SharePoint Server 2016 Release Candidate offers an improved mobile navigation experience. | For more information, see Mobile experience.
New controls for working with OneDrive for Business | SharePoint Server 2016 Release Candidate provides controls at the top of your personal document folders that make common tasks in OneDrive for Business more accessible. | For more information, see New controls for working with OneDrive for Business.
New Recycle Bin in OneDrive and Team sites | SharePoint Server 2016 Release Candidate adds a link for the Recycle Bin in the left navigation area of the OneDrive and Team sites. | NA
Open Document Format (ODF) | SharePoint Server 2016 Release Candidate adds support for Open Document Format (ODF) files to use in document library templates. | For more information, see Open Document Format (ODF) available for document libraries.
Project Server | New Project Server features are available in SharePoint Server 2016 Release Candidate. | For more information, see Project Server.
ReFS file system support | SharePoint Server 2016 Release Candidate now supports drives that are formatted with the ReFS file system. | For more information about the ReFS file system, see Resilient File System Overview and Resilient file system.
SharePoint business intelligence | SharePoint Server 2016 Release Candidate now supports SQL Server 2016 CTP 3.1 and the Power Pivot add-in and Power View. | For more information about SharePoint business intelligence, see Power Pivot add-in and Power View are now available to use with SharePoint Server 2016 Beta 2.
SharePoint Search | SharePoint Search Server Application has significant changes to its deployment. | For more information, see SharePoint Search Server Application.
Sharing improvements | SharePoint Server 2016 Release Candidate has many new sharing improvements available. | For more information, see Sharing improvements.
Site Folders view | SharePoint Server 2016 Release Candidate provides a new Site Folders view that lets you access the document libraries in sites that you’re following. | For more information, see Site Folders view.
Sites page pinning | This new feature helps you see and follow sites. | For more information, see Sites page pinning.
SMTP Connection Encryption | SharePoint Server 2016 Release Candidate supports sending email to SMTP servers that use STARTTLS connection encryption. | For more information, see SMTP Connection Encryption.
SMTP ports (non-default) | SharePoint Server 2016 Release Candidate adds support for SMTP servers that use TCP ports other than the default port (25). | For more information, see Use SMTP ports other than the default (25).
Web Application Open Platform Interface Protocol (WOPI) | You can now rename files, create new files, and share files from within the WOPI iframe on the browser page. | NA

UniFi Enterprise Wireless

It’s been a while, hello blog…

Wireless… god send or pitfall into invisible death… you get to decide. Either way, my iPhone doesn’t come with a gigabit ethernet port so wireless it is.

While my 2 wireless routers / access points were doing the job, I wanted a single SSID and enough power for more than 6-10 devices without drop outs. Configuring multiple SSID’s wasn’t painful, it was the absence of UPnP or other media services on the access point in which “things were slow”, that’s networking terms for you not-IT folks.

With a little help from Go(ogle)d I found UniFi, Ubiquiti Networks, and it appeared to meet my needs.

  • Multiple WAP’s capable of distributing my SSID
  • Central management, i.e. software
  • Support more than the standard 10 device limit on residential units
  • Give me more power on configuration

My first time around with this, being a novice to this system was not as easy as my second round.

First time for everything…

A year ago I installed and configured this for a small business. I removed the 3 wireless routers they had, installed the management software on a tablet that was stuck in the office and behold… happiness for the masses. In an office of 3-8 the wireless kept ticking with approximately 3-8 mobile phones, 3-5 laptops, Apple TV, Wireless Printers and a Guest wireless for their clients. No issues, drop outs, just happiness.

On the configuration site, I ran into an issue with the Java requirement as it wasn’t installed in a specific directory and the AP decided to fail to connect to the management controller so some manual putty and a little help from support (Who were awesome) I was back up and running in an hour.

In lieu of the setup the first time, it appeared the build I downloaded was pre-production or just not tested. Either way, it may have put some people off which is a big no-no in the consumer world. In all, it was a 3 out of 5 experience.

All Good Things Come To Those Who Wait…

Yes, a movie reference, and one of my favorites.

My second time around, was me, at home, deciding to spend more than $19.99 on a wireless router/AP. I decided I had enough and with the potential of at least 10 wireless devices without company over meant.. Mo money, Mo money, Mo money.. (See, I did it again)

Once the management software was downloaded and installed, way easy the second time, I was off and running. I had already plugged in the AP into an ethernet port and power outlet. The included adapter does not require a PoE ethernet switch. It found it, configured it and within 15 minutes wireless was online and ready to go. The software and install this time around was much cleaner, prettier and wizard like which made everything a breeze. Plus now I can plug in another AP and get further coverage. I won’t need to however as I am now getting wireless out in the street and down the block whereas before it was minimal past the front door. I was happy, my family was happy.

In the end, would I recommend this to the average person, meh… still on the fence with that decision. Anyone with an engineering brain or a free Saturday night could get this up and configured on their own. And with support a phone call away I wouldn’t be scared even if I was a monkey, no offense to the monkeys of course. The question for me is, who really needs this? Hotels? Businesses? Those who don’t want to spend tons of money on Cisco products? Yes to all. With security a big issue and wireless a constant reminder of how un-secure our technology is, the question becomes to Ubiquiti, Cisco and others, how secure can you make it and how easy will it be. Being that Ubiquiti is a newcomer to this world, security experts may be quick to brush off a non-Cisco product. Yet, keep your eyes and ears open for this company as based on a cost vs. ROI variable, they are looking like the Costco of the wireless world.

SharePoint Saturday Twin Cities

Yeah, I spoke in front of people. I was asked if I would speak at SharePoint Saturday Twin Cities, discuss options and recommendations on Cloud vs. On-Premises, what works, what doesn’t, blah.. blah… blah. I did my research, made some awesome visio diagrams, charts and graphs. In the end I felt even though I spoke for 30 minutes, it was a success and wasn’t nerve racking in the end. I have always felt comfortable speaking to people, it’s in my nature. And honestly, people get nervous, screw up, say the wrong thing and I am sure I did the same. However, I did enjoy my time at SPSTC.

As always, I got to work with an awesome team of peers. Without them, I don’t think I would have succeeded. As a whole, I feel we got the information everyone was looking for with success.


SharePoint 2016 RTM Install

While I am generally excited about SharePoint 2016, going through an RTM build of any Microsoft product is not without issues. Going through the install, I will list out any issues that I find to mitigate troubleshooting for the next lost soul or any major differences.

In lieu of the Windows Server, active directory and SQL (Maybe?) install, just focusing on SharePoint for this one. Think single server… maybe because I am lazy, also due to the fact this won’t be anything but a playground for a few months.


Prerequisite Install
Error: Update for Microsoft .NET Framework to disable RC4 in Transport Layer Security (KB2898850): Installation error

2015-10-06 12:38:36 – Check whether the following prerequisite is installed:
2015-10-06 12:38:36 – Update for Microsoft .NET Framework to disable RC4 in Transport Layer Security (KB2898850)
2015-10-06 12:38:36 – The following file does not exist:
2015-10-06 12:38:36 – C:\Windows\servicing\Packages\

Result: Missing file. Download (Link). Installed manually. Ran the prerequisite installer, completed successfully.


Default folder is 16.0

C:\Program Files\Microsoft Office Servers\16.0\Data


Still have the 14, 15 and 16 folder



Database Access Account.. previously the account executing psconfig.exe was used to access the server and create databases and apply access. Now the account is specified inside the wizard.

And yes, using SQL Alias here, SQL is pointing to the local machine.



MinRole Options


I choose custom, mostly because I want to see what I get from it. Without listing what MinRole provides for the other options.

As I suspected, there were no additional options in the PSConfig wizard. Most of you should be selecting custom to get the most out of server infrastructure. However, for you medium to large organizations that may have dedicated Search or DistCache servers, my hats off to you.


Same old story… Microsoft, please let us name our databases. You let us for some, not all, if inconsistency is what you’re looking for, you win. DBA Fail.



After install, admin DB needs an upgrade. Ran PSConfig, no change. Look into this later…


Yup, needs upgrade.

Needs Upgrade


Role conversion, back to the initial install, choose wisely.

Central Admin > System Settings > Servers (Section) > Convert Server Role in this Farm



They added port specification and SSL to outgoing SMTP



Servers in compliance. Whew!



No default content sources.



I am not seeing any major changes in the UI. I have more investigation to do on the backend services which will likely be a separate post.

PFSense 2.2 and Watchguard X550e X-Core-E Series Firewall VPN Load Balancer

Update 2/13/2017: I have continual problems attempting to auto update. Maybe it’s because I am on “unsupported” hardware. Generally the update sits there for 30+ minutes or fails altogether, i.e. after boot (See below). And it depends on the update, the most recent version 2.3.2_1, meh.

Considering the cost, another $11 CF card is worth it at this point. The one benefit, covering my house in dust after opening the case which makes me break out the vacuum.

Btw, if you “swear” via command line when failed… it will respond 🙂 …can I get an f… and a “u” too..

/etc/rc: uname: not found
() (Patch )
Bootup complete
/etc/rc: /usr/local/bin/ not found
/etc/rc: /bin/rm: not found
Feb 10 10:36:56 init: can’t exec getty ‘/usr/libexec/getty’ for port /dev/ttyu0: No such file or directory


Update 5/19/2016: Do NOT update to 2.3 if you want to keep your LCD screen fanciness. The LCDProc Dev package is no longer available in 2.3. Here is a manual way to deploy,


I recently came across a Watchguard Firebox X550e, for free, I had been a pfsense user for sometime and heard about the ability to flash and utilize these devices for pfsense. After a quick order to amazon, I was off and running…

I will reference the helpful posts those of you had, without them I likely wouldn’t have the time to do this!

Tools and Devices
Watchguard X-Core (X550e, X750e or 1250e)
Compact Flash Media Card Reader USB (Link)
Null Modem Serial Cable (Link)
Serial Port or USB to Serial Converter (Link)
64MB to 256MB or less Compact Flash Card for Bios Flash

Putty [Emulator] (Link)
CoolTerm [Emulator] (Link)
Win32 Disk Imager for Windows [Image Writing] (Link)
Image for Flashing BIOS [Bootable Image] (Link)
BIOS Image [New BIOS Image] (Link)
PFSense 1GB, 2GB or 4GB i386 Non-VGA version (Download)

PFSense Download
With 2.2.4, I tried NYI, ESF and BluegrassNet download sites. Only BluegrassNet produced an error free image.
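
A corrupt download like the ones described here can be caught before the card is written by comparing the image's SHA-256 with the checksum published for it. The script below is an added example, not part of the original post; the function names are hypothetical, and it assumes a checksum file saved next to the image, in either BSD ("SHA256 (file) = hash") or GNU ("hash  file") format.

```shell
#!/bin/sh
# Added example: verify a downloaded pfSense image before writing it to the
# Compact Flash card. Usage: sh verify-image.sh <image> <checksum-file>

# Print the lowercase hex SHA-256 of a file with whichever tool is installed
# (sha256sum on Linux, sha256 on FreeBSD/pfSense, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print tolower($1) }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1" | tr 'A-F' 'a-f'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print tolower($1) }'
    else
        return 127
    fi
}

# Extract the first 64-digit hash from a checksum file. Carriage returns are
# stripped because the file may have been saved on Windows.
expected_hash() {
    tr -d '\r' < "$1" | awk '
        /^SHA256 \(.*\) = [0-9a-fA-F]+$/ && length($NF) == 64 { print tolower($NF); exit }
        /^[0-9a-fA-F]+[ \t]/ && length($1) == 64 { print tolower($1); exit }
    '
}

# Return 0 if the image matches, 1 on a hash mismatch (corrupt or tampered
# download), 2 if the check could not be performed at all.
verify_image() {
    image=$1
    sumfile=$2
    [ -s "$image" ] || { echo "FAIL: $image is missing or empty" >&2; return 2; }
    want=$(expected_hash "$sumfile" 2>/dev/null)
    [ -n "$want" ] || { echo "FAIL: no SHA-256 value found in $sumfile" >&2; return 2; }
    got=$(sha256_of "$image") || { echo "FAIL: no SHA-256 tool available" >&2; return 2; }
    if [ "$got" = "$want" ]; then
        echo "OK: $image matches $want"
        return 0
    fi
    echo "FAIL: $image hashes to $got, expected $want; download it again" >&2
    return 1
}

# Only act when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

A mismatch here means the image should be fetched again, from another mirror if necessary, before anything is written to the card.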

Ensure you disconnect power before opening the chassis

Is it Broken?
Check to ensure ports, LCD and power, you don’t want to get through all of this and find out you had a bad port in the beginning.

The Guts


All X-Core-e models are 1U rack mountable chassis, specs provided

  • 1.3GHz Celeron processor, i386 x86
  • 512mb of DDR2 RAM (Upgradable to 2GB of memory)
  • 4x Marvell 88e8001 gigabit NICs
  • Front-mounted HD47780 based character LCD
  • Channel well power supply

The x750e and x1250e add another set of four Marvell 88e8053 gigabit NICs, 8 total.

The firebox has two RAM slots for additional memory, type is DDR2 PC2-4200 533MHz. I currently have 2GB in my box, that is the MAX. It uses standard DDR2 DIMMs, so DDR2-400 and DDR2-533 will work.

Removing Compact Flash
Ensure you’re EXTREMELY CAREFUL when removing and installing compact flash. Bending pins is no good! It’s in a difficult to reach spot.

Compact Flash
The one single issue I had was attempting to boot the watchguard from a 128MB Cisco Compact Flash that I had laying around. I had to use the existing compact flash card already installed in the device, a 64MB Cisco Compact Flash. Without it I had no serial response unless I held the up arrow at boot, even then I received “Bad Signature” and wasn’t able to do anything else.

Some Fireboxes come with pre-installed 512MB CF cards whereas most come with 256MB cards. If you’re unlucky enough to get a box with a 512MB card, you’ll need to purchase a 256MB card for flashing the BIOS. The 512MB card will not work for this purpose.

Remember to backup your original compact flash before flashing. This enables you to go back to your original configuration.

If you’re planning to purchase a new ultra fast (30MB/s+) compact flash, read this (Link)

I opted for the 4GB compact flash, at $11 it was an easy choice.

Another issue I had was the need to switch between putty and CoolTerm. Initially I had read putty had potential issues, which led me to switch to CoolTerm. However, once the BIOS was flashed I had to switch back to Putty since the emulator did not display the BIOS screen after. Most of what I read, people used putty, stick with that when possible.


Write the Image for BIOS Flash
Install Win32 Disk Imager
Connect the Compact Flash Media Reader
Insert the original compact flash from the watchguard or replacement compact flash
Open Win32 Disk Imager
Select and confirm the device
Select the Blue Folder icon, locate the FreeDOSBios.img file
Select Write
Wait for success message
Copy and paste the X750EB2.BIN file to the newly created bootable compact flash using File Explorer
Install the compact flash into the watchguard

Backup and Flash the BIOS
Connect using your emulator software using 9600, 8, 1, None
After 3 beeps, you should get a command prompt
Backup the BIOS, awdflash /pn /sy WGbackup.bin /e
Once backup is complete, run the following to flash the BIOS

Freedos on COM1:
Current date is Mon 06-20-2011
Current time is  7:18:20.20 pm
C:\>cd bios
C:\BIOS>awdflash.exe X750EB2.BIN /py /sn /cc /e


Wait until the C:\BIOS> is ready for additional input

Configure the BIOS
Connect using your emulator software using 115200, 8, 1, None
Reboot the firebox
At POST, during the memory test, use the DEL or TAB keys to enter the BIOS
(The screen will show a standard BIOS Screen with options for configuration if you’re connected correctly)
Enter Standard CMOS Features
Select the IDE Master 0 (Zero) using the enter key
Update the following

IDE Channel 0 Master      [Manual]
Access Mode               [CHS]
Head                      [    2]

Exit using the ESC key
Save using the F10 key
Fan speed can also be adjusted inside the BIOS
Under Health Check{?}
Within fan speed, enter “BB” without quotes
Exit using the ESC key
Save using the F10 key

Write the Image for PFSense
Open Win32 Disk Imager
Connect the Compact Flash Media Reader
Insert the NEW 1, 2 or 4GB compact flash
Select the Blue Folder icon, locate the pfSense-2.2.4-RELEASE-4g-i386-nanobsd-upgrade-20150725-1956.img file
Select Write
Wait for success message
Power down the watchguard
Remove the factory/temporary compact flash card and install the new pfsense compact flash card

Connect to PFSense
Connect using your emulator software using 9600, 8, 1, None. I had to use 115200 myself, results vary…
After a bunch of garbled text, you should get a familiar PFSense console screen
Configure the device as needed

DMA Limited to UDMA33, controller found non-ATA66 cable
After the first boot, I kept getting the following message over and over again. Come to find out there is a fix…

ata0: DMA limited to UDMA33, controller found non-ATA66 cable
(ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 ff 37 77 40 00 00 00 00 01 00
(ada0:ata0:0:0:0): CAM status: Command timeout
(ada0:ata0:0:0:0): Retrying command
ata0: DMA limited to UDMA33, controller found non-ATA66 cable
(ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 ff 37 77 40 00 00 00 00 01 00
(ada0:ata0:0:0:0): CAM status: Command timeout
(ada0:ata0:0:0:0): Retrying command
ata0: DMA limited to UDMA33, controller found non-ATA66 cable
(ada0:ata0:0:0:0): READ_DMA. ACB: c8 00 ff 37 77 40 00 00 00 00 01 00
(ada0:ata0:0:0:0): CAM status: Command timeout
(ada0:ata0:0:0:0): Retrying command
ata0: DMA limited to UDMA33, controller found non-ATA66 cable

I found a post which requests you add a line to the /boot/loader.conf file (Link) which disables DMA (Link). Notes below…

In the newer 2.2.x nano images, DMA access is no longer disabled by default. A fresh 2.2 install won’t boot from a CF card. The following has to be added to the /boot/loader.conf.local file: hint.ata.0.mode=PIO4.

If you add this line before an upgrade, it will be copied to the new 2.2 slice which will boot. We will consider a fresh install (the same applies if you already upgraded to 2.2 but your Firebox won’t boot). Interrupt the boot loader when it is counting down from 4.

FreeBSD/x86 bootstrap loader, Revision 1.1
(root@pfs22-i386-builder, Mon Apr 13 20:28:31 CDT 2015)
Loading /boot/defaults/loader.conf
/boot/kernel/kernel text=0x11fb1a7 data=0x832e48+0x279e60 syms=[0x4+0xf3a10+0x4+0x16bd76]

Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [/boot/kernel/kernel] in 4 seconds...

Type '?' for a list of commands, 'help' for more detailed help.

At the prompt enter:

set hint.ata.0.mode=PIO4


pfSense now continues booting and enters the initial setup. For now we don’t set up VLAN’s and set WAN to sk0 and LAN to sk1 (sk0 is the left most port (port 0) and MSK3 is the right most port (port 7)). If everything went well, you will now see the console configuration menu.

First thing to do now is enabling secure shell (sshd) by choosing option 14. This way, you can use PuTTY or any other SSH client to connect to a terminal over the LAN.

Next thing is editing the /boot/loader.conf.local file to disable DMA after a reboot. This can be done with the webinterface on or the console shell (option 8) or WinSCP.

Webinterface default username/password: admin/pfsense

Choose menu Diagnostics > NanoBSD and click ‘Switch to Read/Write’. This way you can make changes to the file system.


Then go to Diagnostics > Edit file and browse to /boot and open the file loader.conf. Then change the filename to loader.conf.local and press save. Then delete the existing content of this file and add the rule given above, hint.ata.0.mode=PIO4.



Click save and it’s done. Don’t forget to mount the filesystem back to read-only via Diagnostics > NanoBSD. This happened to me automatically after I rebooted for testing.

If you use one of the other options, set the file permissions of loader.conf.local to 0644.
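
The same change can be made from the console shell or over SSH. The function below is an added example, not part of the original post; it writes the hint.ata.0.mode=PIO4 line from this page into a loader file without duplicating it on repeat runs and leaves the file at mode 0644. The function names and the temp-file handling are assumptions.

```shell
#!/bin/sh
# Added example: keep exactly one "key=value" line for a tunable in a loader
# file such as /boot/loader.conf.local, and set the file mode to 0644.
#
# On the nanobsd image the file system is read-only, so wrap the call with
# the mount scripts this page uses elsewhere:
#   /etc/rc.conf_mount_rw
#   sh set-tunable.sh /boot/loader.conf.local hint.ata.0.mode PIO4
#   /etc/rc.conf_mount_ro

# set_loader_tunable <file> <key> <value>
set_loader_tunable() {
    file=$1
    key=$2
    value=$3
    tmp="${file}.tmp.$$"
    if [ -f "$file" ]; then
        # Copy every line except existing assignments of this key, so an old
        # or duplicated value cannot override the one written below.
        awk -v k="$key" '
            { line = $0; sub(/^[ \t]+/, "", line) }
            index(line, k "=") == 1 { next }
            { print }
        ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    else
        : > "$tmp" || return 1
    fi
    printf '%s=%s\n' "$key" "$value" >> "$tmp" || { rm -f "$tmp"; return 1; }
    # The page asks for 0644; set it before the file is moved into place.
    chmod 0644 "$tmp" && mv "$tmp" "$file"
}

# get_loader_tunable <file> <key>: print the value currently set, if any.
get_loader_tunable() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k "=") == 1 { v = substr(line, length(k) + 2) }
        END { if (v != "") print v }
    ' "$1"
}

# Only act when called with all three arguments, so the file can be sourced.
if [ "$#" -eq 3 ]; then
    set_loader_tunable "$1" "$2" "$3" && get_loader_tunable "$1" "$2"
fi
```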

Config.xml is Corrupted and is 0 Bytes
As noted above, this was a bad PFSense image download. I tried all the download sites, only BluegrassNet produced an error free image. It booted right into the system with the newly written image.

>>> Under 512 megabytes of ram detected.  Not enabling APC.
ls: *.xml: No such file or directory
Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.Launching the init system... done. *.xml: No such file or directory
Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.Starting CRON... done.
ls: *.xml: No such file or directory
Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.Bootup complete
grep: /conf/config.xml: No such file or directory
[: -gt: unexpected operator

FreeBSD/i386 (Amnesiac) (console)

ls: *.xml: No such file or directory
Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.

 0) Logout (SSH only)
 1) Assign Interfaces

Fan Speed
Your watchguard is loud, if you want to quiet it down, use this post which controls fan speed (Link)

After enabling SSH access, login as your admin user.

Alternatively you can use the shellcmd package to execute the command at startup.

  • System > Packages
  • Available Packages Tab
  • Locate Shellcmd
  • Select the + icon to the right
  • Confirm install is complete
  • Services > Shellcmd
  • Click the + icon to add a new command
  • Enter in the following
    Command: /conf/WGXepc -f 30 (10 is minimum, FF is full speed [Loud])
    Shellcmd Type: Shellcmd
    Description: Configure Fan Speed
  • Reboot
  • Confirm

Note that while the fan speed I recommend above is the hex value 10, the slowest fan speed that should be selected in the BIOS is BB which is much faster. Stability problems have been reported when using the BIOS to slow down the fans; WGXepc does not have these limitations.

These settings are only after boot, if you want to control during startup, see this Link.

  • /etc/rc.conf_mount_rw
  • fetch -o /usr/local
  • cd /usr/local
  • tar -xzf
  • touch /etc/rc.conf.local
  • vi /etc/rc.conf.local
  • (Press “i” once, then type “fanctrld_enable=”YES” ” with the YES in double quotes. Press escape, then the colon : and type “x”, then press return to save and exit. Sorry, this step can be a little advanced if you’re not used to VI.)
  • /etc/rc.conf_mount_ro

LCD Screen
The LCD screen is supported by the LCDproc-dev package (Link). To use, do the following:

  • System > Packages
  • Available Packages Tab
  • Locate LCDproc-dev
  • Click the + sign
  • Confirm
  • Go to services->LCDproc
  • Tick “Enable LCDproc”
  • Change “Driver” from “pyramid” to “Watchguard Firebox with SDEC (x86 only)” driver
  • Click Save
  • Tick the “Screens” tab
  • Select what you want to show on the screens tab
  • Go to status > services and start the LCDProc service
  • Use the up/down button on the firebox to turn on the back-light and move between “screens”

To enable the NIC LED’s

8 Port Watchguard
If you have an x750e or x1250e, you have 4 additional ports, 8 total. PFSense is known to have problems with these ports, the fix is below, I wasn’t able to test this.

Then there could be problems with the MSK interfaces (the four most right interfaces). An interface becomes unresponsive and a watchdog timeout will be shown in the log. Add the following line to /boot/loader.conf.local to workaround this issue



SharePoint 2016 Released!

As noted in a recent office blog, SharePoint 2016 Preview was released to the general public.

A first look video is available too!

Unable to open Word, Excel, PowerPoint documents in Office Web Apps 2013 Office

I am working with SharePoint 2013 and Office Web Apps 2013. Microsoft decided to move this server / service away from a SharePoint integrated model to a dedicated server model, yah!

Issue: Unable to open Word, Excel, PowerPoint documents in Office Web Apps 2013. Documents spin on open, fail with “Server Busy” message or a message “Can’t Open the Word Document”. I can create new documents in Word, Excel and PowerPoint and edit OneNote documents.

The following were found in the WAC server logs (C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS) and Event Viewer > Applications and Services Logs > Microsoft Office Web Apps

HostingServiceWatchdog reported status for HostingService in category ‘CheckDiscoveryResponse’. Reported status: The Discovery request failed with an exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

BroadcastServicesWatchdog_Wfe reported status for BroadcastServices_Host in category ‘4’. Reported status: Contacting Present_2_0.asmx failed with an exception: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘’.

ServerSession.ProcessWebException: A Web exception during ExecuteWebMethod has occurred for server: http://WINSHRPTOD1:809/ecs/ExcelService*.asmx, method: GetHealthScore, ex: System.Net.WebException: The remote server returned an error: (401) Unauthorized.


The error “The remote server returned an error: (401) Unauthorized” was specific to installation on a non-system drive. Office Web Apps does not like to be installed on another drive, I had installed on E:\ and moved back to C:\.

Second, the TLS error, I utilized a wildcard certificate. The friendly name started with a “*”. Updated to just the domain, it should work, instead I requested a SAN certificate with the servername and Internal load balanced URL. Either certificate should work but I stuck with the SAN cert.


The WOPI keys that are created when SharePoint is connected to the OWA server establish a trust between the two environments. If a change to OWA or SP is made after the initial configuration and connection, running the command “Update-SPWOPIProofKey” resolves this issue by updating the security keys and trust between environments.

  • Update WOPI Key – Update-SPWOPIProofKey

If it doesn’t take, removing all bindings and adding again will also refresh the key.

  • Remove – Remove-SPWOPIBindings -All:$True
  • Add – New-SPWOPIBinding -ServerName

Last Thoughts:

Remember, Office web apps is a dummy service. Set it and forget it. Just make sure you set it right the first time.