
OWA not working after security update

Office web apps for SharePoint 2013 not working after security updates / server patching.

After installation of the following security patches, OWA stopped working, thereby causing issues with SharePoint 2013.

Details of ULS logs are provided below.

FarmStateReplicator.exe (0x0CD8)
Office Web Apps
Farm State

Error when trying to connect to Farm State Manager service: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http:///farmstatemanager/FarmStateManager.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
   at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Office.Web.Apps.Environment.WacServer.IFarmStateManagerService.GetAllSettings(DateTime lastGetTime, Guid correlationId)
   at Microsoft.Office.Web.Apps.Environment.WacServer.RemoteFarmSettings.Refresh()
   at Microsoft.Office.Web.Apps.Environment.WacServer.ACacheableFarmStateObject.Sync(Boolean force)
   at Microsoft.Office.Web.Apps.Environment.WacServer.AFarmSettings.get_MasterMachineName()
   at Microsoft.Office.Web.Apps.Environment.WacServer.RemoteFarmState.get_IsMaster()
   at Microsoft.Office.Web.WacServer.FarmStateReplicator.Replicate()

It turned out that the following security updates had been installed on the server:

Description  HotFixID
Update       KB2898865
Update       KB2898866
Update       KB2901119
Update       KB2901120
Update       KB2904659
Update       KB2909210
Update       KB2912390
Update       KB2916036
Update       KB2925418
Update       KB2930275

The OWA server event logs have the following errors.

Service cannot be started. System.InvalidOperationException: The certificate has not been specified.
   at Microsoft.Web.Administration.SiteCollection.Add(String name, String bindingInformation, String physicalPath, Byte[] certificateHash)
   at Microsoft.Office.Web.Environment.WacServer.IisProvisioningUtil.ProvisionNewSite(ServerManager serverManager, String name, String physicalPath, String applicationPoolName, List`1 bindings)
   at Microsoft.Office.Web.Environment.WacServer.AgentManager.AgentController.ProvisionTopLevelSites(IEnumerable`1 webAgentsToRun)
   at Microsoft.Office.Web.Environment.WacServer.AgentManager.AgentController.StartAgents()
   at Microsoft.Office.Web.Environment.WacServer.AgentManager.AgentManagerApplication.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Trying to query the Web Apps machine returns the error below.


Get-OfficeWebAppsMachine : It does not appear that this machine is part of an Office Web Apps Server farm.
At line:1 char:1
+ Get-OfficeWebAppsMachine
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-OfficeWebAppsMachine], InvalidOperationException
    + FullyQualifiedErrorId : NotJoinedToFarm.AgentManagerNotRunning,Microsoft.Office.Web.Apps.Administration.GetMachineCommand


Get-OfficeWebAppsFarm : It does not appear that this machine is part of an Office Web Apps Server farm.
At line:1 char:1
+ Get-OfficeWebAppsFarm
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-OfficeWebAppsFarm], InvalidOperationException
    + FullyQualifiedErrorId : NotJoinedToFarm.AgentManagerNotRunning,Microsoft.Office.Web.Apps.Administration.GetFarmCommand

Restart-Service WACSM

WARNING: Waiting for service 'Office Web Apps (WACSM)' to start...
WARNING: Waiting for service 'Office Web Apps (WACSM)' to start...
Restart-Service : Failed to start service 'Office Web Apps (WACSM)'.
At line:1 char:1
+ Restart-Service WACSM
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service], ServiceCommandException
    + FullyQualifiedErrorId : StartServiceFailed,Microsoft.PowerShell.Commands.RestartServiceCommand

Tried the below with no result.

dism /online /enable-feature /featurename:IIS-ASPNET45
#reference :



Did not work

Finally, the solution.

On OWA server:

New-OfficeWebAppsFarm -InternalUrl "" -ExternalUrl "" -CertificateName "OfficeWebApps Certificate" -EditingEnabled

To verify that the farm was created successfully, navigate to:

On SharePoint 2013
# Point PROD to PROD OWA server
Remove-SPWOPIBinding -All:$true
New-SPWOPIBinding -ServerName _owaservername_
#Set-SPWOPIZone -zone "external-https"
Get-SPWOPIZone | Get-SPWOPIBinding

Thankfully, I did not have to reinstall as mentioned in the article.

Quoted below:
Applying Office Web Apps Server updates by using the automatic updates process isn’t supported with Office Web Apps Server. This is because updates to an Office Web Apps Server must be applied in a specific way, as described in this article. If Office Web Apps Server updates are applied automatically, users may be unable to view or edit documents in Office Web Apps. If this happens, you have to rebuild your Office Web Apps Server farm. To rebuild a farm, you must remove the Office Web Apps Server from the farm by using Remove-OfficeWebAppsMachine, uninstall Office Web Apps Server by using Add or remove programs, and then reinstall Office Web Apps Server by following the steps that are described in Deploy Office Web Apps Server. After you have reinstalled, apply the update by following the steps that are described in this article.
It is important that you review the guidelines in Planning updates for Office Web Apps Server and establish an update process for the Office Web Apps Server farm.
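
The event log error above ("The certificate has not been specified") and the -CertificateName value used in the fix both point at the certificate the farm binds to. The following check is an added example, not part of the original post; `Test-WacCertificate` is a hypothetical helper name, and it assumes the farm looks the certificate up by friendly name in the Local Computer Personal store.

```powershell
# Added example, not from the original post. Run elevated on the Office Web Apps server.
function Test-WacCertificate {
    param(
        # Friendly name the post passes to New-OfficeWebAppsFarm -CertificateName
        [string]$FriendlyName = 'OfficeWebApps Certificate'
    )

    $now = Get-Date

    # Assumption: the farm resolves its certificate by friendly name in the
    # computer's Personal store, so every certificate with that name is a candidate.
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName })

    $report = @(foreach ($cert in $candidates) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        }
    })

    $usable = @($report | Where-Object { $_.HasPrivateKey -and $_.InValidity })

    $verdict = if ($candidates.Count -eq 0) {
        'Missing: no certificate with this friendly name'
    } elseif ($candidates.Count -gt 1) {
        'Ambiguous: several certificates share this friendly name'
    } elseif ($usable.Count -eq 0) {
        'Unusable: outside its validity period or no private key'
    } else {
        'OK'
    }

    [pscustomobject]@{
        FriendlyName = $FriendlyName
        Verdict      = $verdict
        # WACSM is the service name used with Restart-Service in the post
        ServiceState = (Get-Service -Name WACSM -ErrorAction SilentlyContinue).Status
        Certificates = $report
    }
}

$result = Test-WacCertificate
$result | Format-List FriendlyName, Verdict, ServiceState
$result.Certificates | Format-Table -AutoSize
```

A verdict other than OK narrows the WACSM start failure to the certificate store before the farm is recreated.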


lehuspohus said…
Hello! I've experienced the same bug recently after installing win2012 security updates. And it seems to be fixed after I deleted orphaned certificates from the computer cert store. Though WAC needed to be patched anyway, so I've recreated the farm and this definitely fixed the bug )
Thanks lehuspohus, for posting your comment. Did you have to recreate the farm even after removing the orphaned certificates?
lehuspohus said…
No, it was not necessary to recreate. When I deleted the certs and restarted the WAC service, my machine appeared in the Get-OfficeWebAppsFarm response. But I didn't test that thoroughly and started to install updates (with Remove-OfficeWebAppsMachine as the first step, of course). So I can't confirm with certainty that removing orphaned certs helps in 100% of cases.
Unknown said…
Thanks! This just saved me!!!
Thanks Kris. Happy that I could help.
Nick said…
thanks this post saved my day - I really appreciate it!!
doNascimento said…
Had a similar problem with OWA 2016 and SP 2016. All IIS Sites on the OWA server disappeared, most likely after some Windows Updates.
The recreation of the farm did the trick for us.
Sasquat said…
I had a similar problem too with OWA 2013. The steps of recreating the farm did the trick.
Re-binding on the SharePoint server was not necessary for me, because I've configured the farm in the same way as before.
Herschel said…
Thank you! After installing the Security Patch and having similar errors, this post reminded me that I had to do this same fix 4-5 years ago and it fixed it now, so thank you for posting!
