A recent client experience provided a great opportunity to install and configure a Microsoft Office Web Apps (OWA) farm, also called Web Application Companion (WAC), with Microsoft SharePoint 2013. Below are some troubleshooting tips for the issues encountered during the configuration phase of this project.

OWA is a Microsoft Office server product providing browser-based file viewing and editing for Office files. An Office Web Apps Server farm can provide Office services to multiple on-premises hosts, and can be scaled from one to many servers as an organization’s needs grow. Office Web Apps Server can be installed on a single server or on a multi-server, load-balanced farm.

Below are the high-level Office Web Apps Server farm installation steps. These steps are applicable to SharePoint Server 2013 and Windows Server 2012 R2.

  1. Before installation of OWA, check the software and hardware requirements – https://technet.microsoft.com/en-us/library/jj219435.aspx#software
  2. Log in to the OWA server with an admin account
  3. Install the OWA prerequisite software; for Windows 2012 R2, install .NET Framework 4.5.2
  4. Open Windows PowerShell as an administrator and run the below commands to install the required roles and services:
    1. Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices,NET-Framework-Features,NET-Framework-Core
    2. Add-WindowsFeature NET-WCF-HTTP-Activation45
  5. It is recommended to use SSL for communication with the OWA server farm. You can create a self-signed certificate for non-production environments and use an SSL certificate issued by a trusted authority for production environments. Please note that the Common Name (CN) on the certificate should match the OWA internal/external name. The SSL certificate requirements for Office Web Apps Server are available on MSDN.


  6. Note: The linked MSDN article states, “The fully qualified domain name (FQDN) in the SAN field can’t begin with an asterisk (*)”; however, I have tested this and the FQDN works with wildcard characters. But this will only work if the CN on the certificate matches the OWA internal/external name. The installation of the SSL certificate on an IIS server is a standard process that I have not covered here.

    If you have multiple servers, repeat steps 2-5

  7. Download the Office Web Apps 2013 executable and install it on all OWA servers in the farm. You can get the .exe file from the Office 2013 Professional volume licensing site. Install the application to the C: drive (default); installing it to a different drive may cause issues and is not recommended. The installation is straightforward: click on the .exe and follow the steps in the wizard.
  8. Open Windows PowerShell (run as admin) on the first OWA server (if you plan to have a multi-server farm). To create the Office Web Apps farm, run the commands below on the first server:
    1. Import-Module -Name OfficeWebApps
    2. To create the OWA farm, run the command below:
      New-OfficeWebAppsFarm -Verbose -InternalUrl "https://owa.yourcompanyname.com" -ExternalUrl "https://owa.yourcompanyname.com" -CertificateName "CompanyWildcard" -EditingEnabled -LogLocation "D:\Logs" -CacheLocation "D:\OWAAppsCacheLoc" -RenderingLocalCacheLocation "D:\waccache"
  9. The parameters specified in the command above will be different for each environment. For the internal and external name, I prefer to use an FQDN – owa.yourcompanyname.com. Of course the internal name can be different to the external. This is the point of entry for Office Web Apps Server traffic. Adjust these according to your requirements.

    Note: If you are not using SSL, then use this command:
    New-OfficeWebAppsFarm -Verbose -InternalUrl "http://owa.yourcompanyname.com" -ExternalUrl "http://owa.yourcompanyname.com" -AllowHttp -EditingEnabled -LogLocation "D:\Logs" -CacheLocation "D:\OWAAppsCacheLoc" -RenderingLocalCacheLocation "D:\waccache"

    SSL Offloading

    Microsoft recommends using SSL offloading when configuring a load balancer in front of an Office Web Apps farm so this will require configuration first. To configure SSL offloading, add these parameters to the PowerShell script detailed above.

    -AllowHttp:$true -SSLOffloaded:$true

    SSL offloading terminates SSL at the load balancer, so communication between the load balancer and the OWA server(s) uses plain HTTP.

  10. If you are adding additional servers to the farm, run the command below on any additional server to add it to the existing OWA farm

    New-OfficeWebAppsMachine -MachineToJoin "first OWA server FQDN, where the farm was created"

    The command is a little confusing: you are creating a new Office Web Apps machine, but with the -MachineToJoin option you enter the FQDN of the first Office Web Apps server. Using this command, the new server will read the configuration from the first Office Web Apps machine and configure itself as an additional server in that farm.

  11. You can use the Get-OfficeWebAppsFarm command on the second server to retrieve the configuration of the farm. It will now show all the servers; in this example it will show two servers.
  12. Verify that the farm was created successfully. Browse to the OWA FQDN on any OWA server: https://owa.yourcompanyname.com/hosting/discovery
  13. If you are within a Dev/Test environment, add an entry for the SharePoint site to the hosts file of each OWA server if the entry has not yet been added to the DNS server.
  14. Now configure SharePoint to talk to the OWA farm. From any SharePoint server, open SP PowerShell (run as admin):

    New-SPWOPIBinding -ServerName "owa.yourcompanyname.com"

    If you are using HTTP, then use:
    New-SPWOPIBinding -ServerName "owa.yourcompanyname.com" -AllowHTTP

  15. Now browse to the OWA URL, https://owa.yourcompanyname.com/hosting/discovery, from any SharePoint server. You should see an XML file rendered; if so, OWA has been successfully configured with SharePoint.

Note: If the DNS entry for the OWA URL (in this case owa.yourcompanyname.com) is not registered, you need to add the entry to the hosts file of every machine from which you browse the SharePoint site and try to open Office documents.
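
The discovery check in steps 12 and 15 can be scripted instead of read by eye. The following is an added example, not part of the original post: it parses a discovery document and reports whether the WOPI zone SharePoint is set to (the value shown by Get-SPWOPIZone) is advertised by the farm, whether each action URL in that zone uses the matching scheme and the expected host name, and whether the proof-key element is populated. The function name Test-WopiDiscovery and the embedded XML are constructed for illustration.

```powershell
# Constructed, trimmed sample of a /hosting/discovery response (not captured from a real farm).
$sample = [xml]@'
<wopi-discovery>
  <net-zone name="internal-https">
    <app name="Word">
      <action name="view" ext="docx" urlsrc="https://owa.yourcompanyname.com/wv/wordviewerframe.aspx?&lt;ui=UI_LLCC&amp;&gt;" />
    </app>
  </net-zone>
  <net-zone name="external-https">
    <app name="Word">
      <action name="view" ext="docx" urlsrc="https://owa.yourcompanyname.com/wv/wordviewerframe.aspx?&lt;ui=UI_LLCC&amp;&gt;" />
    </app>
  </net-zone>
  <proof-key oldvalue="PLACEHOLDER-OLD-KEY" value="PLACEHOLDER-CURRENT-KEY" />
</wopi-discovery>
'@
function Test-WopiDiscovery {
    param(
        [Parameter(Mandatory = $true)][xml]$Discovery,
        [Parameter(Mandatory = $true)][string]$Zone,         # zone SharePoint is set to (Get-SPWOPIZone)
        [Parameter(Mandatory = $true)][string]$ExpectedHost  # FQDN used for the farm URL
    )
    $zoneNode = $Discovery.SelectSingleNode("/wopi-discovery/net-zone[@name='$Zone']")
    if ($null -eq $zoneNode) {
        $offered = @($Discovery.SelectNodes('/wopi-discovery/net-zone') |
            ForEach-Object { $_.GetAttribute('name') }) -join ', '
        return "Zone '$Zone' is not advertised by the farm (advertised: $offered)"
    }
    $wantScheme = if ($Zone -like '*-https') { 'https' } else { 'http' }
    $findings = @()
    foreach ($action in $zoneNode.SelectNodes('app/action')) {
        $uri = [uri]$action.GetAttribute('urlsrc')
        $label = '{0}/{1}' -f $action.GetAttribute('name'), $action.GetAttribute('ext')
        if (-not $uri.IsAbsoluteUri) { $findings += "${label}: urlsrc is not an absolute URL"; continue }
        if ($uri.Scheme -ne $wantScheme) { $findings += "${label}: scheme '$($uri.Scheme)' does not match zone $Zone" }
        if ($uri.Host -ne $ExpectedHost) { $findings += "${label}: host '$($uri.Host)' is not $ExpectedHost" }
    }
    $key = $Discovery.SelectSingleNode('/wopi-discovery/proof-key')
    if ($null -eq $key -or -not $key.GetAttribute('value') -or -not $key.GetAttribute('oldvalue')) {
        $findings += 'proof-key element is missing its current or old value'
    }
    return $findings
}
# A zone the sample farm advertises, then one it does not.
Test-WopiDiscovery -Discovery $sample -Zone 'external-https' -ExpectedHost 'owa.yourcompanyname.com'
Test-WopiDiscovery -Discovery $sample -Zone 'internal-http' -ExpectedHost 'owa.yourcompanyname.com'
# Against a live farm, replace $sample with:
#   [xml](Invoke-WebRequest -UseBasicParsing 'https://owa.yourcompanyname.com/hosting/discovery').Content
```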

Issues and Troubleshooting:

Problem 1.
You get an error like “server could not be found” or “WARNING: The Server did not respond. Trying again (attempt 1 of 5)” while trying to execute the command below:
New-SPWOPIBinding -ServerName

Resolution 1.
Check the current zone by running the command:
Get-SPWOPIZone

If you are using SSL for communication with the OWA farm, change the WOPI zone to external-https by running the command Set-SPWOPIZone -zone "external-https".

In case of HTTP, use Set-SPWOPIZone -zone "internal-http".

This command configures the zone that the current SharePoint farm uses to navigate the browser to the Web Application Open Platform Interface Protocol (WOPI) application, a server that runs Office Web Apps Server.

Problem 2.
When browsing to the SharePoint site and opening an Office document you get this error:
Content was blocked because it was not signed by a valid security certificate.

An operation failed because the following certificate has validation errors: Subject Name: CN=______________ Issuer Name: CN=______________ Thumbprint: EAFFF11BDEE3A3969C8485270BF21AA5189F0EF7 Errors: The root of the certificate chain is not a trusted root authority.

Resolution 2.
This error occurs if you are not using a trusted SSL certificate, e.g. when you are using a self-signed certificate on a Dev/Test server. Perform these steps to resolve this:

  • Add the certificate to the trusted root folder within the Microsoft Management Console (MMC) of the SharePoint server.
  • Create the trust in SharePoint and add the OWA certificate under CA > Security > Manage Trusts > New > Add the .cer file.
  • Run the binding command again: New-SPWOPIBinding -ServerName

Problem 3.
When browsing the SharePoint site and opening an Office document, you get this error:

[Image: error]

Resolution 3.

  1. Check if the document opens locally on the OWA server. To do that, log in to the OWA server with an admin account and enable the local URL by running:

    Set-OfficeWebAppsFarm -OpenFromUrlEnabled

    This enables Office documents to be opened in a browser on a local machine where OWA farm services are running instead of going through SharePoint or Exchange/Lync.

    Browse to https://owa.yourcompanyname.com on an OWA server. This opens a page where you can enter the address of an Office document. For the shared folder option, use a path such as \\server\Test\SP2013.docx. Click Create link and then click Test this link. This will either open the document directly on the OWA server or fail. If it does not work, then the issue could be related to the SharePoint configuration for OWA.

  2. You can enable verbose logging on the OWA farm by running the command below in Windows PowerShell:
    Set-OfficeWebAppsFarm -LogVerbosity Verbose

    Check the Unified Logging System (ULS) logs on the OWA server to troubleshoot the issue. The log files are stored in C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs.

    You can also check the event logs in the machine's Event Viewer, under Event Viewer > Applications and Services Logs > Microsoft Office Web Apps.

  3. Run the Get-OfficeWebAppsMachine command on the OWA server using PowerShell. The health status should display Healthy.

    If the status is reported as Unhealthy, check the ULS logs or Event Viewer for more data points for troubleshooting.

    Common errors:

    • The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
      This error is due to invalid SSL certificate(s) installed on the machine(s). To fix this, ensure the OWA machine names and the load-balanced DNS entry are included in the SAN certificate you are using (under the subject alternative names of the certificate).
    • BroadcastServicesWatchdog_Wfe reported status for BroadcastServices_Host in category '3'.
      Reported status: Contacting Participant.svc failed with an exception: The remote server returned an error: (404) Not Found.

      To resolve this, make sure you install the Windows feature HTTP Activation for .NET Framework by running the command below (if not already done during installation).
      Add-WindowsFeature NET-WCF-HTTP-Activation45

  4. If you see this error in the ULS logs of the OWA server:
    Cannot create WOPI Proof Token - could not find valid Old proof key data
    Run the PowerShell command Update-SPWOPIProofKey on the SharePoint server:
    Update-SPWOPIProofKey -ServerName
  5. If the error still persists after trying the above steps when you try to open an Office document from the SharePoint site, try clearing the cache on the OWA server. OWA caches previous results (including error results/pages). Clear the cache using the steps below and try again.

    Office Web Apps caches in the following location:
    C:\ProgramData\Microsoft\OfficeWebApps\Working

    • Stop the Office Web Apps service by running the following PowerShell command:
      Stop-Service wacsm
    • Clear the document cache:
      • Delete the “d” directory under C:\ProgramData\Microsoft\OfficeWebApps\Working, or, if you changed the cache location to D:\OWAAppsCacheLoc, remove all folders under that directory
      • Open the waccache directory
      • Locate the LocalCacheStore directory and delete any files under it
      • Go to the waccache directory, locate the wac folder, and delete any files under it
    • Once the cache has been cleared, restart the OWA service using PowerShell:
      Start-Service wacsm

    Now if you browse to an Office document from SharePoint or the OWA server, it should function.
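
Steps 1 and 2 of Resolution 3 switch on OpenFromUrlEnabled and verbose logging for troubleshooting, and the installation steps offer AllowHttp and SSLOffloaded. As an added example (not from the original post), the function below reviews a farm object for those settings and for machines that are not Healthy. Get-OwaFarmFinding, the sample objects and the choice to report these settings as findings are assumptions of this example.

```powershell
function Get-OwaFarmFinding {
    param(
        [Parameter(Mandatory = $true)]$Farm,     # object shaped like Get-OfficeWebAppsFarm output
        [Parameter(Mandatory = $true)]$Machine   # object(s) shaped like Get-OfficeWebAppsMachine output
    )
    $findings = @()
    foreach ($prop in 'InternalUrl', 'ExternalUrl') {
        $url = [uri]$Farm.$prop
        if ($url -and $url.IsAbsoluteUri -and $url.Scheme -eq 'http') {
            $findings += "$prop uses http: $url"
        }
    }
    if ($Farm.AllowHttp -and -not $Farm.SSLOffloaded) {
        $findings += 'AllowHttp is set without SSLOffloaded: the farm accepts plain HTTP directly from clients'
    }
    if ($Farm.OpenFromUrlEnabled) {
        $findings += 'OpenFromUrlEnabled is still on (it was enabled to test a document on the OWA server)'
    }
    if ($Farm.LogVerbosity -eq 'Verbose') {
        $findings += 'LogVerbosity is still Verbose'
    }
    foreach ($m in @($Machine)) {
        if ($m.HealthStatus -ne 'Healthy') {
            $findings += "$($m.MachineName) reports HealthStatus '$($m.HealthStatus)'"
        }
    }
    return $findings
}

# Constructed sample objects (not output from a real farm): a farm left in its troubleshooting state.
$sampleFarm = [pscustomobject]@{
    InternalUrl = 'https://owa.yourcompanyname.com/'; ExternalUrl = 'https://owa.yourcompanyname.com/'
    AllowHttp = $false; SSLOffloaded = $false
    OpenFromUrlEnabled = $true; LogVerbosity = 'Verbose'
}
$sampleMachines = @(
    [pscustomobject]@{ MachineName = 'OWA01'; HealthStatus = 'Healthy' }
    [pscustomobject]@{ MachineName = 'OWA02'; HealthStatus = 'Unhealthy' }
)
Get-OwaFarmFinding -Farm $sampleFarm -Machine $sampleMachines

# On an OWA server, pass the live objects instead:
#   Get-OwaFarmFinding -Farm (Get-OfficeWebAppsFarm) -Machine (Get-OfficeWebAppsMachine)
```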

Problem 4.
If DNS entries are not created for the site and OWA server, you will see errors in the logs such as “server not found”.

Resolution 4.
Ensure the host entry for the site is present in the OWA server hosts file (in case the DNS entry has not been created on the DNS server).

Problem 5.
A WOPICheck file error in the OWA server ULS logs or event viewer.

Resolution 5.
Run this command on the SharePoint server:
Update-SPWOPIProofKey

This cmdlet updates the public key used to connect to the Office Web Apps Server on the current SharePoint farm where this cmdlet is run.
