When you try to log in to Exchange OWA or ECP, you get an error saying that the page is not functioning, and you might see this error: “HMACProvider.GetCertificates:protectionCertificates.Length<1”:
Event 1003 is logged in the event viewer. For example, the following entry is logged:
Event ID: 1003
Source: MSExchange Front End HTTPS Proxy
[Owa] An internal server error occurred. The unhandled exception was: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)
This issue occurs if the Exchange Server Open Authentication (OAuth) certificate is expired, not present, or not configured correctly. The solution is to create a new OAuth certificate; here are the steps:
1. Check the status of the current certificate:
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List
2. Create a new OAuth certificate by running the following command:
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
3. Set the new certificate for server authentication, using the thumbprint that the New-ExchangeCertificate command in step 2 printed. To do this, run the following commands:
Set-AuthConfig -NewCertificateThumbprint <ThumbprintOfNewCertificate> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
4. Either run the iisreset command to restart IIS, or run the following commands (from an elevated prompt) to recycle the Outlook on the web and EAC application pools:
iisreset
or
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool
5. If you have more than one Exchange server, you must run the IIS restart on all of them:
Get-ExchangeServer | ForEach-Object { Invoke-Command -ComputerName $_.Fqdn -ScriptBlock { iisreset } }
Now you have to wait patiently for a few hours (1 to 5) until all the servers have replicated the certificate and the new configured setting.
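To check the replication instead of guessing, the following script (an added example, not part of the original post) reads the thumbprint currently set in AuthConfig and reports, for every Exchange server, whether that certificate is present in its local store and how long it remains valid. It assumes an Exchange Management Shell session and a 30-day warning threshold of my own choosing.

```powershell
# Added example: verify the OAuth (auth) certificate on every Exchange server.
# Assumes the Exchange cmdlets are loaded (Exchange Management Shell or a remote session).
$warnDays = 30   # assumption: flag certificates with less than 30 days of validity left

$authConfig = Get-AuthConfig
$thumb = $authConfig.CurrentCertificateThumbprint
if (-not $thumb) {
    Write-Warning "AuthConfig has no CurrentCertificateThumbprint; step 3 has not been applied."
    return
}
if ($authConfig.NextCertificateThumbprint) {
    Write-Output "Next certificate is still staged: $($authConfig.NextCertificateThumbprint) (not yet effective)"
}

$now = Get-Date
$report = foreach ($server in Get-ExchangeServer) {
    # The certificate is queried on each server's local store; a missing certificate
    # returns an error, which we turn into the MISSING state instead of stopping.
    $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumb -ErrorAction SilentlyContinue

    $state = if (-not $cert) { 'MISSING' }
             elseif ($cert.NotAfter -lt $now) { 'EXPIRED' }
             elseif ($cert.NotAfter -lt $now.AddDays($warnDays)) { 'EXPIRING' }
             else { 'OK' }

    [pscustomobject]@{
        Server     = $server.Name
        Thumbprint = $thumb
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        State      = $state
    }
}

$report | Format-Table -AutoSize

# Summary line: replication is finished only when every server reports OK.
$notReady = @($report | Where-Object { $_.State -ne 'OK' })
if ($notReady.Count -eq 0) {
    Write-Output "All $($report.Count) servers hold the current auth certificate; safe to stop waiting."
} else {
    Write-Warning "$($notReady.Count) server(s) not ready: $($notReady.Server -join ', ')"
}
```

Run it again after the wait in step 5 (or from a scheduled task) until every server shows OK; an EXPIRING row is the early warning that would have prevented this outage in the first place.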