Exchange OWA and ECP not working: the Exchange Server OAuth certificate is expired

When you try to log in to Exchange OWA or ECP, the page does not work and you might see this error: “HMACProvider.GetCertificates:protectionCertificates.Length<1”.

Event 1003 is logged in the Event Viewer. For example, the following entry is logged:

Event ID: 1003
Source: MSExchange Front End HTTPS Proxy
[Owa] An internal server error occurred. The unhandled exception was: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)

This issue occurs if the Exchange Server Open Authentication (OAuth) certificate is expired, not present, or not configured correctly. The solution is to create a new OAuth certificate. Here are the steps:

1. Check the status of the current certificate:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

2. Create a new OAuth certificate by running the following command:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

3. Set the new certificate for server authentication. To do this, run the following commands:

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep2> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

4. Either run the IISReset command to restart IIS or run the following commands (in elevated mode) to recycle the Outlook on the web and EAC application pools:

Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

5. If you have more than one Exchange server, you must restart IIS on all of them:

# Invoke-Command needs -ComputerName to run remotely; piped input alone would run iisreset only on the local machine
Invoke-Command -ComputerName (Get-ExchangeServer).Fqdn -ScriptBlock { iisreset }

Now wait patiently for a few hours (1 to 5) until all the servers have replicated the certificate and the newly configured settings.
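To confirm that every server holds the certificate the auth configuration points to, and to catch the next expiry before OWA and ECP break again, a check like the following can be run from the Exchange Management Shell. It is an added example, not part of the original post; the function name Test-AuthCertificate and the 60-day warning threshold are assumptions made for illustration.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Test-AuthCertificate and the default $WarnDays value are hypothetical choices.
function Test-AuthCertificate {
    param(
        [int]$WarnDays = 60   # warn when the certificate expires within this many days
    )

    # Thumbprint that the organization-wide auth configuration currently points to
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    if (-not $thumb) {
        Write-Warning 'The auth configuration has no current certificate thumbprint.'
        return
    }

    $now = Get-Date
    foreach ($server in Get-ExchangeServer) {
        # A missing certificate raises an error; suppress it and report 'Missing' instead
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumb `
                    -ErrorAction SilentlyContinue

        if (-not $cert) {
            $status = 'Missing'
        } elseif ($cert.NotAfter -lt $now) {
            $status = 'Expired'
        } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $status = 'ExpiringSoon'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Server     = $server.Name
            Thumbprint = $thumb
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Status     = $status
        }
    }
}

# One row per server; anything other than 'OK' needs attention
Test-AuthCertificate | Format-Table -AutoSize
```

A server that still shows Missing after the waiting period has not received the new certificate.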

Good Luck
