Error after Exchange KB5019758 update

Carlos Legrand 6 Reputation points
2022-11-10T22:20:48.483+00:00

KB5019758 was applied on our Exchange 2019 CU12,
After restart Exchange services do not start giving this error when
accesing via OWA :

Server Error in '/owa' Application.
Active Directory operation failed on . The supplied credential for 'NT AUTHORITY\SYSTEM' is invalid.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ServiceModel.FaultException`1[[Microsoft.Exchange.Data.Directory.TopologyDiscovery.TopologyServiceFault, Microsoft.Exchange.Data.Directory, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Active Directory operation failed on . The supplied credential for 'NT AUTHORITY\SYSTEM' is invalid.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Any help will be appreciated, thanks in advance

Carlos Legrand

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
6,497 questions
{count} vote

5 answers

Sort by: Most helpful
  1. MichaelFuller-1588 66 Reputation points
    2022-11-15T13:27:34.707+00:00

    This is not Exchange specific. A patch was applied to 2012, 2016, and 2019 domain controllers. Removing the patch listed below from the DCs resolved the issue for our network. This may be affecting other systems on your network. We have seen gpupdate failing on other systems throughout our network.

    The affected patches:

    kb5020023 - Windows Server 2012
    kb5019964 - Windows Server 2016
    kb5019966 - Windows Server 2019

    "It's complicated, but it basically boils down to the RC4 bit being used as a signal of whether it should use a preferred cipher list or a legacy interop list in a specific section of code."

    So, this update will break Kerberos for any computer that has RC4 disabled.

    https://dirteam.com/sander/2022/11/11/knowledgebase-you-experience-errors-with-event-id-14-and-source-kerberos-key-distribution-center-on-domain-controllers/

    This is what Microsoft support is telling people to do instead of uninstalling the patch. It reverses the changes made by the patch.

    Workaround from MSFT engineer is to add the following reg keys on all your DCs.

    reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v
    KrbtgtFullPacSignature /t REG_DWORD /d 0 /f

    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v
    RequireSeal /t REG_DWORD /d 0 /f

    reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v
    ApplyDefaultDomainPolicy /t REG_DWORD /d 0 /f

    1 person found this answer helpful.

  2. Nihat Eriş 6 Reputation points
    2022-11-22T03:51:50.99+00:00

    Hi,
    Check the exchange back end ssl in iis. After this update ssl may drop to null

    1 person found this answer helpful.
    0 comments No comments

  3. LilyLi2-MSFT 1,956 Reputation points
    2022-11-11T05:19:24.923+00:00

    Hi @Carlos Legrand ,

    Welcome to our forum, here is my troubleshooting for this issue:

    • Is the ECP accessible?
    • Are there any errors in Event Viewer?
    • Check Exchange Server OAuth certificate and try to create a new one:

    (1) Create a new OAuth certificate by running the following command:

    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()  
    

    (2) Set the new certificate for server authentication:

    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)  
    Set-AuthConfig -PublishCertificate  
    Set-AuthConfig -ClearPreviousCertificate  
    

    (3) Restart the Microsoft Exchange Service Host Service.
    (4) restart IIS
    Please refer to this article for more details: cannot-access-owa-or-ecp-if-oauth-expired

    Besides, after installing Exchange Security update, you cannot access OWA or ECP, please read this article: owa-stops-working-after-update


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Amit Singh 3,731 Reputation points
    2022-11-11T10:26:02.28+00:00

    Did you run setup/PrepareAllDomains when you installed Exchange?
    Do you have missing DCs?

    0 comments No comments

  5. Carlos Legrand 6 Reputation points
    2022-11-25T14:48:21.197+00:00

    lilyli2-msft

    Thank you all, problem solved restoring backup but today came back.

    ECP not accesible, nor Exchange console

    Event viewer : The supplied credential for 'NT AUTHORITY\SYSTEM' is invalid.

    I will try michaelfuller-1588 solution and come again.

    Best regards