This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 72%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
KB5019758 was applied on our Exchange 2019 CU12,
After restart Exchange services do not start giving this error when
accesing via OWA :
Server Error in '/owa' Application.
Active Directory operation failed on . The supplied credential for 'NT AUTHORITY\SYSTEM' is invalid.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ServiceModel.FaultException`1[[Microsoft.Exchange.Data.Directory.TopologyDiscovery.TopologyServiceFault, Microsoft.Exchange.Data.Directory, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Active Directory operation failed on . The supplied credential for 'NT AUTHORITY\SYSTEM' is invalid.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Any help will be appreciated, thanks in advance
Carlos Legrand
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 72%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHH%3C/text%3E%3C/svg%3E)
I've been working on this same issue for the last 8 hours.
Havel
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 92%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGR%3C/text%3E%3C/svg%3E)
Came across your thread while googling for a possible answer. I tried EVERYTHING with zero luck. Ended up going through updates recently installed. Short answer, it ended up being KB5019966 installed on our domain controllers. The second I removed that update and rebooted the DC, all exchange services started immediately working again.
Hope this helps someone else as much as it helped me. Maybe it'll save you 5+ hours out of your day :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 24%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Same on here, we too had the same error and removing KB5019966 from DC's solved it, but we need to find the solution for this because, domain admins will eventually install the update and we will have the same error. If anyone has a solution please help.
Have a nice and errorless days , Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 53%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Also having this issue.
I don't know if everyone will have this portion but after uninstalling it took over an hour to restart each DC. The server sat at "working on updates 100% complete" for about 80 minutes before completing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 33%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM1%3C/text%3E%3C/svg%3E)
This is not Exchange specific. A patch was applied to 2012, 2016, and 2019 domain controllers. Removing the patch listed below from the DCs resolved the issue for our network. This may be affecting other systems on your network. We have seen gpupdate failing on other systems throughout our network.
The affected patches:
kb5020023 - Windows Server 2012
kb5019964 - Windows Server 2016
kb5019966 - Windows Server 2019
"It's complicated, but it basically boils down to the RC4 bit being used as a signal of whether it should use a preferred cipher list or a legacy interop list in a specific section of code."
So, this update will break Kerberos for any computer that has RC4 disabled.
This is what Microsoft support is telling people to do instead of uninstalling the patch. It reverses the changes made by the patch.
Workaround from MSFT engineer is to add the following reg keys on all your DCs.
reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v
KrbtgtFullPacSignature /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v
RequireSeal /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v
ApplyDefaultDomainPolicy /t REG_DWORD /d 0 /f
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 3%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFR%3C/text%3E%3C/svg%3E)
Hello MichaelFuller-1588 Thanks to your contribution we were able to solve this problem with our OnPrem Exchange today.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 76%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENE%3C/text%3E%3C/svg%3E)
Hi,
Check the exchange back end ssl in iis. After this update ssl may drop to null
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 94%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
Hi @Carlos Legrand ,
Welcome to our forum, here is my troubleshooting for this issue:
(1) Create a new OAuth certificate by running the following command:
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
(2) Set the new certificate for server authentication:
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
(3) Restart the Microsoft Exchange Service Host Service.
(4) restart IIS
Please refer to this article for more details: cannot-access-owa-or-ecp-if-oauth-expired
Besides, after installing Exchange Security update, you cannot access OWA or ECP, please read this article: owa-stops-working-after-update
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi,
I am checking the status of this case. Please let us know if you would like further assistance.
If you have any update about this issue, please feel free to post back.
Have a nice day!
Did you run setup/PrepareAllDomains when you installed Exchange?
Do you have missing DCs?
lilyli2-msft
Thank you all, problem solved restoring backup but today came back.
ECP not accesible, nor Exchange console
Event viewer : The supplied credential for 'NT AUTHORITY\SYSTEM' is invalid.
I will try michaelfuller-1588 solution and come again.
Best regards
Hi,
Thanks for your reply.
Waiting for your feedback about this issue, share your updates here if you have any progress on it.
Warm Thanks.