Exchange 2019 CU 12 Cannot login to ECP after installing new SSL certificate

uranus829 66 Reputation points
2023-02-05T00:45:34.27+00:00

Hello everyone,

Recently, on our Exchange 2019 CU12 server, I updated the Auth Certificate, installed a new certificate, and verified that I can access ECP and log in to OWA using the IP addresses of the two Exchange servers, and that the new certificate is being used. But an SLB is used in the environment, and the SLB VIP is used for login and access; when I go to the ECP URL to log in, it redirects to the OWA URL:

.../owa/auth/logon.aspx?replaceCurrent=1&url...

The following IIS recycling commands have been executed, but it does not work.

[PS] C:>Restart-WebAppPool "MSExchangeOWAAppPool"

[PS] C:>Restart-WebAppPool "MSExchangeECPAppPool"

The strange thing is that after waiting 8 hours, access via the SLB VIP is normal. I think the CU12 version still does not solve the UTC time zone problem, although the "ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1" seen in the previous version no longer occurs.

Admin please help, thanks


Accepted answer
  1. Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor
    2023-02-07T07:36:31.8+00:00

    Hi @uranus829

    Glad to hear that, and thanks for sharing.

    However, due to forum policy, the original poster cannot accept their own reply as the answer to the question.

    I have written a summary of this issue.

    Please feel free to accept it as the answer to highlight the solution and help other community members.

    Thanks for your understanding.


    [Exchange 2019 CU 12 Cannot login to ECP after installing new SSL certificate - Summary]

    Issue Symptom:
    Scenario: two Exchange 2019 CU 12 servers behind a load balancer.

    Once the Exchange OAuth certificate is updated, accessing the ECP URL (pointed to the load balancer) is redirected to the login page, causing a login loop.

    It may take about 8 hours before it works correctly.

    Solution:
    Refer to the Workaround part in this link:

    Cannot log in to OWA or ECP after July 2021 SU for Exchange Server 2019, 2016, and 2013 (KB 5005341)

    You can work around the issue that's described in the "Cause 2" section by setting the persistence to “source-ip” in the load balancer configuration.


5 additional answers

  1. uranus829 66 Reputation points
    2023-02-05T02:03:18.62+00:00

    I found that HTTPS 443 on the IIS Default Web Site of both exchange01 and exchange02 is bound to the WMSVC-SHA2 certificate at the same time, and the SLB VIP is then always redirected to the login page. If the HTTPS 443 binding to the WMSVC-SHA2 certificate is removed from one of the Default Web Sites, there is no problem.

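The finding above (port 443 bound to the WMSVC-SHA2 certificate instead of the Exchange IIS certificate) is easy to miss because Get-ExchangeCertificate and the actual IIS binding are two different views. The script below is an added example, not code from this thread or from Microsoft: it reads the current OAuth configuration, lists the certificates Exchange manages on each server, reads the real HTTPS 443 binding of the Default Web Site, and warns when a server presents the WMSVC certificate or anything other than the certificate Exchange has enabled for IIS. It assumes it is run from the Exchange Management Shell with PowerShell remoting to both servers; the server names are taken from the thread and are placeholders.

```powershell
# Added example (not from the thread): audit what each Exchange server actually
# presents on HTTPS 443 versus the certificate Exchange has enabled for IIS and
# the current OAuth (auth) certificate.
# Assumptions: Exchange Management Shell, PS remoting to each server,
# hypothetical server names taken from the thread.
$servers = 'exchange01', 'exchange02'

# 1. OAuth configuration: current certificate and any pending rollover.
$authConfig = Get-AuthConfig
Write-Host "OAuth current thumbprint : $($authConfig.CurrentCertificateThumbprint)"
Write-Host "OAuth next thumbprint    : $($authConfig.NextCertificateThumbprint)"
Write-Host "OAuth next effective date: $($authConfig.NextCertificateEffectiveDate)"

foreach ($server in $servers) {
    Write-Host "`n=== $server ==="

    # 2. Certificates Exchange knows about on this server and the services each
    #    is enabled for. The one enabled for IIS should be the commercial (or
    #    Exchange self-signed) certificate, not the WMSVC management certificate.
    $exCerts = Get-ExchangeCertificate -Server $server
    $exCerts | Select-Object Thumbprint, Services, NotAfter, FriendlyName, Subject |
        Format-Table -AutoSize | Out-String | Write-Host

    $iisCert = $exCerts | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1

    # 3. What IIS really binds on 443. WebAdministration reads the local IIS
    #    configuration, so this part runs on the server itself.
    $bindings = Invoke-Command -ComputerName $server -ScriptBlock {
        Import-Module WebAdministration
        Get-WebBinding -Name 'Default Web Site' -Protocol https |
            Select-Object bindingInformation, certificateHash, certificateStoreName
    }

    foreach ($b in $bindings) {
        $hash      = $b.certificateHash
        $boundCert = $exCerts | Where-Object { $_.Thumbprint -eq $hash }
        $label     = if ($boundCert) { $boundCert.FriendlyName } else { '(not an Exchange-managed certificate)' }
        Write-Host "Binding $($b.bindingInformation) -> $hash  $label"

        # 4. Flag the condition described in the thread: 443 bound to the
        #    WMSVC(-SHA2) certificate, or to anything other than the IIS cert.
        if ($boundCert -and ($boundCert.FriendlyName -like 'WMSVC*' -or $boundCert.Subject -like '*WMSVC*')) {
            Write-Warning "$server binds 443 to the WMSVC certificate; expected $($iisCert.Thumbprint)"
        }
        elseif ($iisCert -and $hash -ne $iisCert.Thumbprint) {
            Write-Warning "$server 443 binding ($hash) differs from the Exchange IIS certificate ($($iisCert.Thumbprint))"
        }
    }
}
```

The script only reports; it changes nothing. If it shows a server bound to the wrong certificate, the supported way to correct the binding is Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS on that server, followed by the app-pool restarts already shown in the question. Note that a mismatch between the two servers is exactly the situation in which the load-balancer persistence setting from the accepted answer matters, because a client whose session lands alternately on two servers with different certificates will keep being sent back to the logon page.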


  3. Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor
    2023-02-06T03:35:49.6633333+00:00

    Hi @uranus829

    Sorry, I am not sure I understand your question correctly.

    Would you please clarify:

    Do you still have issues accessing ECP via the SLB VIP? Or is it working fine now after 8 hours?

    If the issue has gone, the possible cause may be that the OAuth certificate needs some time to be published.

    As you mentioned in the post, it may take 8 hours or more (up to 48 hours).


    "when I go to ECP URL to log in, it redirects to OWA URL: .../owa/auth/logon.aspx?replaceCurrent=1&url..."

    This may be the expected behavior, as this URL is used for authentication when logging in to ECP.

    If the session has expired, once you access ECP it redirects you to this URL to authenticate.

    "I found that the https 443 of the IIS Default Web Site certificate of exchange01 and exchange02 is bound to wmsvc-sha2 at the same time"

    Do you have a third-party (commercial) certificate?

    Normally it is the commercial certificate (or the Exchange self-signed certificate, if you don't want to use a commercial certificate) that is bound to the IIS Default Web Site.




  4. uranus829 66 Reputation points
    2023-02-06T03:49:06.3433333+00:00

    Hi, now it can be accessed normally after 8 hours. Every time the auth certificate is updated, it is like this. How can I solve this problem? The following link says that CU12 has solved the UTC time zone problem, but this problem still occurs if access goes through the load balancing device.

    https://support.microsoft.com/en-us/topic/invalid-new-auth-certificate-for-servers-that-are-not-on-utc-time-zone-kb5012779-583ad7df-2a41-4479-8f11-e7aa2cb23401
