Exchange 2019 CU 12 Cannot login to ECP after installing new SSL certificate

uranus829 66 Reputation points
2023-02-05T00:45:34.27+00:00

Hello everyone,

Recently on our Exchange 2019 CU12 server, I updated an Auth Certificate, installed a new certificate, and verified that I can access ECP and log in to OWA with the IP addresses of two Exchange servers, and I am using the new certificate. But an SLB is used in the environment, and the SLB VIP is used to log in and access. When I go to the ECP URL to log in, it redirects to the OWA URL:

.../owa/auth/logon.aspx?replaceCurrent=1&url...

The following IIS recycling commands have been executed, and it does not work.

[PS] C:\>Restart-WebAppPool "MSExchangeOWAAppPool"

[PS] C:\>Restart-WebAppPool "MSExchangeECPAppPool"

The strange thing is that after waiting for 8 hours, the SLB VIP access is normal. I think the CU12 version still does not solve the problem of UTC time zone, although there is no phenomenon of "ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1" in the previous version.

Admin please help, thanks


Accepted answer
  1. Kael Yao-MSFT 37,576 Reputation points Microsoft Vendor
    2023-02-07T07:36:31.8+00:00

    Hi @uranus829

    Glad to hear that and thanks for sharing.

    Due to the forum policy, the original poster cannot accept their own reply as the answer to the question.

    I have written a summary of this issue.

    Please feel free to accept it as the answer to highlight the solution to help other community members.

    Thanks for your understanding.


    [Exchange 2019 CU 12 Cannot login to ECP after installing new SSL certificate - Summary]

    Issue Symptom:
    scenario: two Exchange 2019 CU 12 servers and load balancer

    Once the Exchange OAuth certificate is updated, accessing the ECP URL (pointed to the load balancer) would be redirected to the login page, causing the login to loop.

    It may take about 8 hours for it to work correctly.

    Solution:
    Refer to the Workaround part in this link:

    Cannot log in to OWA or ECP after July 2021 SU for Exchange Server 2019, 2016, and 2013 (KB 5005341)

    You can work around the issue that's described in the "Cause 2" section by setting the persistence to “source-ip” in the load balancer configuration.

    1 person found this answer helpful.
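The source-IP persistence named in the workaround above, sketched as an HAProxy configuration. This is an added example, not part of the original thread or of KB 5005341; the VIP, server addresses, backend names, table size and timeouts are constructed placeholders, and TLS passthrough (`mode tcp`) is an assumption.

```haproxy
# Added example (constructed): all names, addresses and timers are placeholders.
# TLS is passed through to the Exchange servers, so the proxy runs in tcp mode.

defaults
    mode tcp
    timeout connect 5s
    timeout client  1h
    timeout server  1h

frontend exchange_https
    bind 192.0.2.10:443                 # placeholder for the SLB VIP
    default_backend exchange_servers

# Before: no persistence. Successive connections from one client can be
# sent to different Exchange servers.
# backend exchange_servers
#     balance roundrobin
#     server exchange01 192.0.2.21:443 check
#     server exchange02 192.0.2.22:443 check

# After: source-IP persistence. The stick table records which server a
# client address was sent to and keeps sending that address to it.
backend exchange_servers
    balance roundrobin
    stick-table type ip size 100k expire 30m
    stick on src
    server exchange01 192.0.2.21:443 check
    server exchange02 192.0.2.22:443 check
```

Source-IP persistence keys on the address the load balancer sees, so all clients behind one NAT or upstream proxy are pinned to the same server.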

5 additional answers

  1. uranus829 66 Reputation points
    2023-02-06T05:31:31.5433333+00:00

    Hi,

    Yes, both Exchange 2019 servers have reached CU12. If you use the IP addresses of exchange01 and exchange02, you can log in normally. But as I just mentioned, we use SLB load balancing equipment here, and use the virtual IP address to access the two Exchange servers. Yes, this virtual IP address access has a time zone problem. For example, both Kemp LoadMaster and HAProxy have tested the same.
