This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello,
After installing the July Security update access to ECP and OWA is broken.
Mail Flow works, but accessing OWA or ECP returns the following error:
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
It also logs error 1003 to the Event Logs.
As many others have suggested, we have tried replacing the OATH Certificate according to this: https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired several times, we also waited >60 minutes after doing it - but the error persists. Even after full server reboot.
Please advice on what to do next.
Full Stack Trace Here:
Server Error in '/owa' Application.
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1]
Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +241
Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert(Boolean condition, String formatString, T1 parameter1, T2 parameter2) +2694334
Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +363
Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +140
Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +14
Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +1032
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +3581
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +257
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1528
Microsoft.Exchange.HttpProxy.<>c__DisplayClass280_0.<OnCalculateTargetBackEndCompleted>b__0() +303
Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate) +35
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method) +59
[AggregateException: One or more errors occurred.]
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +414
System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4330.0
Same problem here since Exchange security update last night. Recreating and assigning a new certificate will not resolve the problem.
Outlook works fine!, but OWA and ECP only work to signin page, after typing credentials it gives the message.
Hope someone can help to fix this!
Followed this instructions has solved the problem:
https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
But is does take time (more then one hour) before it works.
Can confirm this.
I renew the cert for like the fifth time and then went to bed.
Woke up and saw this comment and checked, and mine works now too.
Same here, never had so much anxiety after waking up but at least I'm awake now :-))
Yeah really got the system going and jump out of bed didn't it :D
Yeah, you are right, my cert gonna expire on year 26 but at event viewer it don´´t stop to alert me since I did yesterday the "security Exchange 2016 update" and this link to renew and apply the new cert only to the auth, and wait a couple of hours, did it only in one server and it fix every OWAs and ECPs
thanks a lot, so fast to report this Microsoft fail, in my case I updated test enviroment, on saturday I´m gonna do on producction, we´ll see but I hope I only will have to do this on first room servers.
thanks a lot Willem
Best regards and keep save
Thank you so much for this link. We have a simple configuration, so going through all the steps all the way down through restarting IIS fixed our issue immediately. Now I can go back to being on vacation.
You can try to copy "Microsoft Exchange Server Auth Certificate" to the "Trusted Root Certification Authorities" on all servers in order to restore the ecp and owa functionality through hardware balancer.
For me these worked: if you go to specific server with http://server.domain/owa worked OK but for the https://vip.domain/owa the page prompted continously for credentials.
Thank youu
Works great. Thanks for the link. No waiting time. The problem was fixed after the last command.
Late installer to the game. Same issue here. The only certificate that I see that is expired is my Exchange Federation Delegation cert. is this the same one that you are referring to as expired?
Will following the link to fix the cert issues impact mail flow at all. We run hybrid.
What is this oAuth certificate used for? Could it be listed under a different name in my exchange certificates?
It worked for me after 5 hours of waiting, EXCH2016CU21
I suspect this command:
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Does not take the timezone into account, i'm in NZ with a +12 timezone and that's about how long it took after I ran the command for it to start working.
Some people are saying it worked immediately, some 1 hour and someone posted it took 4 hours for them. This may correlate to their timezone?
Maybe try:
$Time = Get-Date
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate $Time.ToUniversalTime()
Yes, I too think this is Time Zone related.
I tried using:
$Time = Get-Date
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate $Time.ToUniversalTime()
However I got:
You cannot call a method on a null-valued expression.
At line:1 char:1
I had this issue on 3 Servers all in UK. All 3 had to wait 1 hour after commands issued for it to take effect. I'm wondering iif this is because we are currently UTC +1 as its BST (British Summer Time). Would be interesting to know if this would have worked instantly if we was on UTC 0 when BST ends.
If anyone knows how to get this work work instantly in future would be appreicated.
Change timezone on Exchange server to UTC.
open new Exchange powershell Window
Check time with get-date (Existing powershell windows will have old timezone)
Run commands to generate new certificate.
And restart IIS and Service
Set timezone back to what it should be.
Should now work.
Mike.
Have all 3 of my servers online now, will try it on any future ones though
IIt worked for me with the following steps (I'm in +1 timezone):
Same error with Exchange 2013 CU23. Replaced the OAuth certificate about an hour ago but no luck yet. Our original OAuth certificate did not expire until 2024.
I followed these steps to replace the OAuth cert:
https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
Same here, I ran the July update from windows update, and had ECP and OWA not work with error above after restart. My OAuth doesn't expire until 2024. I ran the steps to replace it, and restarted the services Microsoft Exchange Service Host Service.
ran IISReset command to restart IIS. Then it started to work right away it seems, fingers crossed.
In my case it just took approx. 2 - 3 hours until it started working again. Seems to be all OK now, knock on wood...
Our Exchange does handle multiple SMTP-domains. The certificate was issued for the one marked default by Get-AcceptedDomain
Would I have to do this for all domains in the server?
I have an environment with multiple domains as well, and those domains are used as the primary email address depending on which department you are in. Did running this using the default domain from the Get-AcceptedDomain resolve the issue for you?
Thanks
Yeah it did, but it took a few hours.
First time I waited around 65 minutes, then I started troubleshooting - to no success. Redoing it multiple times etc.
So I did it for the default domain one last time, and went to bed since Mail Flow was working, OWA / ECP not working wasn't a deal breaker.
When I woke up, it worked.
Other have reported it taking up to 4 hours, so do the cert renewal and just say it'll take a few hours for it to fix.
I'm sure it's gonna work for you.
Same problem here since Exchange security update last night. Recreating and assigning a new certificate will not resolve the problem.
Outlook works fine!, but OWA and ECP only work to signin page, after typing credentials it gives the message.
Hope someone can help to fix this!
We manually uninstalled the Exchange 2019 CU9 security update (KB5004780) and OWA started working again.
Do you mind sharing the steps/process to uninstall the security update?
Same issue with Exchange 2013 CU23 after uninstalling July SU KB5004778 the issue was resolved. Then after checking the Exchange Team Blog you can see they added "Installation Tips"
Hi,
Are you accessing ECP/OWA via a load balanced URL? If so, try directly accessed from the server URL.
I experience the same error. Currently 2 servers, on one server the workaround to re-create the OAUTH certificate worked well. On the other one, it worked at first glance, but after the next reboot the error appeared again. After removing the Security Update KB5007480 everything's ok again.
As it is designated to be a "hybrid" server by next week, I of course do not want to operate this server without that update.
Does anybody experience the same issue where the re-creation of the OAUTH cert is not a permanent solution?
Has anybody solved that issue?
Cheers, Thomas
If you are running a local exchange server in Hybrid mode just run the latest version of the Hybrid Configuration Wizard and follow the steps to reconfigure the connection. Gave it 30 minutes after going through the configuration and now everything is working again.
If you are running a local exchange server in Hybrid mode just run the latest version of the Hybrid Configuration Wizard and follow the steps to reconfigure the connection. Gave it 30 minutes after going through the configuration and now everything is working again.
Sign in to comment