EX2019-CU10 OWA/ECP not working after July Security Update

asked 2021-07-14T19:07:37.263+00:00
Emil Gustafsson 266 Reputation points

Hello,

After installing the July Security update, access to ECP and OWA is broken.
Mail Flow works, but accessing OWA or ECP returns the following error:

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

It also logs error 1003 to the Event Logs.

As many others have suggested, we have tried replacing the OAuth certificate according to this: https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired several times. We also waited >60 minutes after doing it, but the error persists, even after a full server reboot.

Please advise on what to do next.

Full Stack Trace Here:

Server Error in '/owa' Application.  
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1  
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.  
  
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1  
  
Source Error:  
  
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  
  
Stack Trace:  
  
  
[ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1]  
   Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +241  
   Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert(Boolean condition, String formatString, T1 parameter1, T2 parameter2) +2694334  
   Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +363  
   Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +140  
   Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +14  
   Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +1032  
   Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +3581  
   Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20  
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +257  
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1528  
   Microsoft.Exchange.HttpProxy.<>c__DisplayClass280_0.<OnCalculateTargetBackEndCompleted>b__0() +303  
   Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate) +35  
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method) +59  
  
[AggregateException: One or more errors occurred.]  
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +414  
   System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231  
   System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172  
  
  
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4330.0   

Accepted answer
  1. answered 2021-07-14T21:08:15.277+00:00
    Willem Hendrik Berkhof 96 Reputation points

    Following these instructions has solved the problem:
    https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired

    But it does take time (more than one hour) before it works.


10 additional answers

  1. answered 2021-07-15T23:40:58.97+00:00
    Mike Grant 31 Reputation points

    I suspect this command:

    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)

    does not take the timezone into account. I'm in NZ with a +12 timezone, and that's about how long it took after I ran the command for it to start working.

    Some people are saying it worked immediately, some 1 hour and someone posted it took 4 hours for them. This may correlate to their timezone?

    Maybe try:

    $Time = Get-Date

    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate $Time.ToUniversalTime()
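
A read-only check for the Exchange Management Shell, added here as an example and not part of any answer in this thread: it lists the thumbprints that Get-AuthConfig reports, whether each one resolves to an unexpired certificate on the server, and the stored effective date next to the current local and UTC time. The function name Get-AuthCertificateState is hypothetical.

```powershell
# Added example (not from the thread): read-only view of the OAuth certificate
# slots in the auth configuration. Run in the Exchange Management Shell.
# The function name Get-AuthCertificateState is hypothetical.
function Get-AuthCertificateState {
    $auth   = Get-AuthConfig
    $nowUtc = (Get-Date).ToUniversalTime()

    $slots = [ordered]@{
        Current  = $auth.CurrentCertificateThumbprint
        Next     = $auth.NextCertificateThumbprint
        Previous = $auth.PreviousCertificateThumbprint
    }

    $certs = foreach ($slot in $slots.GetEnumerator()) {
        if ([string]::IsNullOrEmpty($slot.Value)) { continue }
        # Look the thumbprint up on this server; a miss returns nothing.
        $cert = Get-ExchangeCertificate -Thumbprint $slot.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Slot          = $slot.Key
            Thumbprint    = $slot.Value
            FoundOnServer = [bool]$cert
            HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $null }
            NotAfterUtc   = if ($cert) { $cert.NotAfter.ToUniversalTime() } else { $null }
            Expired       = if ($cert) { $cert.NotAfter.ToUniversalTime() -lt $nowUtc } else { $null }
        }
    }

    $effective = $auth.NextCertificateEffectiveDate
    [pscustomobject]@{
        NowLocal          = Get-Date
        NowUtc            = $nowUtc
        NextEffectiveDate = $effective   # value as stored in the auth configuration
        NextEffectiveKind = if ($effective) { $effective.Kind } else { $null }
        Certificates      = $certs
    }
}

$state = Get-AuthCertificateState
$state | Format-List NowLocal, NowUtc, NextEffectiveDate, NextEffectiveKind
$state.Certificates | Format-Table -AutoSize
```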


  2. answered 2021-07-14T22:56:06.807+00:00
    Romeo S 16 Reputation points

    Same error with Exchange 2013 CU23. Replaced the OAuth certificate about an hour ago but no luck yet. Our original OAuth certificate did not expire until 2024.

    I followed these steps to replace the OAuth cert:
    https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired


  3. answered 2021-07-14T19:33:59.64+00:00
    Emil Gustafsson 266 Reputation points

    Our Exchange does handle multiple SMTP domains. The certificate was issued for the one marked default by Get-AcceptedDomain.

    Would I have to do this for all domains in the server?


  4. answered 2021-07-14T19:59:37.61+00:00
    Willem Hendrik Berkhof 96 Reputation points

    Same problem here since the Exchange security update last night. Recreating and assigning a new certificate will not resolve the problem.
    Outlook works fine, but OWA and ECP only work up to the sign-in page; after typing credentials it gives the message.

    Hope someone can help to fix this!