After KB5004778 update, unable to access OWA & ECP (http code 500)

EM Support 36 Reputation points
2021-07-18T01:59:12.187+00:00

Exchange 2013 CU23
After logging in to OWA or ECP, I encountered HTTP code 500.
Before that, I had installed security update KB5004778 (after a few failed attempts).

I followed "OWA or ECP stops working after you install a security update" but failed.
https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/owa-stops-working-after-update
I ran security update KB5004778 again without any issue.
But I still got http code 500.
Please advise, thanks.


Accepted answer
  1. Kael Yao-MSFT 37,661 Reputation points Microsoft Vendor
    2021-07-19T01:40:56.317+00:00

    Hi @EM Support

    Sorry I need to add the following questions to get some more information:

    1. Is it a standalone Exchange server?
    2. Can you find some error events in the Event Viewer>Application log?
    3. Can Exchange Management Shell be opened without any problems?

    And was the detailed HTTP 500 error message "HMACProvider.GetCertificates:protectionCertificates.Length<1"?

    If that is the case, this issue may be caused by the OAuth certificate being missing or expired.

    Please run this command to first check if the OAuth certificate is missing or expired:

    Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint  
    

    If there is no result returned or the OAuth certificate has expired, please follow this link to create a new OAuth certificate and see if it can get rid of the problem.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
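
The check described in the accepted answer, extended into a read-only report (an added example, not part of the original answer). It assumes the Exchange Management Shell; the report column names and status labels are illustrative, and Edge servers are skipped on the assumption that they cannot be queried remotely.

```powershell
# Added example: read-only check of the OAuth (Server Auth) certificate.
# Run in the Exchange Management Shell. Nothing is modified.
$auth = Get-AuthConfig
$now  = Get-Date

# Thumbprints referenced by the auth configuration. Only "Current" is mandatory;
# "Previous" and "Next" are populated during a certificate rollover.
$refs = [ordered]@{
    Current  = $auth.CurrentCertificateThumbprint
    Previous = $auth.PreviousCertificateThumbprint
    Next     = $auth.NextCertificateThumbprint
}

# Assumption: Edge servers are excluded from the per-server lookup.
$servers = Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -notmatch 'Edge' }

$report = foreach ($role in $refs.Keys) {
    $thumb = $refs[$role]
    if ([string]::IsNullOrEmpty($thumb)) {
        if ($role -eq 'Current') {
            # No current thumbprint at all: same outcome as "no result returned".
            [pscustomobject]@{ Role = $role; Server = '-'; Thumbprint = '-'
                               NotBefore = $null; NotAfter = $null
                               Status = 'NOT CONFIGURED' }
        }
        continue
    }
    foreach ($server in $servers) {
        # The lookup errors out when the thumbprint is not in the server's store.
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumb `
                    -ErrorAction SilentlyContinue
        $status = if (-not $cert) { 'MISSING' } `
            elseif ($cert.NotAfter  -lt $now) { 'EXPIRED' } `
            elseif ($cert.NotBefore -gt $now) { 'NOT YET VALID' } `
            elseif (-not $cert.HasPrivateKey) { 'NO PRIVATE KEY' } `
            else { 'OK' }
        [pscustomobject]@{ Role = $role; Server = $server.Name; Thumbprint = $thumb
                           NotBefore = $cert.NotBefore; NotAfter = $cert.NotAfter
                           Status = $status }
    }
}

$report | Format-Table -AutoSize
```

Any status other than OK on the Current row corresponds to the "missing or expired" condition the answer asks about; the Previous and Next rows are informational.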


11 additional answers

  1. EM Support 36 Reputation points
    2021-07-24T03:24:17.73+00:00

    Source: MSExchange Front End HTTP Proxy
    Event ID: 1003
    Description:
    [Owa] An internal server error occurred. The unhandled exception was: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

    All my certificates are still valid; they expire in 2023.
    But I still proceeded to create an OAuth certificate.

    1) New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "domain.com"
    2) No - for Overwrite the existing default SMTP certificate
    3) Get-ExchangeCertificate |fl (to confirm new Auth Certificate's thumbprint)
    4) Set-AuthConfig -NewCertificateThumbprint 1B8C8682D9C09167D5D18B926B4EED6D12345678 -NewCertificateEffectiveDate (Get-Date)
    5) Yes - Confirm
    6) Set-AuthConfig -PublishCertificate
    7) Set-AuthConfig -ClearPreviousCertificate
    8) Restart Microsoft Exchange Service Host Service
    9) IISReset
    I waited more than 12 hours to be able to access OWA and ECP.
    Thank you, everyone.

    2 people found this answer helpful.

  2. Filip Kohout 6 Reputation points
    2021-07-22T10:36:32.63+00:00

    Now it WORKS!

    Exchange 2013 CU23, KB5004778

    1. Renew Auth Certificate > https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired?preserve-view=true#resolution

    Note: (Get-Date) - Check timezone! I recommend setting the server timezone to UTC. You can wait. It depends on your timezone.

    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "contoso.com"

    !!!No install for SMTP certificate!!!

    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)

    Set-AuthConfig -PublishCertificate

    Set-AuthConfig -ClearPreviousCertificate

    iisreset

    2. Update Schema 2013 CU23 > https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421 / without schema update does not work!

    • Install July 2021 Security Update for Exchange 2013
    • Extend the Active Directory schema using the elevated Command prompt. Command will be similar to the following:

    “Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms” using the setup.exe from location “c:\Program Files\Microsoft\Exchange Server\V15\Bin\setup.exe” (use the folder for the installation location of your Exchange server)

    NOTES:

    • For Exchange 2013 only, schema version will not change after this.
    • In case of Schema Master existing in an empty root domain, consider installing Exchange CU23 Management Tools on Windows 2012 R2 in the same domain, installing July SU and then running /PrepareSchema from that workstation.
    1 person found this answer helpful.

  3. Manu Philip 18,696 Reputation points MVP
    2021-07-18T02:41:48.877+00:00

    Can you check if the bindings are assigned correctly in the IIS console for both websites (Default website and Exchange Backend)?



  4. Giorgio Busoni 1 Reputation point
    2021-07-19T18:52:04.89+00:00

    I also have the same issue. I tried to run the command, it returned a thumbprint. Services: only S listed.
    I have checked the binding, seems correct. Default website has the usual certificate, while backend has no certificate assigned.
