The account DOMAIN\Administrator provided valid credentials, but is not authorized to use the server; failing authentication.

Tom Hoang 0 Reputation points
2025-11-17T18:31:08.6633333+00:00

I'm running Exchange 2013 on a Windows 2019 server. Recently I updated an expiring certificate and now I'm unable to log in to OWA or EAC. Some of the errors are Event ID 1020 "not authorized to use the server" and Event ID 1309 WebEvent ASP.NET 4.0.30319.0 Unhandled exception. The OWA page appears but it does not authenticate anyone, just simply looping back to the sign-in page.

Exchange | Exchange Server | Management

3 answers

  1. Q&A Assist
    2025-11-17T18:31:35.12+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The issue you are experiencing with the Exchange Server 2013 after updating the certificate could be related to the OAuth certificate or permissions on the server. Here are some steps you can take to troubleshoot and resolve the problem:

    1. Check OAuth Certificate: Run the following command in the Exchange Management Shell to check the status of your existing OAuth certificate:
         (Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List
      
      If the command returns an error or the certificate has expired, you will need to create and deploy a new OAuth certificate.
    2. Create New OAuth Certificate: If necessary, create a new OAuth certificate using the following command:
         New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
      
    3. Set New Certificate for Authentication: Set the new certificate for server authentication with these commands:
         Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep2> -NewCertificateEffectiveDate (Get-Date)
         Set-AuthConfig -PublishCertificate
         Set-AuthConfig -ClearPreviousCertificate
      
    4. Restart Services: Restart the Microsoft Exchange Service Host Service and run the following commands to recycle the Outlook on the web and EAC application pools:
         Restart-WebAppPool MSExchangeOWAAppPool
         Restart-WebAppPool MSExchangeECPAppPool
      
    5. Check Permissions: Ensure that the computer object is not part of any group that denies the ms-Exch-EPI-Token-Serialization user right, which can cause authorization issues. You may need to remove the computer object from such groups.
    6. IIS Reset: Finally, run the iisreset command to restart IIS and verify if you can now access OWA and EAC without errors.

    Following these steps should help you resolve the authentication issues you are facing with OWA and EAC.



  2. Hani-Ng 5,790 Reputation points Microsoft External Staff Moderator
    2025-11-18T04:50:01.43+00:00

    Hi Tom Hoang

    Thank you for posting your question in the Microsoft Q&A forum regarding the issues related to your Exchange 2013 server.

    Based on your description, I understand that after a recent SSL certificate update, you are unable to log in to the Outlook Web App (OWA) or the Exchange Admin Center (EAC). The login page reappears after credential submission, and the server is logging Event ID 1020 ("not authorized to use the server") and Event ID 1309 (ASP.NET Unhandled Exception).

    I would like to provide some information from my side, which I hope will be useful.

    Both errors are symptoms of a single problem - a disruption in the server's internal communication. Your password is correct, but the front-end login service cannot connect to the back-end mailbox service. This is because the back end is not configured to use the new SSL certificate. This single misconfiguration triggers the "not authorized" error, which then causes the application to stop working.

    Before proceeding, please note that your server's configuration of Exchange 2013 on Windows Server 2019 has reached its end of support. Therefore, my recommended solution is based on my knowledge and research of this situation. You may refer to it, and I hope it is at least partially helpful for you.

    Correct the Exchange Back End Certificate Binding - An unsupported configuration can introduce unique variables. The new certificate must be manually bound to the back-end website in IIS. Please open IIS Manager on your Exchange server to edit the Back End Site Bindings:

    • In the Connections pane on the left, expand your server's name, then expand Sites > Select the Exchange Back End site.
    • In the Actions pane on the right, click Bindings....
    • In the Site Bindings window, select the entry for https on port 444, and click Edit....
    • From the SSL certificate dropdown menu, select your newly installed, valid SSL certificate. You can use the "View..." button to confirm its expiration date and details > Click OK, then click Close.

    After that, restart IIS. Open an administrative Command Prompt or PowerShell window and run the following command to apply the changes:

    iisreset

    After the services restart (around 60 seconds), please attempt to log in to OWA or EAC again.

    I hope these suggestions provide some helpful ideas. If you need further assistance, feel free to ask via the comments section.


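An added example, not part of the original thread or either answer: a read-only PowerShell check that combines the two procedures above, reporting which certificate is bound to each Exchange IIS site and which one the Auth configuration references, and whether each is present, has a private key and is within its validity period. The `Default Web Site` name on port 443 is an assumption (the usual Exchange front-end site); `Get-CertHealth` is a hypothetical helper defined here.

```powershell
# Added diagnostic sketch; run in an elevated Exchange Management Shell on the server.
# Read-only: it changes no binding, certificate or Auth configuration.
Import-Module WebAdministration

# "Exchange Back End" on 444 comes from the answer above; "Default Web Site" on 443
# is assumed to be the front-end site.
$targets = @(
    @{ Site = 'Default Web Site';  Port = 443 },
    @{ Site = 'Exchange Back End'; Port = 444 }
)

# Hypothetical helper: describe the state of a certificate in LocalMachine\My.
function Get-CertHealth {
    param([string]$Thumbprint)
    if (-not $Thumbprint) { return 'no certificate bound' }
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)                     { return 'not found in LocalMachine\My' }
    if (-not $cert.HasPrivateKey)       { return 'no private key' }
    if ($cert.NotAfter -lt (Get-Date))  { return "expired $($cert.NotAfter)" }
    if ($cert.NotBefore -gt (Get-Date)) { return "not valid until $($cert.NotBefore)" }
    return "valid until $($cert.NotAfter)"
}

$report = @(foreach ($t in $targets) {
    $bindings = Get-WebBinding -Name $t.Site -Protocol https -Port $t.Port
    if (-not $bindings) {
        [pscustomobject]@{ Check = "$($t.Site):$($t.Port)"; Thumbprint = $null; Status = 'binding missing' }
        continue
    }
    foreach ($b in $bindings) {
        [pscustomobject]@{
            Check      = "$($t.Site) $($b.bindingInformation)"
            Thumbprint = $b.certificateHash
            Status     = Get-CertHealth -Thumbprint $b.certificateHash
        }
    }
})

# OAuth (server auth) certificate referenced by the organization's Auth configuration.
$authThumb = (Get-AuthConfig).CurrentCertificateThumbprint
$report += [pscustomobject]@{
    Check      = 'AuthConfig CurrentCertificateThumbprint'
    Thumbprint = $authThumb
    Status     = Get-CertHealth -Thumbprint $authThumb
}

$report | Format-Table -AutoSize -Wrap
```

Any row whose status is not "valid until ..." marks the binding or Auth certificate to examine first.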

  3. Tom Hoang 6 Reputation points
    2025-11-18T05:13:21.72+00:00

    That did not work. After entering the correct credential the page cycles back to the sign-in screen again.

