Can't sign in to Outlook on the web or EAC if Exchange Server OAuth certificate is expired

  • Article
  • Applies to:
    Exchange Server 2019, Exchange Server 2016, Exchange Server 2013, Exchange Server 2010

Original KB number:   2617816

Symptoms

When you try to sign in to Outlook on the web or the EAC in Exchange Server, the web browser freezes or reports that the redirect limit was reached. Additionally, Event 1003 is logged in the event viewer. For example, the following entry is logged:

Event ID: 1003
Source: MSExchange Front End HTTPS Proxy
[Owa] An internal server error occurred. The unhandled exception was: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)

Note

The EAC was introduced in Exchange Server 2013, and replaces the Exchange Management Console (EMC) and the Exchange Control Panel (ECP), which were the two management interfaces in Exchange Server 2010.

Cause

This issue occurs if the Exchange Server Open Authentication (OAuth) certificate is expired, not present, or not configured correctly.

Resolution

To check the status of your existing OAuth certificate, run the following command in the Exchange Management Shell:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

If the command returns an error, or the certificate has expired, use the following steps to create and deploy a new OAuth certificate to the Exchange server:

  1. Create a new OAuth certificate by running the following command:

    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

  2. Set the new certificate for server authentication. To do this, run the following commands:

    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

  3. Restart the Microsoft Exchange Service Host Service.

  4. Either run the IISReset command to restart IIS or run the following commands (in elevated mode) to recycle the Outlook on the web and EAC application pools:

    Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

    Note

    In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again to update the changes to Microsoft Entra ID.

More information

To check the expiration date of your certificate, follow these steps:

  1. Open the Microsoft Management Console. To do this, open the Run box (Windows logo key+R), enter MMC, and then press Enter.

    Note

    If you are prompted for an administrator password or for confirmation, type the password or select Yes.

  2. Select File > Add/Remove Snap-in > Select Certificates > Add > Computer Account, and then select Finish to close the window.

  3. Find the Microsoft Exchange Server Auth Certificate entry in the Personal > Certificate folder, and verify the expiration date.