Exchange Server Server Error in '/owa' Application

You may encounter problems when trying to access OWA or ECP. The “Exchange Server OWA / ECP; ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length” error is mostly caused by the SSL certificate configuration on your server. These errors are encountered more frequently after the Microsoft Exchange Server July 2021 update in particular.

The schema expansion that came with this update also brought to light some existing configuration issues.

  • The error usually occurs because the Microsoft Exchange Server Auth Certificate (OAuth) has expired or is not configured properly.
  • You may experience problems accessing ECP and OWA when a valid SSL certificate is not assigned in IIS on your Exchange servers.
  • Certificates play a critical role in ensuring safe access to Exchange Server's OWA and ECP services.

What is Exchange Server Auth Certificate?

The Microsoft Exchange Server Auth Certificate is provided by default with the Exchange Server installation and has a validity period of five years. The expiration of this certificate is often overlooked in daily operations because many organizations plan to migrate to a new version of Exchange Server within five years and may retire their old systems.

Exchange Server uses Transport Layer Security (TLS) to communicate securely with internal servers (ADFS etc.) and various Exchange services. However, since it also communicates regularly with external clients, various certificates can be used for different purposes in on-premises Exchange Server configurations.

One of these certificates, the 'Microsoft Exchange Server Auth Certificate', is also used for cross-server authentication and for communicating with other services such as SharePoint Server.

Renewing this certificate before it expires is critical to ensure uninterrupted service and secure data communication.

Exchange Server, Server Error in '/OWA' Application Error

When we have problems accessing the ECP and OWA pages on Exchange Server, we may receive errors such as the one below.

This error, which we experience while accessing the OWA and ECP pages on Exchange Server, generally occurs when the Auth Certificate has expired or there is no valid SSL certificate on IIS.
[ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1]
Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +241
Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert(Boolean condition, String formatString, T1 parameter1, T2 parameter2) +2687950
Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +363
Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +140
Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +14
Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +1032
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +3579
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +257
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1528
Microsoft.Exchange.HttpProxy.<>c__DisplayClass280_0.b__0() +303
Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func2 filterDelegate, Action1 catchDelegate) +35
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method) +59

[AggregateException: One or more errors occurred.]
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +414
System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172

Solving the Problem of Accessing Exchange Server ECP and OWA Pages

Microsoft Exchange Server Auth Certificate Renewal

First, start the Exchange Management Shell (EMS) and create a new OAuth certificate using the following PowerShell command. In this command, replace YourDomain.com with your own domain name:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "YourDomain.com"

While creating the new Auth Certificate, you will be asked whether to overwrite the existing SMTP certificate. Answer 'Y' to continue. When the certificate is successfully created, an alphanumeric thumbprint is generated. Make a note of this thumbprint for use in the next steps.

To activate the certificate, specify the thumbprint and activation date of the new certificate using the following command:

Set-AuthConfig -NewCertificateThumbprint "YourNewCertificateThumbprint" -NewCertificateEffectiveDate (Get-Date)

Set-AuthConfig

  • This cmdlet is used to update the authentication configuration on Exchange servers. OAuth authentication and other related settings are managed by this cmdlet.

-NewCertificateThumbprint

  • This parameter specifies the thumbprint of the new OAuth certificate. This value is an alphanumeric string obtained when the certificate is created, which is a unique identifier of the certificate.

-NewCertificateEffectiveDate

  • This parameter specifies the date when the new certificate will become valid. Usually, this value is the moment the command is run (Get-Date) so that the certificate becomes effective immediately.

Replace YourNewCertificateThumbprint with the actual thumbprint value of the new certificate.

When you run the above command, you will be asked for confirmation to activate the certificate. Answer 'Y' to confirm the action.

To publish the newly created Microsoft Exchange Auth certificate to all servers, run the following command. This command will publish the new certificate to all Exchange servers in your environment:

Set-AuthConfig -PublishCertificate

To clear the old OAuth certificate key from the system, simply use the following command.

Set-AuthConfig -ClearPreviousCertificate

Finally, you need to restart the Microsoft Exchange Service Host service. You can do this via PowerShell with the following command, or restart the service manually via services.msc:

Restart-Service "MSExchangeServiceHost"

We have completed the Exchange Server Auth Certificate creation process and restarted the MSExchangeServiceHost service. Now we need to restart our IIS services.

IIS Restart (IISRESET)

The IISRESET command allows you to restart all Internet Information Services (IIS) services. This command affects all web applications and websites running on the server. You can run the command directly in Command Prompt (CMD):

IISRESET

Restarting IIS Web App Pool

Exchange Server has special IIS Application Pools (App Pools) for ECP (Exchange Control Panel) and OWA (Outlook Web App). These pools manage the running environment of specific web applications.

The following PowerShell commands restart each application pool individually:

Restart-WebAppPool "MSExchangeOWAAppPool"
Restart-WebAppPool "MSExchangeECPAppPool"

It may take approximately 2-3 hours for the Auth Certificate renewal to propagate and activate throughout the system. During this time, you should avoid making major changes to the system or restarting the server so that the certificates are distributed properly.

Exchange Server Auth Certificate Deletion Steps

It is important to remove any unused or old Auth Certificate from Microsoft Exchange Server. You can do this through ECP (Exchange Admin Center) or by using Exchange Management Shell (EMS).

Remove OAuth Certificate via ECP (Exchange Admin Center)

  • Log in to ECP, go to the 'Servers' tab and click on the 'Certificates' section.
  • Among the listed certificates, find the old OAuth certificate you want to delete. Confirm that it is the correct certificate using the thumbprint of the certificate you just created.
  • Remove the old certificate from the system by clicking the "Remove" button next to it. This will completely remove the certificate from the system.

Remove OAuth Certificate via EMS (Exchange Management Shell)

  • Start EMS: Open the Exchange Management Shell.
  • To see all available certificates, you can use the following command:
Get-ExchangeCertificate | Format-List Subject, Thumbprint, Services
  • Determine the thumbprint of the certificate you want to remove.
  • You can remove the relevant certificate with the following command:
Remove-ExchangeCertificate -Thumbprint "47D45E9E2A6AF54463B3FF7D3EA74B0E2C8BCC79"

Important notes

  • Security precautions: Before removing the certificate, make sure that this certificate does not serve any other function in the system. Especially in hybrid environments, integrations with Azure AD may depend on these certificates.
  • Backup recommendation: Before permanently removing the certificate, it is always better to observe for at least a week whether the removal of the certificate has any negative impact on the system.
  • Hybrid environments: If you have a Hybrid configuration, make sure the connections to Azure AD are updated by running the Hybrid Configuration Wizard after any certificate change.
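
The following script is an added example, not part of the original article. It supports both the renewal steps and the removal precautions above by listing every Auth certificate on each server with its role in Get-AuthConfig, its assigned services and its remaining lifetime. The 60-day warning window and the variable names are assumptions.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Read-only: it only queries AuthConfig and the certificate lists.
$warnDays   = 60   # assumption: warning window in days, adjust to your renewal policy
$authName   = 'CN=Microsoft Exchange Server Auth Certificate'
$authConfig = Get-AuthConfig

# Map thumbprints referenced by AuthConfig to their role (Current assigned last so it wins)
$roles = @{}
if ($authConfig.PreviousCertificateThumbprint) { $roles[$authConfig.PreviousCertificateThumbprint] = 'Previous' }
if ($authConfig.NextCertificateThumbprint)     { $roles[$authConfig.NextCertificateThumbprint]     = 'Next' }
if ($authConfig.CurrentCertificateThumbprint)  { $roles[$authConfig.CurrentCertificateThumbprint]  = 'Current' }

$servers = Get-ExchangeServer
$report = foreach ($server in $servers) {
    # Servers that cannot be queried (for example Edge Transport) are skipped silently
    $certs = Get-ExchangeCertificate -Server $server.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $authName -or $roles.ContainsKey($_.Thumbprint) }
    foreach ($cert in $certs) {
        [pscustomobject]@{
            Server     = $server.Name
            Thumbprint = $cert.Thumbprint
            AuthRole   = if ($roles.ContainsKey($cert.Thumbprint)) { $roles[$cert.Thumbprint] } else { 'Unreferenced' }
            Services   = $cert.Services
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}
$report | Sort-Object Server, AuthRole | Format-Table -AutoSize

# Renewal check: the current Auth certificate must exist on every server and not be near expiry
$current = @($report | Where-Object { $_.AuthRole -eq 'Current' })
foreach ($server in $servers) {
    if ($current.Server -notcontains $server.Name) {
        Write-Warning "$($server.Name): current Auth certificate not found (not published yet?)"
    }
}
$current | Where-Object { $_.DaysLeft -lt $warnDays } | ForEach-Object {
    Write-Warning "$($_.Server): Auth certificate $($_.Thumbprint) expires in $($_.DaysLeft) days"
}

# Removal check: only rows marked 'Unreferenced' are candidates for Remove-ExchangeCertificate
$report | Where-Object { $_.AuthRole -eq 'Unreferenced' } | Select-Object Server, Thumbprint, Services, NotAfter
```

An 'Unreferenced' row that still shows a service such as SMTP or IIS in the Services column is in use for something else and should not be removed on the basis of this output alone.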

IIS on Exchange Server

After resolving the "Server Error in '/owa' Application" error, we will focus on other potential error sources that we may encounter in the next step. This error usually occurs after a Cumulative Update (CU) installation on Exchange Server or is caused by changes in SSL certificates.

Server Error in ‘/owa’ Application.
https://CY-EX01-localhost/owa/auth/errorFE.aspx?CafeError=SSLCertificateProblem
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: CY-EX01-localhost/owa/auth/errorFE.aspx?CafeError=SSLCertificateProblem

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[HttpException (0x80004005): https://CY-EX01-localhost/owa/auth/errorFE.aspx?CafeError=SSLCertificateProblem]
Microsoft.Exchange.HttpProxy.FbaModule.OnBeginRequestInternal(HttpApplication httpApplication) +441
Microsoft.Exchange.HttpProxy.<>c__DisplayClass16_0.b__0() +1672
Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func2 filterDelegate, Action1 catchDelegate) +35
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +75
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +93

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.3928.0

Configuring Exchange Server Default Website SSL

  • Open the Default Web Site in the IIS console on the Exchange Server.
  • Open the HTTPS entries in the Site Bindings section and check whether the SSL certificates are assigned correctly.
  • If you have an SSL certificate obtained from a global CA, you can assign it in the SSL Certificate section.
  • After all SSL certificate assignments are completed, perform an IIS reset for the changes to take effect.
  • You must perform this operation on all HTTPS entries on the Default Web Site.

Exchange Server Exchange Back End SSL Configuration

  • Open the Exchange Back End site in the IIS console on the Exchange Server.
  • Open the HTTPS entries in the Site Bindings section and check whether the SSL certificates are assigned correctly.
  • Check the entry with type HTTPS and port 444; if no certificate is assigned here, a valid SSL certificate must be assigned.
  • If you have an SSL certificate obtained from a global CA, you can assign it in the SSL Certificate section.
  • After all SSL certificate assignments are completed, perform an IIS reset for the changes to take effect.
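
The binding checks described for the Default Web Site and the Exchange Back End site can also be done from PowerShell. This is an added example, not part of the original article; it assumes the WebAdministration module that ships with IIS, and the state labels are made up for this illustration.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell on the Exchange server.
# Read-only: reports the certificate behind every HTTPS binding of the two Exchange sites.
Import-Module WebAdministration

$sites  = 'Default Web Site', 'Exchange Back End'
$result = foreach ($site in $sites) {
    foreach ($binding in Get-WebBinding -Name $site -Protocol https) {
        $hash  = $binding.certificateHash
        # IIS stores the certificate store name with the binding; fall back to 'My' if it is empty
        $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
        $cert  = if ($hash) {
            Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $hash }
        }

        # State labels are assumptions chosen for this example
        $state = if (-not $hash)                        { 'NO CERTIFICATE ASSIGNED' }
                 elseif (-not $cert)                    { 'CERTIFICATE NOT IN STORE' }
                 elseif ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' }
                 elseif (-not $cert.HasPrivateKey)      { 'NO PRIVATE KEY' }
                 else                                   { 'OK' }

        [pscustomobject]@{
            Site       = $site
            Binding    = $binding.bindingInformation   # e.g. *:443: or *:444:
            Thumbprint = $hash
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            State      = $state
        }
    }
}
$result | Format-Table -AutoSize

# Anything that is not 'OK' needs a certificate assigned in Site Bindings, followed by an IIS reset
$result | Where-Object { $_.State -ne 'OK' } | ForEach-Object {
    Write-Warning "$($_.Site) [$($_.Binding)]: $($_.State)"
}
```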

After these operations are completed, you can access 'OWA' and 'ECP' without any problems.
