Broken OWA/ECP

After installing a new Exchange 2016 server into an environment where they only had an Exchange 2010 server, I was unable to log in to the Exchange Admin Center with the following error:

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

 Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

The Exchange Federation certificate had expired and needed replacing. You can get the current Federation certificate using the Exchange Management Shell and running the following:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | fl

As you can see, the certificate expired back in January 2020 and needs to be replaced with a new certificate. Run the following command to create the certificate:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

Next we need to set the Auth Config with the newly created certificate, using the thumbprint returned by the previous command in place of the one shown here:

Set-AuthConfig -NewCertificateThumbprint 277D3768D526EB96B51EFC891DF040166B4B306A -NewCertificateEffectiveDate (Get-Date)

You can validate the previous command by running Get-AuthConfig and checking that the NextCertificateThumbprint value matches the certificate you created.

The next step is to publish the certificate:

Set-AuthConfig -PublishCertificate

Again, you can validate the results by running Get-AuthConfig and checking that CurrentCertificateThumbprint is now set to the new certificate's thumbprint.

Since the old certificate has expired you can clear it from the config by running:

Set-AuthConfig -ClearPreviousCertificate

The final step is to recycle the IIS App Pools for OWA and ECP:

Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

Now the login for Exchange Admin Center is working.
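A check for the condition behind this outage, as an added example that is not part of the original post: it reports whether the certificate referenced by Get-AuthConfig is present on the server and how many days it has left, and can confirm that a newly published thumbprint is now the current one. The function name and its -WarnDays and -ExpectedThumbprint parameters are hypothetical; run it in the Exchange Management Shell.

```powershell
# Added example, not from the original post. Function and parameter names are hypothetical.
function Test-AuthCertificate {
    param(
        [int]$WarnDays = 60,          # report ExpiringSoon below this many days
        [string]$ExpectedThumbprint   # optional: the thumbprint you just published
    )

    $auth  = Get-AuthConfig
    $thumb = $auth.CurrentCertificateThumbprint
    $result = [pscustomobject]@{
        CurrentThumbprint = $thumb
        NextThumbprint    = $auth.NextCertificateThumbprint
        NotAfter          = $null
        DaysRemaining     = $null
        Status            = 'Unknown'
    }

    if ([string]::IsNullOrEmpty($thumb)) {
        $result.Status = 'NoCurrentCertificate'
        return $result
    }

    # The thumbprint in the auth config may point at a certificate
    # that is no longer in this server's certificate store.
    $cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
    if (-not $cert) {
        $result.Status = 'CertificateMissingOnServer'
        return $result
    }

    $result.NotAfter      = $cert.NotAfter
    $result.DaysRemaining = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    if ($ExpectedThumbprint -and ($thumb -ne $ExpectedThumbprint)) {
        $result.Status = 'NotYetPublished'   # rotation has not taken effect yet
    } elseif ($result.DaysRemaining -lt 0) {
        $result.Status = 'Expired'           # the state that broke OWA/ECP here
    } elseif ($result.DaysRemaining -lt $WarnDays) {
        $result.Status = 'ExpiringSoon'
    } else {
        $result.Status = 'OK'
    }
    return $result
}

Test-AuthCertificate -WarnDays 60 | Format-List
```

Run on a schedule, a Status other than OK gives warning before the certificate lapses; after a rotation, pass the new thumbprint as -ExpectedThumbprint to confirm it has become the current certificate.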
