Unable to login to OWA – Encryption Certificate

I was recently working with a customer who had issues with logging into OWA. The users would get the following error:


Something went wrong

We can’t get that information right now. Please try again later.

X-FEServer: <servername>

Date: 8/3/2017 4:13:24 PM

In the event viewer under the application logs I found the following warnings:

Log Name: Application
Source: MSExchange OAuth
Date: 8/3/2017 11:13:08 AM
Event ID: 2004
Task Category: Configuration
Level: Warning
Keywords: Classic
User: N/A
Computer: <servername>


Unable to find the certificate with thumbprint EF6392A5E64713AD43598B7A0FF75080964FB096 in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.



To find the certificate that the authentication configuration is looking for, you can run:


I found that the certificate returned wasn’t listed when I ran the command Get-ExchangeCertificate. I was required to create a new Exchange certificate by running the following commands:


Now to set the AuthConfig to the newly created certificate we need to run the following:


Now when I check the AuthConfig you can see the updated certificate:


Within minutes, and without any service restarts, Managed Availability had determined OWA to be healthy:
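The check and replacement described in this post, as an added Exchange Management Shell example (not the author's original commands). The subject and friendly name of the new certificate, and making it effective immediately, are assumptions.

```powershell
# Added example: run in the Exchange Management Shell on an affected server.

# 1. Thumbprint that the OAuth configuration expects to sign outgoing tokens with.
$expected = (Get-AuthConfig).CurrentCertificateThumbprint

# 2. Is that certificate on this server, with a private key, and still valid?
$cert = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $expected }

if ($cert -and $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date)) {
    Write-Output "Auth certificate $expected is present and usable; nothing to change."
}
else {
    Write-Warning "Auth certificate $expected is missing, has no private key, or has expired."

    # 3. Create a replacement self-signed certificate (names are assumptions).
    #    If the cmdlet asks whether to overwrite the default SMTP certificate,
    #    answer No; this certificate is only used for OAuth token signing.
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate'

    # 4. Point the AuthConfig at the new certificate, publish it, and drop the
    #    reference to the old one. Confirm the effective-date prompt if it appears.
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint `
        -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate
}

# 5. Confirm which certificate the configuration now references.
Get-AuthConfig | Format-List CurrentCertificateThumbprint, PreviousCertificateThumbprint
```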

Mailbox Database Copy Failed

When working in HA environments it is possible for one of the mailbox database copies to be Failed and Suspended.

In this situation, depending on what is wrong, you can attempt to resume the copy or update the copy. The situation I came across recently was giving the following error:

A source-side operation failed. Error An error occurred while performing the seed operation. Error: The process cannot access the file ‘CiPT0000.000’ because it is being used by another process..

I was able to find information in the following article to help resolve the issue. https://social.technet.microsoft.com/Forums/exchange/en-US/19387e3b-95e7-47da-bea1-682947b71cfd/dag-copy-resedding-error?forum=exchange2010

I was required to:

  • Stop the Search Service
  • Delete the Catalog Directory
  • Start the Search Service
  • $Exscripts: .\ResetSearchIndex.ps1 -force "DB_Name"
  • Update-MailboxDatabaseCopy -CatalogOnly

Truncated Results in PowerShell

I was recently working with a receive connector that truncated the results of the remote IP ranges.

If you run the following command it will prevent truncation of results:


Now the same command returns the complete list.


This is true for the results of anything in PowerShell that is truncated.
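The setting usually used for this is the `$FormatEnumerationLimit` preference variable. The following is an added example, not the author's original command; the connector name and the CSV path are placeholders.

```powershell
# Added example; 'EXCH01\Relay Connector' is a placeholder connector name.
$connector = 'EXCH01\Relay Connector'

# Default formatting shows only the first few values of a multi-valued
# property and ends the list with "...".
Get-ReceiveConnector $connector | Format-List Name, RemoteIPRanges

# -1 removes the limit for the rest of this session (the default is 4).
$FormatEnumerationLimit = -1
Get-ReceiveConnector $connector | Format-List Name, RemoteIPRanges

# Alternative that does not depend on formatting settings: one row per range
# for every receive connector, written to a file for review.
Get-ReceiveConnector | ForEach-Object {
    foreach ($range in $_.RemoteIPRanges) {
        [pscustomobject]@{
            Connector     = "$($_.Identity)"
            RemoteIPRange = "$range"
        }
    }
} | Export-Csv -NoTypeInformation -Path .\ReceiveConnectorRanges.csv
```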

Recoverable Items

I was recently asked to determine how much of the mailbox database is taken up by Recover Deleted Items.

It’s good to understand that the recoverable items folder resides in the non-IPM subtree of each mailbox. The non-IPM subtree is a storage area within the mailbox that contains operational data about the mailbox. This subtree isn’t visible to users using Outlook, Microsoft Office Outlook Web App, or other email clients.

With Exchange 2013 this provides the following key benefits:

  • When a mailbox is moved to another mailbox database, the Recoverable Items folder moves with it.
  • The Recoverable Items folder is indexed by Exchange Search and can be discovered using In-Place eDiscovery.
  • The Recoverable Items folder has its own storage quota.
  • Exchange can prevent data from being purged from the Recoverable Items folder.
  • Exchange can track edits of certain content.

The Recoverable Items folder contains the following subfolders:

  • Deletions: This subfolder contains all items deleted from the Deleted Items folder. (In Outlook, a user can permanently delete an item by pressing Shift+Delete.) This subfolder is exposed to users through the Recover Deleted Items feature in Outlook and Outlook Web App.
  • Versions: If In-Place Hold or Litigation Hold is enabled, this subfolder contains the original and modified copies of the deleted items. This folder isn’t visible to end users.
  • Purges: If either Litigation Hold or single item recovery is enabled, this subfolder contains all items that are purged. This folder isn’t visible to end users.
  • Audits: If mailbox audit logging is enabled for a mailbox, this subfolder contains the audit log entries.
  • DiscoveryHolds: If In-Place Hold is enabled, this subfolder contains all items that meet the hold query parameters and are purged.
  • Calendar Logging: This subfolder contains calendar changes that occur within a mailbox. This folder isn’t available to users.


If you want to know how much data you have in Recoverable Items, you can try the following:

The above shows each of the Recoverable Items folders for each mailbox.

Now I have the total size of all the recoverable items for all the mailboxes in bytes. Thankfully PowerShell has an easy way to convert that to GB for me. You don’t need to divide by 1024 then divide by 1024 then divide by 1024 etc. You can copy the result of the Sum and divide it by 1GB.

54GB is the total amount of space used by Recoverable Items.

Next the question came up of how much space is taken up by Legal using In-Place Hold. I ran the following command:
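One way to produce both figures discussed in this post, the total for Recoverable Items and the share held in DiscoveryHolds, as an added example that is not the author's original commands. The helper name ConvertTo-ByteCount is hypothetical; archive mailboxes are not included.

```powershell
# Added example: Recoverable Items usage per subfolder across all mailboxes.

# Sizes print as "1.5 GB (1,610,612,736 bytes)". Reading the exact byte count
# from that text works for live objects and for deserialized remote-session
# output alike. ConvertTo-ByteCount is a hypothetical helper name.
function ConvertTo-ByteCount {
    param($Size)
    if ("$Size" -match '\(([^)]*) bytes\)') {
        return [int64]($Matches[1] -replace '\D')
    }
    return [int64]0
}

$mailboxes = @(Get-Mailbox -ResultSize Unlimited)
$folders = foreach ($mbx in $mailboxes) {
    Get-MailboxFolderStatistics -Identity $mbx.DistinguishedName `
        -FolderScope RecoverableItems
}

# FolderSize excludes subfolders, so adding up every row (root included)
# does not count anything twice.
$report = $folders | Group-Object Name | ForEach-Object {
    $bytes = ($_.Group |
        ForEach-Object { ConvertTo-ByteCount $_.FolderSize } |
        Measure-Object -Sum).Sum
    [pscustomobject]@{
        Folder = $_.Name
        Bytes  = $bytes
        GB     = [math]::Round($bytes / 1GB, 2)
    }
}
$report | Sort-Object Bytes -Descending | Format-Table -AutoSize

# Total across all Recoverable Items folders, converted with the 1GB constant.
$totalBytes = ($report | Measure-Object -Property Bytes -Sum).Sum
'Total Recoverable Items: {0:N2} GB' -f ($totalBytes / 1GB)

# Portion retained by In-Place Hold.
$holds = $report | Where-Object { $_.Folder -eq 'DiscoveryHolds' }
'DiscoveryHolds (In-Place Hold): {0:N2} GB' -f ($holds.Bytes / 1GB)
```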


Health Manager Service Restarts

I was working with a customer whose Microsoft Exchange Health Manager service was constantly restarting. The problem turned out to be a server monitor override set with a date format that didn’t follow the MM/DD/YYYY format. The override below was set to expire on 16/08/2018 (16th August). Managed Availability tried to read this as the 16th month of the year and would crash.

This can happen when the server is configured to use non-US regional settings and the override is populated without the Duration parameter specified. Of course, this is only a problem when overrides are created after the 12th day of each month. I guess Microsoft expects all overrides to be applied within the first 12 days of each month for anyone living outside of the US!

In order to fix this you have two options:

  1. Remove the override and add it back.
  2. Edit the override in regedit.

Removing a server monitor override is done with the following command:
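Option 1 as an added example (not the author's original command): the override is removed and then added back with -Duration, so the expiry is calculated instead of being entered as a date. The server name, override identity, property and duration are placeholders.

```powershell
# Added example; every value in this table is a placeholder.
$override = @{
    Server       = 'EXCH01'
    Identity     = 'HealthSetName\MonitorName'
    ItemType     = 'Monitor'
    PropertyName = 'Enabled'
}

# List the overrides currently defined for the server to find the affected one.
Get-ServerMonitoringOverride -Server $override.Server | Format-List

# Remove the override whose expiry date cannot be parsed.
Remove-ServerMonitoringOverride @override -Confirm:$false

# Add it back with -Duration (days.hours:minutes:seconds). As the post notes,
# the problem arises when the override is created without Duration specified.
Add-ServerMonitoringOverride @override -PropertyValue 0 -Duration 30.00:00:00

# Confirm the override is back.
Get-ServerMonitoringOverride -Server $override.Server | Format-List
```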


Using regedit.exe to change an override can be found in:

Dynamic Distribution Groups

I was recently working with a customer who had set up the hybrid configuration and moved some pilot users’ mailboxes to Exchange Online. After moving the mailboxes he stopped receiving emails sent to a dynamic distribution group.


I confirmed the list of recipients in the dynamic distribution group by running the following:


The recipients in the list were all UserMailbox because the dynamic distribution group was created filtering on city and RecipientType UserMailbox.


After moving mailboxes to Exchange Online, the on-prem mailbox is converted to a MailUser and is no longer included in the dynamic distribution group. In order to fix this you need to update the recipient filter to include MailUser objects.


In this situation we were filtering based on city, and I was able to fix the problem for each site with the following:



Don’t worry about adding back any of the additional filters like:

(-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*'))
(-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox'))
(-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox'))
(-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox'))
(-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox'))

These get automatically added back into the filter for you.
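The preview, filter change and re-check described in this post, as an added example that is not the author's original commands. The group name and city are placeholders, and the filter shown is one way to express "UserMailbox or MailUser in a given city".

```powershell
# Added example; group name and city are placeholders.
$group = 'Staff - Sydney'
$city  = 'Sydney'

$ddg = Get-DynamicDistributionGroup -Identity $group
$ddg.RecipientFilter    # current filter, for reference

# Who the group resolves to right now, counted by recipient type.
$before = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
    -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited)
$before | Group-Object RecipientType | Select-Object Name, Count

# Include on-premises mailboxes and migrated (MailUser) recipients in the city.
# The system-mailbox exclusions are appended automatically, as the post notes.
$filter = "((RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'MailUser'))" +
          " -and (City -eq '$city')"
Set-DynamicDistributionGroup -Identity $group -RecipientFilter $filter

# Preview again and list the recipients that the new filter brought in.
$ddg   = Get-DynamicDistributionGroup -Identity $group
$after = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
    -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited)

$known = @($before | ForEach-Object { "$($_.PrimarySmtpAddress)" })
$after |
    Where-Object { $known -notcontains "$($_.PrimarySmtpAddress)" } |
    Select-Object Name, RecipientType, PrimarySmtpAddress
```

Reviewing the added recipients before relying on the group also confirms that the wider filter has not pulled in mail users who were never meant to receive its mail.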