This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 94%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEG%3C/text%3E%3C/svg%3E)
Hello,
After installing the July Security update access to ECP and OWA is broken.
Mail Flow works, but accessing OWA or ECP returns the following error:
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
It also logs error 1003 to the Event Logs.
As many others have suggested, we have tried replacing the OATH Certificate according to this: https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired several times, we also waited >60 minutes after doing it - but the error persists. Even after full server reboot.
Please advice on what to do next.
Full Stack Trace Here:
Server Error in '/owa' Application.
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1]
Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +241
Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert(Boolean condition, String formatString, T1 parameter1, T2 parameter2) +2694334
Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +363
Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +140
Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +14
Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +1032
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +3581
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +257
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1528
Microsoft.Exchange.HttpProxy.<>c__DisplayClass280_0.<OnCalculateTargetBackEndCompleted>b__0() +303
Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate) +35
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method) +59
[AggregateException: One or more errors occurred.]
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +414
System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4330.0
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 92%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWH%3C/text%3E%3C/svg%3E)
Same problem here since Exchange security update last night. Recreating and assigning a new certificate will not resolve the problem.
Outlook works fine!, but OWA and ECP only work to signin page, after typing credentials it gives the message.
Hope someone can help to fix this!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 82%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
Hi,
Are you accessing ECP/OWA via a load balanced URL? If so, try directly accessed from the server URL.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 2%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
I experience the same error. Currently 2 servers, on one server the workaround to re-create the OAUTH certificate worked well. On the other one, it worked at first glance, but after the next reboot the error appeared again. After removing the Security Update KB5007480 everything's ok again.
As it is designated to be a "hybrid" server by next week, I of course do not want to operate this server without that update.
Does anybody experience the same issue where the re-creation of the OAUTH cert is not a permanent solution?
Has anybody solved that issue?
Cheers, Thomas
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 5%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
If you are running a local exchange server in Hybrid mode just run the latest version of the Hybrid Configuration Wizard and follow the steps to reconfigure the connection. Gave it 30 minutes after going through the configuration and now everything is working again.
If you are running a local exchange server in Hybrid mode just run the latest version of the Hybrid Configuration Wizard and follow the steps to reconfigure the connection. Gave it 30 minutes after going through the configuration and now everything is working again.
Followed this instructions has solved the problem:
https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
But is does take time (more then one hour) before it works.
Can confirm this.
I renew the cert for like the fifth time and then went to bed.
Woke up and saw this comment and checked, and mine works now too.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 97%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Same here, never had so much anxiety after waking up but at least I'm awake now :-))
Yeah really got the system going and jump out of bed didn't it :D
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 16%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Yeah, you are right, my cert gonna expire on year 26 but at event viewer it don´´t stop to alert me since I did yesterday the "security Exchange 2016 update" and this link to renew and apply the new cert only to the auth, and wait a couple of hours, did it only in one server and it fix every OWAs and ECPs
thanks a lot, so fast to report this Microsoft fail, in my case I updated test enviroment, on saturday I´m gonna do on producction, we´ll see but I hope I only will have to do this on first room servers.
thanks a lot Willem
Best regards and keep save
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 12%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Thank you so much for this link. We have a simple configuration, so going through all the steps all the way down through restarting IIS fixed our issue immediately. Now I can go back to being on vacation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 25%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
You can try to copy "Microsoft Exchange Server Auth Certificate" to the "Trusted Root Certification Authorities" on all servers in order to restore the ecp and owa functionality through hardware balancer.
For me these worked: if you go to specific server with http://server.domain/owa worked OK but for the https://vip.domain/owa the page prompted continously for credentials.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 26%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Thank youu
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 81%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Works great. Thanks for the link. No waiting time. The problem was fixed after the last command.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 45%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
Late installer to the game. Same issue here. The only certificate that I see that is expired is my Exchange Federation Delegation cert. is this the same one that you are referring to as expired?
Will following the link to fix the cert issues impact mail flow at all. We run hybrid.
What is this oAuth certificate used for? Could it be listed under a different name in my exchange certificates?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 61%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAY%3C/text%3E%3C/svg%3E)
It worked for me after 5 hours of waiting, EXCH2016CU21
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 59%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
We had this exact error from OWA/ECP and replacing the OAuth "Microsoft Exchange Server Auth Certificate" does work but the time for the certificate to "publish" seems to be inordinate. It was at least four hours for us, which happened to be over night so i'm not sure exactly how long.
To replace the OAuth cert, we followed these steps https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired with the exception of the domain being a wildcard, so -DomainName "*.contoso.com"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 62%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECD%3C/text%3E%3C/svg%3E)
same error with CU9 and now with CU10.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 83%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
hello, we have the same problem after install the Exchange Server 2013 CU23 (KB5004778) AND Exchange Server 2019 CU10 (KB5004780] july update
3x ex134 and 1x ex19 OWA is corupt !
this option: https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired dont work for me, becuase my Exchange Server Open Authentication (OAuth) certificate is NOT! expired
so anyone habe a other idea ?
sorry @microsoft WHATS out Problem?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 14.000000000000002%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
@stefan seidl / tele-crew.de My OAUTH cert was not expired either. Something in this security update seems to break the OAUTH cert, even if it is not expired. Going through this process fixed our problem. https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
It is not immediate. Microsoft says this can take an hour to process the change. It took about 20 minutes for ours to work, but I have seen people say that it took them a couple of hours.
Good luck.
and this morning:
* drum roll *
works it again
after 1, 2, 3 hours no function was possible
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 9%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
I tried this solution as well and waited over 19 hours because i'm EST and i wasn't sure if I could check at 5 ours or wait 19 hours.
When I did this, man I was really tired having wrestled with this issue for three days, but I think I recall seeing a message that said something about time to publish and the number 48. I hope that doesn't mean I have to wait two days from about 4PM EST yesterday. nobody here has said it takes anything like that long.
i have another thread "On Premisis Exchange 2019 EAC text only, no pictures after CU9". In my case OWA opens, but EAC doesn't. i get the EAC logon page, and thin it presents as text only, and none of the links work. There is a screenshot attached over there.
Has anyone here had that exact issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 87%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Had the exact same issue with Exchange 2013 CU23 just last night. My Exchange Auth Certs had years left on them so proceeded with the patch installs on all servers and completed the AD Schema Update. Rebooted all servers and tested OWA and ECP access and could no longer access either of them. Log in pages would load fine but could not get passed sign in. Decided to renew the Exchange Auth certificates and recycled the App Pools as per the article but still couldn't get into OWA or ECP. Checked each Exchange sever with Get-AuthConfig to verify the new certificate had propagated to all Exchange servers and, based on its thumbprint, it had. ECP and OWA still weren't working. Waited an hour or so and tested both again and could then log in fine. No idea what happens in that 60mins which allows it to then start working, even though the new certificate had propagated to all Exchange servers within a few minutes. However, pleased to say, simply waiting did the trick for me so hope this helps someone else. Very annoying how this is documented as a "known issue" but ONLY when the existing Exchange Auth Certificate/s is expired. These patches are clearly breaking the existing certificate...