This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 43%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
Exchange 2013 CU23
After login to OWA or ECP, I encountered http code 500.
Before that, I was updated security update KB5004778 (after a few failed attempts).
I followed "OWA or ECP stops working after you install a security update" but failed.
https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/owa-stops-working-after-update
I run security update KB5004778 again without any issue.
But I still got http code 500.
Please advise, thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 17%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
After installing updates kb5004778
https://mail.ourexchange.com/owa/auth/errorFE.aspx?httpCode=500
X-ClientId: SSLX - LPN0 - IOTY - WLWHQW
X-FEServer: MAIL
Date: 19.07.2021 11:19:36
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @EM Support
Sorry I need to add the following questions to get some more information:
And was the detailed HTTP 500 error message "HMACProvider.GetCertificates:protectionCertificates.Length<1"?
If it is the case, this issue may be caused by the OAuth certificate is missing or expired.
Please run this command to first check if the OAuth certificate is missing or expired:
Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint
If there is no result returned or the OAuth certificate has expired, please follow this link to create a new OAuth certificate and see if it can get rid of the problem.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @EM Support
I am writing here to confirm with you how thing going now?
Did the issue get resolved?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 68%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
KaelYao,
I am having a similar issue with my exchange environment? Any way we can connect somehow?
Hi,
Sorry but here we mainly focus on supporting via forum posts.
If your issue is very urgent, please consider opening a support ticket via phone.
You can get the numbers in this link: Global Customer Service phone numbers
Besides, did the recreating new OAuth certificate solution not work for you?
Source: MSExchange Front End HTTP Proxy
Event ID: 1003
Description:
[Owa] An internal server error occurred. The unhandled exception was: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
All my certificates are still valid which are expiring in 2023.
But I still proceed to create OAuth certificate.
1) New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Ex
change Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "domain.com"
2) No - for Overwrite the existing default SMTP certificate
3) Get-ExchangeCertificate |fl (to confirm new Auth Certificate's thumprint)
4) Set-AuthConfig -NewCertificateThumbprint 1B8C8682D9C09167D5D18B926B4EED6D12345678 -NewCertifica
teEffectiveDate (Get-Date)
5) Yes - Confirm
6) Set-AuthConfig -PublishCertificate
7) Set-AuthConfig -ClearPreviousCertificate
8) Restart Microsoft Exchange Service Host Service
9) IISReset
I waited more than 12 hours to be able to access OWA and ECP.
Thank you, everyone.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 37%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECZ%3C/text%3E%3C/svg%3E)
Hi,
I found this solution in another post.
There seems to be a timezone issue with this fix. So to get around the 12 hour waiting, you can just change the timezon in your Windows Exchange Server to UTC World Time.
Afterwards you can login to ecp without having to wait.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 94%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENN%3C/text%3E%3C/svg%3E)
Hi, i follow all the steps, but i was chosen to Y to overwrite existing default smtp certificate.
So is this totally wrong? How can i go back if i was wrong, thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 89%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Thank you, That was the best answer,only in row four replace certificate generated in row one
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 70%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
This was the solution! Followed to a T today. None of the existing certs were expired but ran this anyway on the onprem exchange server and was immediately able to log into OWA and ECP (my time zone was not set to UTC and I didn't have to mess with that). Thanks so much!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 30%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFI%3C/text%3E%3C/svg%3E)
It's working, thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 6%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi Christian, your suggestion worked well for me, adjusting the time zone and then reverting solved the issue immediately
Many thanks
Now it WORKS!
Exchange 2013 CU23, KB5004778
1. Renew Auth Certificate > https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired?preserve-view=true#resolution
Note: (Get-Date) - Check timezone! I recommend server timezone set to UTC. You can wait. It depent on your timezone
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "contoso.com"
!!!No install for SMTP certificate!!!
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
iisreset
2. Update Schema 2013 CU23 > https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421 / without schema update does not work!
“Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms” using the setup.exe from location “c:\Program Files\Microsoft\Exchange Server\V15\Bin\setup.exe” (use the folder for the installation location of your Exchange server)
NOTES:
Can you check, if the bindings are assigned correctly in IIS console for both websites (Default website and Exchange Backend)
I have tried to create new certificate but still unable to access OWA or ECP.
https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/owa-ecp-ems-cannot-connect-after-self-signed-certificate-removed
Yes the binding is correct.
Against each 443 bindings, make sure that you have the right certificates assigned. Are you using thirdparty SSL? is it expired or still valid?
What about the expiry conditions of other certificates?
Few other checks. Looks like you have fixed something else during the installation (as you mentioned in the initial question).
yes, self-signed certificate for 443 bindings. Not thirdparty SSL.
Still valid, up to 2023.
1) yes, CU23 installed on 2019.
2) Exchange Server version is 15.00.1497.023
3) i have checked it, installation completed without error.
4) All Exchange services are running.
5) i still checking the event logs.
Solution2:
after clear values of msExchCanaryData0, msExchCanaryData1 and msExchCanaryData2 and recycle MSExchangeOWAAppPool, does msExchCanaryData0 to 2 filled with values?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 64%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGB%3C/text%3E%3C/svg%3E)
I also have the same issue. I tried to run the command, it returned a thumbprint. Servercis: only S listed
I have checked the binding, seems correct. Default website has the usuale certificate, while backend has no certificate assigned