Symptoms
Users cannot log in to Outlook on the web (OWA) or the Exchange Control Panel (ECP) after you install the July 2021 security update or any later update for Microsoft Exchange Server 2019, 2016, or 2013
The OWA or ECP login fails and returns the following error message if the Exchange Server authorization (OAuth) certificate is missing or expired:
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Cause
This issue occurs if the Exchange Server Open Authentication (OAuth) certificate is expired, not present, or not configured correctly.
Resolution
To check the status of your existing OAuth certificate, run the following command in the Exchange Management Shell:
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List
[PS] C:\Windows\system32>(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 2021-12-26 20:51:11
NotBefore : 2017-01-21 20:51:11
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 12504B7DCD287CBA4863A35634C18507
Services : SMTP
Status : Invalid
Subject : CN=Microsoft Exchange Server Auth Certificate
Thumbprint : 7F54ACF4442A9F52C0926D3FE43FADBE16EF3D95
If the command returns an error, or the certificate has expired, use the following steps to create and deploy a new OAuth certificate to the Exchange server:
- Create a new OAuth certificate by running the following command:
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
Confirm
Overwrite the existing default SMTP certificate?
Current certificate: '242F5F799B6AE9A7CFAEFFB87460FCCAFBEC1CD8' (expires 2022-08-29 04:05:08)
Replace it with certificate: 'E5742ACCA5985E6D27C73B6F78AE5892CB6ABDC3' (expires 2027-01-23 07:40:33)
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): A
Thumbprint Services Subject
---------- -------- -------
E5742ACCA5985E6D27C73B6F78AE5892CB6ABDC3 ....S.. CN=Microsoft Exchange Server Auth Certificate
2. Set the new certificate for server authentication. To do this, run the following commands:
Set-AuthConfig -NewCertificateThumbprint E5742ACCA5985E6D27C73B6F78AE5892CB6ABDC3 -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
[PS] C:\Windows\system32>Set-AuthConfig -NewCertificateThumbprint E5742ACCA5985E6D27C73B6F78AE5892CB6ABDC3 -NewCertificateEffectiveDate (Get-Date)
Confirm
The new certificate effective date is not at least "48" hours in the future and may not be deployed on all necessary servers. Do you wish to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): A
3. Restart the Microsoft Exchange Service Host Service.
4. Either run the IISReset
command to restart IIS or run the following commands (in elevated mode) to recycle the Outlook on the web and EAC application pools:
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool
Note : In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again to update the changes to Azure Active Directory (Azure AD).
Fixed my issues Thanks