Cannot log in to OWA or ECP

Exchange

Symptoms

Users cannot log in to Outlook on the web (OWA) or the Exchange Control Panel (ECP) after you install the July 2021 security update, or any later update, for Microsoft Exchange Server 2019, 2016, or 2013.

The OWA or ECP login fails with the following error message when the Exchange Server authorization (OAuth) certificate is missing or expired:

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1


Cause

This issue occurs if the Exchange Server Open Authorization (OAuth) certificate is expired, not present, or not configured correctly. Starting with the July 2021 security update, OWA and ECP require a valid OAuth certificate to protect their session data, so a problem that previously went unnoticed now blocks logon.

Resolution

To check the status of your existing OAuth certificate, run the following command in the Exchange Management Shell:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

Sample output (fl is the alias of Format-List):

[PS] C:\Windows\system32>(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 2021-12-26 20:51:11
NotBefore          : 2017-01-21 20:51:11
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 12504B7DCD287CBA4863A35634C18507
Services           : SMTP
Status             : Invalid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : 7F54ACF4442A9F52C0926D3FE43FADBE16EF3D95

In this sample, NotAfter is in the past and Status is Invalid, so the certificate has expired. If the command returns an error (no thumbprint is configured in the AuthConfig, or the configured thumbprint does not match a certificate in the local store), or the certificate has expired, use the following steps to create and deploy a new OAuth certificate to the Exchange server:

1. Create a new OAuth certificate by running the following command:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

Sample output. The cmdlet enables the new certificate for SMTP and asks whether it should become the default SMTP certificate. Answering Y (as in this sample) replaces the current default SMTP certificate with the new self-signed one; if your SMTP TLS traffic uses a different (for example, third-party) certificate, answer N. The Auth certificate is created in either case and is only needed for OAuth, not for SMTP:

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: '242F5F799B6AE9A7CFAEFFB87460FCCAFBEC1CD8' (expires 2022-08-29 04:05:08)
Replace it with certificate: 'E5742ACCA5985E6D27C73B6F78AE5892CB6ABDC3' (expires 2027-01-23 07:40:33)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A


Thumbprint                                Services   Subject
----------                                --------   -------
E5742ACCA5985E6D27C73B6F78AE5892CB6ABDC3  ....S..    CN=Microsoft Exchange Server Auth Certificate

2. Set the new certificate for server authentication, publish it, and clear the previous certificate. To do this, run the following commands, replacing the thumbprint with the one returned in step 1:

Set-AuthConfig -NewCertificateThumbprint E5742ACCA5985E6D27C73B6F78AE5892CB6ABDC3 -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

Sample output. The warning about the 48-hour effective date is expected here, because logon is already broken and the certificate must take effect immediately; for a planned rollover in a multi-server organization, an effective date at least 48 hours ahead gives the certificate time to replicate to every server first:

[PS] C:\Windows\system32>Set-AuthConfig -NewCertificateThumbprint E5742ACCA5985E6D27C73B6F78AE5892CB6ABDC3 -NewCertificateEffectiveDate (Get-Date)

Confirm
The new certificate effective date is not at least "48" hours in the future and may not be deployed on all necessary servers. Do you wish to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A

3. Restart the Microsoft Exchange Service Host service (service name MSExchangeServiceHost).

4. Either run the IISReset command to restart IIS, or run the following commands from an elevated prompt to recycle only the Outlook on the web and Exchange admin center (ECP) application pools:

Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

Note: In some environments, it can take up to an hour for the new OAuth certificate to be published. If you have a hybrid deployment, run the Hybrid Configuration Wizard again so that the change is also updated in Azure Active Directory (Azure AD).
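The whole procedure, from the check through the certificate rollover to a per-server verification, as one script for the Exchange Management Shell. This is an added example, not a script from the original page or from Microsoft: the cmdlets and parameters are the ones the steps above use, but the function names, the state classification and the final per-server loop are my own additions. It assumes you run it on one Exchange 2013/2016/2019 server with Exchange management rights, and that the local IIS WebAdministration module is available (it is on an Exchange server).

```powershell
# Added example: check the Exchange OAuth (Auth) certificate and, when it is
# missing, not in the store, or expired, replace it using the steps on this page.
# Run in the Exchange Management Shell. Function names are this example's own.

function Get-ExchangeAuthCertificateState {
    # Classifies the certificate currently referenced by the AuthConfig.
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    if ([string]::IsNullOrEmpty($thumb)) {
        return [pscustomobject]@{ Thumbprint = $null; Certificate = $null; State = 'Missing' }
    }
    try {
        $cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction Stop
    } catch {
        # A thumbprint is configured, but no such certificate exists in the local store.
        return [pscustomobject]@{ Thumbprint = $thumb; Certificate = $null; State = 'NotInStore' }
    }
    $state = if ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
             elseif (-not $cert.HasPrivateKey) { 'NoPrivateKey' }
             else { 'Valid' }
    [pscustomobject]@{ Thumbprint = $thumb; Certificate = $cert; State = $state }
}

function New-ExchangeAuthCertificateRollover {
    param(
        # The page uses (Get-Date) so the certificate takes effect at once; Exchange
        # warns unless the date is at least 48 hours ahead (see step 2 above).
        [datetime]$EffectiveDate = (Get-Date)
    )
    # Step 1. This prompts "Overwrite the existing default SMTP certificate?";
    # answer N to keep the certificate you currently use for SMTP TLS. The Auth
    # certificate is created either way.
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName "cn=Microsoft Exchange Server Auth Certificate" `
        -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

    # Step 2. Make it the next Auth certificate, publish it, drop the old one.
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate $EffectiveDate
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate

    # Step 3. Restart the Microsoft Exchange Service Host service.
    Restart-Service MSExchangeServiceHost

    # Step 4. Recycle only the OWA and ECP application pools instead of a full IISReset.
    Import-Module WebAdministration
    Restart-WebAppPool MSExchangeOWAAppPool
    Restart-WebAppPool MSExchangeECPAppPool

    return $new.Thumbprint
}

function Test-ExchangeAuthCertificateDeployed {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Publishing can take up to an hour; report which servers already have the
    # certificate so you know when it is safe to expect OWA/ECP logon to work everywhere.
    foreach ($srv in Get-ExchangeServer) {
        $present = $null -ne (Get-ExchangeCertificate -Server $srv.Name -Thumbprint $Thumbprint `
                                  -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Server = $srv.Name; HasAuthCert = $present }
    }
}

# Usage: inspect first, act only when the certificate is not usable.
$state = Get-ExchangeAuthCertificateState
$state | Format-List Thumbprint, State
if ($state.State -ne 'Valid') {
    $newThumb = New-ExchangeAuthCertificateRollover
    Test-ExchangeAuthCertificateDeployed -Thumbprint $newThumb | Format-Table -AutoSize
}
```

The state check is deliberately stricter than "expired or missing": a certificate whose thumbprint is configured but whose private key is gone (for example after a store restore) produces the same OWA/ECP assertion, so it is treated as a rollover trigger too. Re-run Test-ExchangeAuthCertificateDeployed after a while if some servers report False; until the certificate is present on a server, users reaching OWA or ECP through that server will still fail to log in.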
