After updating several Exchange Servers uneventfully (2013 to CU23 and  2016 to CU21) and applyting the related security updates KB5000871 and KB 5004779 both OWA and ECP stopped working on one particulat Exchange 2013 server.

After the update was completed, the following digital poison ivy was rubbed into my eyeballs on a Friday, at 4:59 pm Sad smile.

image

Server Error in ‘/owa’ Application

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

I followed these steps as per Microsoft, however that did not fix the problem.

After some Web sleuthing, it appeared that my issue was related to the current certificate, just like a lot of other people experiencing the same problem. Once I figured out the underlying problem, the fix was pretty straight forward.

Running the following command from Exchange Powershell presented an error, idicating all was not well with the current certificate despite the fact that the current certificate was not expired. If you suspect that you may be experiencing the same issue, run this command:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List


If it returns an error, you have a problem with your current certificate. The relatively easy fix is to create and set a new certificate by running these commands.

1. Create a new certificate

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

2. Set the new certificate

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)


3. Publish the new certificate


Set-AuthConfig -PublishCertificate


4. Clear the previous certificate


Set-AuthConfig -ClearPreviousCertificate

5. Restart IIS

IISRESET


Leave a comment

Your email address will not be published. Required fields are marked *