Exchange 2016 OWA Fails to Login

And how to fix it

The Problem

I had to set up a forms based authentication Exchange 2016 server for OWA so that hourly workers at my company could log into at a kiosk.

Unfortunately after they logged in, they were greeted with this error message:

“Something went wrong. We can’t get that information right now. Please try again later. X-FEServer MyServer”

I have blurred the server name for X-FEServer, but it was the short name of the Exchange server.

Looking at the Logs

Looking for answers, I discovered there were log files in: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa

I found an Exception error in the logs corresponding to my failed login attempts.

UnexpectedException=Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

It was part of a much larger line of logging:

2022-04-14T19:01:56.678Z,84199fbc-fc5c-4ea3-9848-9199faffe6b1,15,1,2308,27,,Owa,localhost,/OWA/auth.owa,,FBA,true,MYDOMAIN\HealthMailboxa93375b,,Sid~S-1-5-21-448539723-2052111302-1801674531-102098,AMProbe/Local/ClientAccess,127.0.0.1,MYSERVER,500,,,POST,,,,,WindowsIdentity,,,,359,,,,0,1,,0,,0,,0,0,,0,3,0,,,,,,,,,0,1,1,,2,,2,2,,,,BeginRequest=2022-04-14T19:01:56.676Z;CorrelationID=<empty>;ProxyState-Run=None;FEAuth=BEVersion-1942063364;ProxyState-Complete=CalculateBackEnd;SharedCacheGuard=0;EndRequest=2022-04-14T19:01:56.678Z;,UnexpectedException=Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1    at Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString  Object[] parameters)    at Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert[T1 T2](Boolean condition  String formatString  T1 parameter1  T2 parameter2)    at Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()    at Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()    at Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)    at Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)    at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)    at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass280_0.<OnCalculateTargetBackEndCompleted>b__0()    at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate  Func`2 filterDelegate  Action`1 catchDelegate)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method);,,|RoutingDB:614f79d4-80da-4e36-8da7-d5cd0406ede1,,,

Solving the Case

Googling that gem of an error message led me to this Microsoft document which outlines the solution to the problem.

Can't access OWA/EAC with expired OAuth certificate - Exchange

In case Microsoft pulls that article someday, which they seem apt to do lately on Exchange articles, I will also summarize it here.

I ran the troubleshooting Exchange Powershell command, and was thrown an error:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

Because I got an error, the document by Microsoft recommended I generate a new OAuth certificate. Here are the Microsoft steps for that:

If the command returns an error, or the certificate has expired, use the following steps to create and deploy a new OAuth certificate to the Exchange server:

1. Create a new OAuth certificate by running the following command in Exchange Powershell:
2. New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

• Set the new certificate for server authentication. To do this, run the following commands in Exchange Powershell:
• Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date) Set-AuthConfig -PublishCertificate Set-AuthConfig -ClearPreviousCertificate
• Restart the Microsoft Exchange Service Host Service.
• Either run the IISReset command to restart IIS or run the following commands (in elevated mode) to recycle the Outlook on the web and EAC application pools in Exchange Powershell:

1. Restart-WebAppPool MSExchangeOWAAppPool Restart-WebAppPool MSExchangeECPAppPool

In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again to update the changes to Azure Active Directory (Azure AD).

Personally — I just rebooted instead of all that service restarting, which Microsoft didn’t seem fully confident in.

After I rebooted my forms based authentication started working.