Exchange 2016 OWA Fails to Login

The Problem

Looking at the Logs

UnexpectedException=Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
2022-04-14T19:01:56.678Z,84199fbc-fc5c-4ea3-9848-9199faffe6b1,15,1,2308,27,,Owa,localhost,/OWA/auth.owa,,FBA,true,MYDOMAIN\HealthMailboxa93375b,,Sid~S-1-5-21-448539723-2052111302-1801674531-102098,AMProbe/Local/ClientAccess,127.0.0.1,MYSERVER,500,,,POST,,,,,WindowsIdentity,,,,359,,,,0,1,,0,,0,,0,0,,0,3,0,,,,,,,,,0,1,1,,2,,2,2,,,,BeginRequest=2022-04-14T19:01:56.676Z;CorrelationID=<empty>;ProxyState-Run=None;FEAuth=BEVersion-1942063364;ProxyState-Complete=CalculateBackEnd;SharedCacheGuard=0;EndRequest=2022-04-14T19:01:56.678Z;,UnexpectedException=Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1    at Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString  Object[] parameters)    at Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert[T1 T2](Boolean condition  String formatString  T1 parameter1  T2 parameter2)    at Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()    at Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()    at Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)    at Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)    at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)    at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass280_0.<OnCalculateTargetBackEndCompleted>b__0()    at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate  Func`2 filterDelegate  Action`1 catchDelegate)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method);,,|RoutingDB:614f79d4-80da-4e36-8da7-d5cd0406ede1,,,

Solving the Case

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List
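
The one-liner above only errors out when the thumbprint in the auth configuration does not resolve to a certificate. As an added example (not part of the original post), the function below runs the same lookup and reports whether the referenced certificate is missing from the local store, expired, or close to expiry. The name Test-AuthCertificate and the 30-day warning threshold are assumptions made for illustration.

```powershell
# Added example; run in the Exchange Management Shell on the affected server.
# Test-AuthCertificate is a hypothetical helper name, not an Exchange cmdlet.
function Test-AuthCertificate {
    param(
        [int]$WarnDays = 30   # assumption: illustrative warning threshold
    )

    $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    $result = [ordered]@{
        Thumbprint = $thumbprint
        Subject    = $null
        NotBefore  = $null
        NotAfter   = $null
        DaysLeft   = $null
        Status     = $null
    }

    if ([string]::IsNullOrWhiteSpace($thumbprint)) {
        $result.Status = 'NoThumbprintConfigured'
        return [pscustomobject]$result
    }

    # The lookup raises an error when the thumbprint is not in this server's
    # store, so suppress it and treat "nothing returned" as its own state.
    $cert = Get-ExchangeCertificate -Thumbprint $thumbprint -ErrorAction SilentlyContinue
    if (-not $cert) {
        $result.Status = 'MissingFromLocalStore'
        return [pscustomobject]$result
    }

    $now = Get-Date
    $result.Subject   = $cert.Subject
    $result.NotBefore = $cert.NotBefore
    $result.NotAfter  = $cert.NotAfter
    $result.DaysLeft  = [math]::Floor(($cert.NotAfter - $now).TotalDays)

    # Order matters: validity-window failures take priority over the warning.
    if     ($now -gt $cert.NotAfter)              { $status = 'Expired' }
    elseif ($now -lt $cert.NotBefore)             { $status = 'NotYetValid' }
    elseif ($result.DaysLeft -le $WarnDays)       { $status = 'ExpiringSoon' }
    else                                          { $status = 'Valid' }

    $result.Status = $status
    return [pscustomobject]$result
}

Test-AuthCertificate | Format-List
```

Any status other than Valid or ExpiringSoon means the thumbprint in the auth configuration does not point at a usable certificate on this server.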

In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again so that the changes are updated in Azure Active Directory (Azure AD).
