Exchange 2016 OWA Fails to Login

The Problem

I had to set up a forms-based authentication Exchange 2016 server for OWA so that hourly workers at my company could log in at a kiosk.

Looking at the Logs

Looking for answers, I discovered there were log files in: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa

UnexpectedException=Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
2022-04-14T19:01:56.678Z,84199fbc-fc5c-4ea3-9848-9199faffe6b1,15,1,2308,27,,Owa,localhost,/OWA/auth.owa,,FBA,true,MYDOMAIN\HealthMailboxa93375b,,Sid~S-1-5-21-448539723-2052111302-1801674531-102098,AMProbe/Local/ClientAccess,127.0.0.1,MYSERVER,500,,,POST,,,,,WindowsIdentity,,,,359,,,,0,1,,0,,0,,0,0,,0,3,0,,,,,,,,,0,1,1,,2,,2,2,,,,BeginRequest=2022-04-14T19:01:56.676Z;CorrelationID=<empty>;ProxyState-Run=None;FEAuth=BEVersion-1942063364;ProxyState-Complete=CalculateBackEnd;SharedCacheGuard=0;EndRequest=2022-04-14T19:01:56.678Z;,UnexpectedException=Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1    at Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString  Object[] parameters)    at Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert[T1 T2](Boolean condition  String formatString  T1 parameter1  T2 parameter2)    at Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()    at Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()    at Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)    at Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)    at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)    at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass280_0.<OnCalculateTargetBackEndCompleted>b__0()    at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate  Func`2 filterDelegate  Action`1 catchDelegate)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action 
method);,,|RoutingDB:614f79d4-80da-4e36-8da7-d5cd0406ede1,,,

Solving the Case

Googling that gem of an error message led me to this Microsoft document which outlines the solution to the problem.

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

  1. Create a new OAuth certificate by running the following command in Exchange PowerShell:
     New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
  2. Set the new certificate for server authentication. To do this, run the following commands in Exchange PowerShell:
     Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
     Set-AuthConfig -PublishCertificate
     Set-AuthConfig -ClearPreviousCertificate
  3. Restart the Microsoft Exchange Service Host Service.
  4. Either run the IISReset command to restart IIS or run the following commands (in elevated mode) to recycle the Outlook on the web and EAC application pools in Exchange PowerShell:
     Restart-WebAppPool MSExchangeOWAAppPool
     Restart-WebAppPool MSExchangeECPAppPool
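
Added example (not from the original post or the Microsoft document): a read-only check to run in the Exchange Management Shell before and after the steps above. It counts the HMACProvider assertion in the HttpProxy OWA logs and reports whether the certificate referenced by Get-AuthConfig is present and within its validity period. The 30-day warning threshold and the variable names are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on the affected server.
# $LogDir is the path quoted in this post; $WarnDays is an assumed threshold.
$LogDir   = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa'
$Pattern  = 'HMACProvider.GetCertificates'
$WarnDays = 30

# 1. Count requests that failed with the HMACProvider assertion, per log file.
$hits = @(Get-ChildItem -Path $LogDir -Filter '*.log' |
    Select-String -Pattern $Pattern -SimpleMatch)
$hits | Group-Object -Property Path | ForEach-Object {
    # The first CSV field of an HttpProxy log row is the request timestamp (ISO 8601, sorts as text).
    $stamps = @($_.Group | ForEach-Object { ($_.Line -split ',', 2)[0] } | Sort-Object)
    [pscustomobject]@{
        LogFile  = Split-Path -Path $_.Name -Leaf
        Failures = $_.Count
        First    = $stamps[0]
        Last     = $stamps[-1]
    }
} | Format-Table -AutoSize

# 2. Check the certificate that AuthConfig points at: configured, present, not expired.
$thumb = (Get-AuthConfig).CurrentCertificateThumbprint
$cert  = if ($thumb) { Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue }
if (-not $thumb) {
    $state = 'No auth certificate thumbprint is configured'
} elseif (-not $cert) {
    $state = 'Thumbprint is configured but the certificate was not found on this server'
} elseif ($cert.NotAfter -lt (Get-Date)) {
    $state = "Expired on $($cert.NotAfter)"
} elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
    $state = "Valid, but expires within $WarnDays days ($($cert.NotAfter))"
} else {
    $state = "Valid until $($cert.NotAfter)"
}

[pscustomobject]@{
    Thumbprint     = $thumb
    AuthCertState  = $state
    LoggedFailures = $hits.Count
} | Format-List
```

After the fix, the certificate state should read as valid and new log files should stop accumulating failures.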

Lindsay Leeds


I am an IT guy by trade, with interests in investing and personal finance.