Exchange 2016 OWA Fails to Login
And how to fix it
I had to set up a forms-based authentication Exchange 2016 server for OWA so that hourly workers at my company could log in at a kiosk.
Unfortunately after they logged in, they were greeted with this error message:
“Something went wrong. We can’t get that information right now. Please try again later. X-FEServer MyServer”
I have blurred the server name for X-FEServer, but it was the short name of the Exchange server.
Looking at the Logs
Looking for answers, I discovered there were log files in:
C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa
I found an exception in the logs corresponding to my failed login attempts:
UnexpectedException=Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
The stack trace explains what is going wrong: FbaModule.SetCadataCookies, which issues the OWA forms-based authentication cookies, calls HmacProvider.ComputeHmac to sign them, and HmacProvider.GetCertificates found no certificate to sign with (the assertion is that protectionCertificates.Length is less than 1). The certificate it is looking for is the Exchange OAuth (Auth) certificate, so the front end cannot mint a valid session cookie for anyone, no matter how correct the password is.
It was part of a much larger line of logging:
2022-04-14T19:01:56.678Z,84199fbc-fc5c-4ea3-9848-9199faffe6b1,15,1,2308,27,,Owa,localhost,/OWA/auth.owa,,FBA,true,MYDOMAIN\HealthMailboxa93375b,,Sid~S-1-5-21-448539723-2052111302-1801674531-102098,AMProbe/Local/ClientAccess,127.0.0.1,MYSERVER,500,,,POST,,,,,WindowsIdentity,,,,359,,,,0,1,,0,,0,,0,0,,0,3,0,,,,,,,,,0,1,1,,2,,2,2,,,,BeginRequest=2022-04-14T19:01:56.676Z;CorrelationID=<empty>;ProxyState-Run=None;FEAuth=BEVersion-1942063364;ProxyState-Complete=CalculateBackEnd;SharedCacheGuard=0;EndRequest=2022-04-14T19:01:56.678Z;,UnexpectedException=Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1 at Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString Object parameters) at Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert[T1 T2](Boolean condition String formatString T1 parameter1 T2 parameter2) at Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() at Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() at Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte messageArrays) at Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass280_0.<OnCalculateTargetBackEndCompleted>b__0() at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate Func`2 filterDelegate Action`1 catchDelegate) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method);,,|RoutingDB:614f79d4-80da-4e36-8da7-d5cd0406ede1,,,
Solving the Case
Googling that gem of an error message led me to this Microsoft document which outlines the solution to the problem.
Can't access OWA/EAC with expired OAuth certificate - Exchange (original KB number: 2617816)
In case Microsoft pulls that article someday, which they seem apt to do lately on Exchange articles, I will also summarize it here.
I ran the troubleshooting command from that article in the Exchange Management Shell, and it threw an error:
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List
This reads the thumbprint of the certificate that the organization's AuthConfig says is current and then tries to fetch that certificate from the local server's store. An error here means the configured Auth certificate is not present on the server at all, which is exactly the empty certificate list the ASSERT in the log complains about; if the command succeeds, check NotAfter in its output to see whether the certificate has simply expired.
Because I got an error, the document by Microsoft recommended I generate a new OAuth certificate. Here are the Microsoft steps for that:
If the command returns an error, or the certificate has expired, use the following steps to create and deploy a new OAuth certificate to the Exchange server:
- Create a new OAuth certificate by running the following command in Exchange Powershell:
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
- Set the new certificate for server authentication. To do this, run the following commands in Exchange PowerShell:
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
- Restart the Microsoft Exchange Service Host Service.
- Either run the IISReset command to restart IIS, or run the following commands (in elevated mode) to recycle the Outlook on the web and EAC application pools in Exchange PowerShell:
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool
In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again to update the changes to Azure Active Directory (Azure AD).
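The troubleshooting command and the renewal steps above are two halves of one runbook, so here they are wired together as an added example. This is not code from the Microsoft article or from the original post: the function names Test-ExchangeAuthCertificate and Renew-ExchangeAuthCertificate are mine, and the script assumes it is run in an elevated Exchange Management Shell on an Exchange 2016 server with the WebAdministration module available (the article's own Restart-WebAppPool step needs that too). The check function looks up the same certificate the one-liner does, but reports per server and distinguishes "missing", "no private key", "expired", and "expiring soon", since the HMAC signing in FbaModule needs a present, unexpired certificate with its private key on every front end.

```powershell
# Added example, not from the Microsoft article or the original post.
# Assumes: elevated Exchange Management Shell, WebAdministration module loaded.

function Test-ExchangeAuthCertificate {
    [CmdletBinding()]
    param(
        # Exchange servers to check; every front end needs the cert and its private key.
        [string[]]$Server = @($env:COMPUTERNAME),
        # Report ExpiringSoon when NotAfter is within this many days.
        [int]$WarnDays = 30
    )

    $authConfig = Get-AuthConfig
    $thumb = $authConfig.CurrentCertificateThumbprint
    if ([string]::IsNullOrEmpty($thumb)) {
        Write-Warning 'AuthConfig has no CurrentCertificateThumbprint; OWA/ECP FBA cookie signing will fail.'
        return
    }

    foreach ($s in $Server) {
        $result = [ordered]@{
            Server        = $s
            Thumbprint    = $thumb
            HasPrivateKey = $false
            NotAfter      = $null
            Status        = 'Missing'
        }
        try {
            # Get-ExchangeCertificate throws when the thumbprint is not in the server's store,
            # which is the state the HmacProvider ASSERT in the HttpProxy log reports.
            $cert = Get-ExchangeCertificate -Server $s -Thumbprint $thumb -ErrorAction Stop
            $result.HasPrivateKey = $cert.HasPrivateKey
            $result.NotAfter      = $cert.NotAfter
            if (-not $cert.HasPrivateKey) {
                $result.Status = 'NoPrivateKey'
            } elseif ($cert.NotAfter -lt (Get-Date)) {
                $result.Status = 'Expired'
            } elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
                $result.Status = 'ExpiringSoon'
            } else {
                $result.Status = 'OK'
            }
        } catch {
            $result.Status = "Missing ($($_.Exception.Message))"
        }
        [pscustomobject]$result
    }
}

function Renew-ExchangeAuthCertificate {
    # Runs the article's renewal steps in order, feeding the new thumbprint straight
    # into Set-AuthConfig instead of copying it by hand. Prompts before changing anything.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    if (-not $PSCmdlet.ShouldProcess('Exchange AuthConfig', 'Create and publish a new OAuth certificate')) {
        return
    }

    # Step 1: new self-signed Auth certificate (same parameters as the article).
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate' -DomainName @()

    # Step 2: make it current, publish it to Active Directory, clear the old one.
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate

    # Steps 3 and 4: restart the service host and recycle the OWA and ECP app pools.
    Restart-Service -Name MSExchangeServiceHost
    Restart-WebAppPool -Name MSExchangeOWAAppPool
    Restart-WebAppPool -Name MSExchangeECPAppPool

    # Return the new thumbprint so the caller can re-run the check against it.
    $new.Thumbprint
}

# Usage: check first, renew only when the status is not OK, then check again.
$before = Test-ExchangeAuthCertificate
$before | Format-Table -AutoSize
if ($before | Where-Object { $_.Status -ne 'OK' }) {
    Renew-ExchangeAuthCertificate
    Test-ExchangeAuthCertificate | Format-Table -AutoSize
}
```

Run Test-ExchangeAuthCertificate with -Server listing every Exchange server, not just the one you are logged on to: AuthConfig is organization-wide, but the certificate itself has to be present with its private key on each server that fronts OWA. As the article notes, publication can take up to an hour, and in a hybrid deployment the Hybrid Configuration Wizard has to be re-run afterwards.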
Personally, I just rebooted instead of all that service restarting, which Microsoft didn't seem fully confident in.
After I rebooted, my forms-based authentication started working.