After installing the July security updates it can happen that the Exchange Administrative Center (EAC) and OWA can no longer be opened. The cause is an expired certificate for Exchange Server OAuth authentication. Microsoft also points out this problem in the release notes of the updates. Unfortunately, people sometimes overlook the notes on the updates or install the updates with WSUS, for example, so that they usually don't notice the known problems with the updates. So here is a short article on how the problem can be solved.
Ursache des Fehlers ist das abgelaufene Zertifikat mit dem Namen „Microsoft Exchange Server Auth Certificate“:
The following error is logged in the Event Viewer of the Exchange Server:
- Event ID: 1003
- Source: MSExchange Front End HTTPS Proxy
- Message:
[Owa] An internal server error occurred. The unhandled exception was: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1 at Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) at Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert[T1,T2](Boolean condition, String formatString, T1 parameter1, T2 parameter2) at Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() at Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() at Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) at Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.c__DisplayClass280_0.b__0()
for Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func2 filterDelegate, Action1 catchDelegate)
The problem can be solved with the following script:
The script must be executed in an Exchange shell with administrative rights (elevated). The script restarts the IIS AppPools, which does not interrupt the Outlook connection, but it can take up to an hour for OWA and EAC to work again. So you have to be patient here.
Note: In an Exchange Hybrid environment, the Hybrid Configuration Wizard must be run again after changing the certificate so that the changes are also applied in Azure AD.