Users cannot log in to Outlook on the web (OWA) or the Exchange Control Panel (ECP) after you install the July 2021 security update or any later update for Microsoft Exchange Server 2019, 2016, or 2013.


The following conditions occur after the update installation.

Cause 1

The OWA or ECP login fails and returns the following error message if the Exchange Server authorization (OAuth) certificate is missing or expired:

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

See "Resolution 1."

Cause 2

Users see a blank webpage after they try to log in, or the login process goes into a loop. This occurs if users are accessing the servers through a load balancer, and not all servers in the pool are updated to at least the July 2021 security update. This condition may cause users to be redirected back to the login page when they use OWA or ECP.

See "Resolution 2."


Resolution 1

To resolve the issue that's described in the "Cause 1" section, follow the steps in this article to renew the Exchange Server authorization certificate.

Resolution 2

The issue that's described in the "Cause 2" section should stop occurring after the July 2021 SU or a later update is installed on all servers that are handled by the load balancer.

You can update all the non-updated servers in the pool at one time. You can also update them in batches by removing non-updated servers from the pool, applying the July SU or the latest update, and then swapping those servers for others that are not yet updated. 


You can work around the issue that's described in the "Cause 2" section by setting the persistence to “source-ip” in the load balancer configuration.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Any additional feedback? (Optional)

Thank you for your feedback!