Symptoms

Consider the following scenario:

  • In an Exchange Server environment, an Outlook Web App or Exchange Control Panel (ECP) website is configured to use forms-based authentication (FBA).

  • A user enters a valid mailbox user name and password.

When the user signs in to Outlook Web App or ECP in this scenario, the user is redirected straight back to the FBA sign-in page instead of the mailbox, and no error message is displayed. Signing in again produces the same loop.

Additionally, in the HttpProxy\Owa log, entries for "/owa" show that "CorrelationID=<empty>;NoCookies=302" was returned for the failed requests: the front end did not receive the authentication cookie it had just set and redirected the client back to the sign-in page. Earlier in the log, entries for "/owa/auth.owa" indicate that the user name and password were accepted and the user was authenticated successfully.
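The following PowerShell is an added triage example, not part of the Microsoft article: it looks for the signature described above (a successful "/owa/auth.owa" request followed by "/owa" requests answered with NoCookies=302) in HttpProxy\Owa log lines. The sample lines are constructed for the example and contain only a subset of the real HttpProxy columns (real logs carry many more fields and leading "#" comment lines, which the function skips); the log path and the function name are assumptions.

```powershell
# Added example (not from the Microsoft article): detect the OWA sign-in loop signature
# in HttpProxy\Owa log lines. Correlates by ClientIpAddress because the failed "/owa"
# requests carry no authentication cookie and therefore no AuthenticatedUser.

function Find-OwaLoginLoop {
    param(
        [Parameter(Mandatory)][string[]]$LogLines
    )
    # Real HttpProxy logs start with "#Software", "#Fields" ... comment lines; drop them,
    # then parse the remaining CSV rows (header row first).
    $rows = $LogLines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv

    foreach ($client in ($rows | Group-Object ClientIpAddress)) {
        # Successful form post: credentials accepted, user identity populated.
        $authOk = @($client.Group | Where-Object {
            $_.UrlStem -eq '/owa/auth.owa' -and $_.AuthenticatedUser -ne ''
        })
        # Follow-up "/owa" request bounced back to FBA because no cookie arrived.
        $loop = @($client.Group | Where-Object {
            $_.UrlStem -eq '/owa' -and $_.GenericInfo -like '*NoCookies=302*'
        })
        if ($authOk.Count -gt 0 -and $loop.Count -gt 0) {
            [pscustomobject]@{
                ClientIpAddress = $client.Name
                Users           = ($authOk.AuthenticatedUser | Sort-Object -Unique) -join ';'
                AuthSuccesses   = $authOk.Count
                NoCookieLoops   = $loop.Count
            }
        }
    }
}

# Constructed sample (subset of real columns) showing one client that loops and one that does not.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Fields: DateTime,UrlStem,AuthenticatedUser,ClientIpAddress,HttpStatus,GenericInfo
DateTime,UrlStem,AuthenticatedUser,ClientIpAddress,HttpStatus,GenericInfo
2024-01-10T09:00:01.000Z,/owa/auth.owa,contoso\alice,10.0.0.5,302,
2024-01-10T09:00:02.000Z,/owa,,10.0.0.5,302,CorrelationID=<empty>;NoCookies=302
2024-01-10T09:00:05.000Z,/owa/auth.owa,contoso\alice,10.0.0.5,302,
2024-01-10T09:00:06.000Z,/owa,,10.0.0.5,302,CorrelationID=<empty>;NoCookies=302
2024-01-10T09:01:00.000Z,/owa/auth.owa,contoso\bob,10.0.0.9,302,
2024-01-10T09:01:01.000Z,/owa,contoso\bob,10.0.0.9,200,
'@ -split "`r?`n"

# Usage against a real log (path is an assumption for this example):
# $lines = Get-Content 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\HttpProxy_2024011009-1.LOG'
$lines = $sampleLog
Find-OwaLoginLoop -LogLines $lines | Format-Table -AutoSize
```

On the constructed sample, only 10.0.0.5 (contoso\alice) is reported, with two authentication successes and two NoCookies=302 loops; contoso\bob signs in and reaches /owa with a 200, so that client is not listed. A hit for many different clients against the same server points at a server-side cause such as the certificate issue described below rather than a single client's cookie settings.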

Cause

This problem may occur if the website is secured by a certificate that uses a Key Storage Provider (KSP) for its private key storage through Cryptography Next Generation (CNG).

Exchange Server does not support CNG/KSP certificates for securing Outlook Web App or ECP. A Cryptographic Service Provider (CSP) must be used instead. You can determine whether the private key is stored in a KSP on the server that hosts the affected website. You can also verify this from the certificate file that contains the private key (.pfx or .p12).

How to use CertUtil to determine private key storage

If the certificate is already installed on the server, run the following command:

certutil -store my <CertificateSerialNumber>

If the certificate is stored in a .pfx/.p12 file, run the following command (certutil prompts for the file password):

certutil <CertificateFileName>

In either case, the output for the certificate in question displays the following:
 

Provider = Microsoft Software Key Storage Provider

Resolution

To resolve this issue, migrate the certificate to a CSP, or request a CSP certificate from your certificate provider.

Note The steps below use the built-in Microsoft RSA SChannel Cryptographic Provider and assume that the private key can be exported from its current KSP. If the key is held by a CSP or KSP from another software or hardware vendor (for example, an HSM-backed provider), or the key is marked non-exportable, contact the relevant vendor for the appropriate instructions or request a new certificate whose key is generated in a CSP.

  1. Back up your existing certificate, including the private key. For more information about how to do this, see Export-ExchangeCertificate.

  2. Run the Get-ExchangeCertificate command to determine which services are currently bound to the certificate.

  3. Import the backed-up certificate and private key into a CSP by running the following command (certutil prompts for the .pfx password):

    certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx <CertificateFilename>

  4. Run Get-ExchangeCertificate to make sure that the certificate is still bound to the same services.

  5. Restart the server.

  6. Run the following command to verify that the certificate now has its private key stored with a CSP:

    certutil -store my <CertificateSerialNumber>

The output should now show the following:
 

Provider = Microsoft RSA SChannel Cryptographic Provider
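The following PowerShell is an added example that carries the whole procedure above through in one script; it is not code from the Microsoft article. It assumes it runs in the Exchange Management Shell on the server that hosts OWA/ECP, that $Thumbprint holds the thumbprint of the affected certificate, and that the .pfx path is a placeholder. The Get-PrivateKeyProvider function is an addition that answers the same question as "certutil -store my" by asking .NET which key implementation backs the certificate: a CNG/KSP key comes back as RSACng, a CSP key as RSACryptoServiceProvider.

```powershell
# Added example (not from the Microsoft article): check the key storage of the OWA/ECP
# certificate and migrate it from a CNG KSP to the Microsoft RSA SChannel CSP.
# Assumptions: Exchange Management Shell, $Thumbprint and $PfxPath are placeholders.

$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
$PfxPath    = 'C:\Temp\owa-cert-backup.pfx'

function Get-PrivateKeyProvider {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server" }
    # GetRSAPrivateKey returns RSACng for CNG/KSP keys and RSACryptoServiceProvider for CSP keys.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    switch ($key.GetType().Name) {
        'RSACng' {
            [pscustomobject]@{ Storage = 'KSP'; Provider = $key.Key.Provider.Provider }
        }
        'RSACryptoServiceProvider' {
            [pscustomobject]@{ Storage = 'CSP'; Provider = $key.CspKeyContainerInfo.ProviderName }
        }
        default {
            [pscustomobject]@{ Storage = 'Unknown'; Provider = $key.GetType().FullName }
        }
    }
}

$before = Get-PrivateKeyProvider -Thumbprint $Thumbprint
Write-Host "Current key storage: $($before.Storage) ($($before.Provider))"
if ($before.Storage -ne 'KSP') {
    Write-Host 'Private key is not in a KSP; nothing to migrate.'
    return
}

# Step 1: back up the certificate with its private key (fails if the key is non-exportable).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx backup'
$export = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($PfxPath, $export.FileData)

# Step 2: record which Exchange services are bound to the certificate.
$servicesBefore = (Get-ExchangeCertificate -Thumbprint $Thumbprint).Services
Write-Host "Services bound before migration: $servicesBefore"

# Step 3: re-import the same certificate with its key placed in the CSP (certutil prompts for the password).
certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

# Step 4: confirm the bindings survived (same thumbprint, so they normally do).
$servicesAfter = (Get-ExchangeCertificate -Thumbprint $Thumbprint).Services
if ("$servicesAfter" -ne "$servicesBefore") {
    Write-Warning "Service bindings changed: '$servicesBefore' -> '$servicesAfter'. Re-run Enable-ExchangeCertificate as needed."
}

# Step 6 (verification) can be run now and again after the Step 5 reboot.
$after = Get-PrivateKeyProvider -Thumbprint $Thumbprint
Write-Host "Key storage after import: $($after.Storage) ($($after.Provider))"
if ($after.Storage -ne 'CSP') { throw 'Private key is still not in a CSP; check the certutil output.' }

# Step 5: restart the server so IIS and the Exchange services pick up the re-imported key.
# Restart-Computer -Force
```

The script stops before the restart so that the verification output can be read first; uncomment the last line or reboot manually, then run Get-PrivateKeyProvider once more to confirm that the provider still reads "Microsoft RSA SChannel Cryptographic Provider". Delete the .pfx backup from disk once the migration is confirmed, since it contains the private key.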
