Can't sign in to OWA or ECP if Exchange Server OAuth certificate is expired

Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

Symptoms

When you try to sign in to Outlook Web Access (OWA) or the Exchange Control Panel (ECP) in Microsoft Exchange Server, the web browser freezes or reports that the redirect limit was reached. Additionally, Event 1003 is logged in Event Viewer. For example, the following entry is logged:

Event ID: 1003
Source: MSExchange Front End HTTPS Proxy
[Owa] An internal server error occurred. The unhandled exception was: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)

Cause

This issue occurs because the Exchange Server Open Authentication (OAuth) certificate is expired.

Resolution

To create and deploy a new OAuth certificate to the server that's running Exchange Server, follow these steps:

  1. Create a new OAuth certificate by running the following command:

    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "contoso.com"

    Note: Change the value of the DomainName parameter in the example (contoso.com) to the SMTP domain that's used in your organization.

  2. Set the new certificate for server authentication. To do this, run the following commands, replacing <ThumbprintFromStep1> with the thumbprint that step 1 returned:

    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate

  3. Restart the Microsoft Exchange Service Host service.
  4. Either run the IISReset command to restart IIS or run the following commands (in elevated mode) to recycle the OWA and ECP application pools:

    Restart-WebAppPool MSExchangeOWAAppPool
    Restart-WebAppPool MSExchangeECPAppPool

    Note: In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again to update the changes to Azure Active Directory (Azure AD).
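The four steps above can be run as one script so that the thumbprint from step 1 is carried into step 2 without being retyped, and so that the AuthConfig change is verified before services are restarted. The following is an added example, not part of this article; it assumes an elevated Exchange Management Shell on the Exchange server, and the $SmtpDomain value is a placeholder that must be replaced with your organization's SMTP domain.

```powershell
# Added example (not from the article): renew the Exchange OAuth certificate end to end.
# Assumes an elevated Exchange Management Shell on the server running Exchange Server.
param(
    # Placeholder: replace with the SMTP domain used in your organization.
    [string]$SmtpDomain = "contoso.com",
    [string]$CertName   = "Microsoft Exchange Server Auth Certificate"
)

$ErrorActionPreference = 'Stop'

# Step 1: create the new certificate and keep the returned object, so the
# thumbprint is read from it rather than copied by hand.
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "cn=$CertName" -FriendlyName $CertName -DomainName $SmtpDomain

Write-Host "Created $($newCert.Thumbprint), valid until $($newCert.NotAfter)"

# Step 2: make it the next auth certificate effective now, publish it, and
# drop the expired one. Because the effective date is less than 48 hours out,
# the first cmdlet may ask for confirmation; answer Y.
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# Check that AuthConfig now references the new certificate before restarting
# anything. Publishing can lag (see the note above), so this is a warning only.
$auth = Get-AuthConfig
if ($auth.CurrentCertificateThumbprint -ne $newCert.Thumbprint) {
    Write-Warning ("AuthConfig still shows {0}; expected {1}. Re-check after publishing completes." -f
        $auth.CurrentCertificateThumbprint, $newCert.Thumbprint)
}

# Step 3: restart the Microsoft Exchange Service Host service
# (Windows service name MSExchangeServiceHost).
Restart-Service -Name MSExchangeServiceHost

# Step 4: recycle only the OWA and ECP application pools instead of a full IISReset.
Import-Module WebAdministration
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

Write-Host "Done. In a hybrid setup, rerun the Hybrid Configuration Wizard next."
```

Run it once from an elevated Exchange Management Shell, for example `.\Renew-OAuthCert.ps1 -SmtpDomain yourdomain.example`. Keep the old thumbprint that Get-AuthConfig reported before the run, so you can confirm that the Current value changed and the Previous slot was cleared.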

More information

To check the expiration date of your certificate, follow these steps:

  1. Open the Microsoft Management Console. To do this, open the Run box (Windows logo key+R), enter MMC, and then press Enter.

    Note: If you are prompted for an administrator password or for confirmation, type the password or select Yes.
  2. Select File > Add/Remove Snap-in, select Certificates > Add > Computer Account, and then select Finish to close the window.
  3. Find the Microsoft Exchange Server Auth Certificate entry in the Personal > Certificates folder, and verify the expiration date.
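The same check can be scripted, which is useful for monitoring every Exchange server before the certificate expires rather than after OWA stops working. The following is an added example, not part of this article. It reads the thumbprint that AuthConfig currently uses and the certificate's NotAfter date, falls back to the local machine certificate store when the Exchange cmdlets are not loaded, and queries the Application log for the Event 1003 entry shown in the Symptoms section. The 30-day warning threshold is an assumption, not a value from the article.

```powershell
# Added example (not from the article): check the OAuth certificate and look
# for the Event 1003 symptom from PowerShell instead of MMC.

function Get-ExchangeAuthCertStatus {
    # Preferred path: Exchange Management Shell is loaded, so ask AuthConfig
    # which thumbprint is current and fetch that certificate.
    if (Get-Command Get-AuthConfig -ErrorAction SilentlyContinue) {
        $auth = Get-AuthConfig
        $cert = Get-ExchangeCertificate -Thumbprint $auth.CurrentCertificateThumbprint
        $next = $auth.NextCertificateThumbprint
    }
    else {
        # Fallback: plain PowerShell. Pick the newest certificate with the
        # well-known subject from the computer's Personal store.
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq 'CN=Microsoft Exchange Server Auth Certificate' } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
        $next = $null
    }
    if (-not $cert) { throw 'No Microsoft Exchange Server Auth Certificate found.' }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        DaysLeft       = $daysLeft
        Expired        = ($daysLeft -lt 0)
        NextThumbprint = $next
    }
}

function Get-FbaParseCadataEvents {
    param([int]$Hours = 24)
    # Event 1003 from the front-end proxy whose message carries the
    # FbaModule.ParseCadataCookies frame is the symptom described above.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Front End HTTPS Proxy'
        Id           = 1003
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'FbaModule\.ParseCadataCookies' }
}

$status = Get-ExchangeAuthCertStatus
$status | Format-List

if ($status.Expired) {
    Write-Warning "OAuth certificate expired on $($status.NotAfter). Follow the Resolution steps."
}
elseif ($status.DaysLeft -lt 30) {   # assumed threshold; adjust to your change window
    Write-Warning "OAuth certificate expires in $($status.DaysLeft) days. Plan the renewal."
}

$events = @(Get-FbaParseCadataEvents)
if ($events.Count -gt 0) {
    Write-Warning "$($events.Count) Event 1003 entries with the FbaModule stack in the last 24 hours."
}
```

Running this on a schedule and alerting on DaysLeft gives you the warning the MMC view cannot; the event query confirms whether sign-in failures already reported by users match this specific cause rather than an unrelated OWA problem.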