- In an Exchange Server 2013 environment, an Outlook Web App or Exchange Control Panel (ECP) website is configured to use forms-based authentication (FBA).
- A user enters a valid mailbox user name and password.
Additionally, in the HttpProxy\Owa log, entries for "/owa" show that "CorrelationID=<empty>;NoCookies=302" was returned for the failed requests. Earlier in the log, entries for "/owa/auth.owa" indicate that the user was authenticated successfully.
Exchange Server does not support CNG/KSP certificates for securing Outlook Web App or ECP. A Cryptographic Service Provider (CSP) must be used instead. You can determine whether the private key is stored in the KSP from the server that hosts the affected website. You can also verify this if you have the certificate file that contains the private key (pfx, p12).
How to use CertUtil to determine private key storage
If the certificate is already installed on the server, run the following command:
Note: If you use a CSP or KSP from another software or hardware vendor, contact the relevant vendor for the appropriate instructions. For example, the following steps apply if you use a Microsoft RSA SChannel Cryptographic Provider and the certificate is not locked into a KSP.
- Back up your existing certificate, including the private key. For more information about how to do this, see Export-ExchangeCertificate.
- Run the Get-ExchangeCertificate command to determine which services are currently bound to the certificate.
- Import the new certificate into a CSP by running the following command:
certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx <CertificateFilename>
- Run Get-ExchangeCertificate to make sure that the certificate is still bound to the same services.
- Restart the server.
- Run the following command to verify that the certificate now has its private key stored with a CSP:
certutil -store my <CertificateSerialNumber>
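The following PowerShell is an added example, not code from the article or from Exchange itself. It combines the check described above (is the private key held by a CNG Key Storage Provider or by a legacy CSP?) with the six-step procedure that follows it, for use in the Exchange Management Shell on the server that hosts the affected website. The function names Get-PrivateKeyProviderType and Move-ExchangeCertificateKeyToCsp, the backup path under $env:TEMP, and the requirement for .NET Framework 4.6 or later (for RSACertificateExtensions) are assumptions of this example; the Exchange cmdlets and the certutil options are the ones the article names, plus certutil's -p option to pass the PFX password.

```powershell
# Added example, not part of KB 3032024 or of Exchange. Run in the Exchange Management
# Shell on the affected server. Assumed: .NET Framework 4.6 or later, the certificate
# is in the local computer's My store, and $env:TEMP is writable for the backup PFX.

function Get-PrivateKeyProviderType {
    # Returns 'CSP', 'KSP', 'None' or 'Unknown' for the certificate with the given thumbprint.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { return 'None' }

    # On Windows, GetRSAPrivateKey returns RSACryptoServiceProvider for a key held by a
    # legacy CSP and RSACng for a key held by a CNG Key Storage Provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    switch ($rsa.GetType().Name) {
        'RSACryptoServiceProvider' { return 'CSP' }
        'RSACng'                   { return 'KSP' }
        default                    { return 'Unknown' }
    }
}

function Move-ExchangeCertificateKeyToCsp {
    # Re-creates the private key under the Microsoft RSA SChannel CSP following the
    # article's steps: back up, record bindings, import into the CSP, re-check bindings.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][SecureString]$PfxPassword,
        [string]$BackupPath = (Join-Path $env:TEMP "$Thumbprint.pfx")
    )

    if ((Get-PrivateKeyProviderType -Thumbprint $Thumbprint) -ne 'KSP') {
        Write-Host "Private key for $Thumbprint is not held by a KSP; nothing to do."
        return $null
    }

    # Step 1: back up the certificate together with its private key.
    $export = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded -Password $PfxPassword
    [System.IO.File]::WriteAllBytes($BackupPath, $export.FileData)

    # Step 2: record the Exchange services currently bound to the certificate.
    $before = (Get-ExchangeCertificate -Thumbprint $Thumbprint).Services

    # Step 3: import the PFX into the CSP. certutil takes the password on its command
    # line, so the SecureString is converted only for the duration of this call.
    $plain = (New-Object System.Net.NetworkCredential('', $PfxPassword)).Password
    & certutil.exe -p $plain -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

    # Step 4: make sure the certificate is still bound to the same services.
    $after = (Get-ExchangeCertificate -Thumbprint $Thumbprint).Services
    if ("$before" -ne "$after") {
        throw "Service bindings changed from '$before' to '$after'; restore them with Enable-ExchangeCertificate."
    }

    # Steps 5 and 6 are manual: restart the server, then confirm with
    # 'certutil -store my <CertificateSerialNumber>' or Get-PrivateKeyProviderType.
    [pscustomobject]@{
        Thumbprint   = $Thumbprint
        Backup       = $BackupPath
        Services     = "$after"
        ProviderType = Get-PrivateKeyProviderType -Thumbprint $Thumbprint
    }
}

# Usage (thumbprint is a placeholder):
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Move-ExchangeCertificateKeyToCsp -Thumbprint '<Thumbprint>' -PfxPassword $pw
```

The function refuses to act unless the key is actually in a KSP, so running it against a certificate that is already CSP-backed is harmless. The binding comparison after the import is the detection point for the article's step 4: if the services no longer match, the certificate must be re-enabled before the server is restarted.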
Article ID: 3032024 - Last Review: Feb 22, 2016 - Revision: 1