Users get a security warning when trying to connect OWA and ECP
Original KB number: 4469384
Symptom
Users can't connect to OWA or ECP. The browser generates an error message that states that the session can't be secured due to inadequate security settings.
Cause
This is a known issue with Exchange 2019 RTM. The cryptography cipher suites that are configured by Exchange setup are incorrect and don't include HTTP/2 support on all supported browsers.
Resolution
Run the following PowerShell commands on each server after Exchange Server is installed.
# Copyright Microsoft Corporation 2018, All rights reserved
$script:cipherSuite = @( 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' );
# Vacate current list of suites
$suites = Get-TLSCipherSuite;
foreach ($suite in $suites)
{
if (Get-TlsCipherSuite -Name $suite.Name)
{
Disable-TlsCipherSuite -Name $suite.Name;
}
}
# Enable Cipher Suites
foreach($suite in $cipherSuite)
{
if ($suite -ne $null)
{
Enable-TlsCipherSuite -Name $suite;
}
}
#Configure Elliptic Curve Preference
Disable-TlsEccCurve "curve25519";
Enable-TlsEccCurve "NistP384" -Position 0
More information
This issue is expected to be resolved in Exchange Server 2019 Cumulative Update 1. New servers that are deployed with Cumulative Update 1 will not experience this issue. Customers who deploy a server by using the RTM version of Exchange Server 2019 or who upgrade an RTM-based server to Cumulative Update 1 (or a later version) will need to apply the workaround to each Exchange Server.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for