Outlook Web App and ECP redirect to the FBA page in Exchange Server 2013

Symptoms
Consider the following scenario:
  • In an Exchange Server 2013 environment, an Outlook Web App or Exchange Control Panel (ECP) website is configured to use forms-based authentication (FBA).
  • A user enters a valid mailbox user name and password.
When the user logs on to Outlook Web App or ECP in this scenario, the user is redirected back to the FBA page, and no error message is displayed.

Additionally, in the HttpProxy\Owa log, entries for "/owa" show that "CorrelationID=<empty>;NoCookies=302" was returned for the failed requests. Earlier in the log, entries for "/owa/auth.owa" indicate that the user was authenticated successfully.
Cause
This problem may occur if the website is secured by a certificate that uses a Key Storage Provider (KSP) for its private key storage through Cryptography Next Generation (CNG).

Exchange Server does not support CNG/KSP certificates for securing Outlook Web App or ECP. A Cryptographic Service Provider (CSP) must be used instead. You can determine whether the private key is stored in a KSP on the server that hosts the affected website, or from the certificate file that contains the private key (.pfx or .p12).

How to use CertUtil to determine private key storage

If the certificate is already installed on the server, run the following command:
certutil -store my <CertificateSerialNumber>
If the certificate is stored in a pfx/p12 file, run the following command:

certutil <CertificateFileName>
In either case, the output for the certificate in question displays the following:

Provider = Microsoft Software Key Storage Provider
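The following PowerShell script is an added example; it is not part of the KB article. It assumes it runs on the Exchange server under Windows PowerShell with .NET Framework 4.6 or later (RSACertificateExtensions is needed) and enumerates every certificate in the local machine "My" store that has a private key, reporting whether the key lives in a legacy CSP (what Exchange expects for OWA/ECP) or in a CNG KSP (the condition described under Cause). Each result is cross-checked against the "Provider =" line of the same certutil -store command the article uses.

```powershell
# Added example, not from the KB article. Assumes Windows PowerShell on the
# Exchange server and .NET Framework 4.6+ (for RSACertificateExtensions), where
# GetRSAPrivateKey returns RSACryptoServiceProvider for CSP keys and RSACng for KSP keys.

function Get-PrivateKeyStorage {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $result = [ordered]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            KeyStorage       = 'Unknown'
            Provider         = $null
            CertutilProvider = $null
            OwaEcpSupported  = $false
        }

        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI key container: a CSP. Supported for OWA/ECP.
                $result.KeyStorage      = 'CSP'
                $result.Provider        = $rsa.CspKeyContainerInfo.ProviderName
                $result.OwaEcpSupported = $true
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key stored in a Key Storage Provider: OWA/ECP will loop back to the FBA page.
                $result.KeyStorage = 'KSP'
                $result.Provider   = $rsa.Key.Provider.Provider
            }
        }
        catch {
            # Key not readable (permissions, missing key file, or a non-RSA key)
            $result.Provider = "error: $($_.Exception.Message)"
        }

        # Cross-check with the "Provider =" line of the certutil command from the article
        $line = certutil -store my $cert.Thumbprint 2>$null |
            Select-String -Pattern '^\s*Provider\s*=\s*(.+)$'
        if ($line) { $result.CertutilProvider = $line.Matches[0].Groups[1].Value.Trim() }

        [pscustomobject]$result
    }
}

# Usage: list all certificates, then narrow down to the ones that will break OWA/ECP
Get-PrivateKeyStorage | Format-Table -AutoSize
Get-PrivateKeyStorage | Where-Object { $_.KeyStorage -eq 'KSP' }
```

To see only the certificate that matters, filter the output by the thumbprint that Get-ExchangeCertificate reports with IIS in its Services column; any KSP entry there is the one to migrate under Resolution.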
Resolution
To resolve this issue, migrate the certificate to a CSP, or request a CSP certificate from your certificate provider.

Note If you use a CSP or KSP from another software or hardware vendor, contact that vendor for the appropriate instructions. The following steps apply, for example, if you use the Microsoft RSA SChannel Cryptographic Provider and the certificate is not locked into a KSP.
  1. Back up your existing certificate, including the private key. For more information about how to do this, see Export-ExchangeCertificate.
  2. Run the Get-ExchangeCertificate command to determine which services are currently bound to the certificate.
  3. Import the new certificate into a CSP by running the following command:

    certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx <CertificateFilename>
  4. Run Get-ExchangeCertificate to make sure that the certificate is still bound to the same services.
  5. Restart the server.
  6. Run the following command to verify that the certificate now has its private key stored with a CSP:

    certutil -store my <CertificateSerialNumber>
The output should now show the following:

Provider = Microsoft RSA SChannel Cryptographic Provider
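The script below is an added example, not part of the KB article, that carries the six Resolution steps through in one place. It assumes it runs in the Exchange Management Shell on the affected Exchange 2013 server, that $Thumbprint is the thumbprint of the certificate bound to IIS (OWA/ECP), and that $BackupDir is a writable local folder; the helper name Get-CertutilProvider is the script's own. The server restart (step 5) is deliberately left to the operator.

```powershell
# Added example, not from the KB article. Assumes the Exchange Management Shell on the
# affected Exchange 2013 server; $Thumbprint and $BackupDir are supplied by the operator.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$BackupDir = 'C:\CertBackup'
)

$CspName = 'Microsoft RSA SChannel Cryptographic Provider'

# Reads the "Provider = ..." line that "certutil -store my <id>" prints for one certificate
function Get-CertutilProvider {
    param([string]$Thumbprint)
    $m = certutil -store my $Thumbprint | Select-String -Pattern '^\s*Provider\s*=\s*(.+)$'
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim() }
    return $null
}

$providerBefore = Get-CertutilProvider -Thumbprint $Thumbprint
Write-Host "Current private key provider: $providerBefore"
if ($providerBefore -eq $CspName) {
    Write-Host 'Private key is already stored with the SChannel CSP; nothing to migrate.'
    return
}

# Step 1: back up the certificate together with its private key (binary PFX)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPath = Join-Path $BackupDir "$Thumbprint-$(Get-Date -Format yyyyMMddHHmm).pfx"
$pfxPassword = Read-Host -Prompt 'Password to protect the PFX backup' -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)
Write-Host "Backup written to $pfxPath"

# Step 2: record which services are currently bound to the certificate
$servicesBefore = [string](Get-ExchangeCertificate -Thumbprint $Thumbprint).Services
Write-Host "Services bound before import: $servicesBefore"

# Step 3: re-import the PFX into the CSP (certutil prompts for the PFX password)
certutil -csp $CspName -importpfx $pfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

# Step 4: confirm the same services are still bound
$servicesAfter = [string](Get-ExchangeCertificate -Thumbprint $Thumbprint).Services
if ($servicesAfter -ne $servicesBefore) {
    Write-Warning "Service bindings changed: '$servicesBefore' -> '$servicesAfter'. Use Enable-ExchangeCertificate to restore the missing services."
}

# Step 5: the restart is done by the operator, outside this script
Write-Warning 'Restart the server now, then repeat step 6 to confirm the provider.'

# Step 6 (run again after the restart): the provider line should now name the CSP
$providerAfter = Get-CertutilProvider -Thumbprint $Thumbprint
Write-Host "Private key provider after import: $providerAfter"
if ($providerAfter -ne $CspName) {
    Write-Warning "Expected '$CspName' but found '$providerAfter'."
}
```

The script refuses to proceed when the key is already in the SChannel CSP, and it compares the Services value before and after the import so that a lost IIS or SMTP binding is caught before the restart rather than discovered by users.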
Properties

Article ID: 3032024 - Last Review: 02/22/2016 17:02:00 - Revision: 3.0

Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard
