Blog Post

Exchange Team Blog
6 MIN READ

Released: July 2021 Exchange Server Security Updates

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Jul 13, 2021
Microsoft has released security updates for vulnerabilities found in: Exchange Server 2013 Exchange Server 2016 Exchange Server 2019 All versions (Cumulative Update levels) are impacted. ...
Updated Aug 05, 2021
Version 15.0
announcements
Exchange 2013
exchange 2016
exchange 2019
security
setup
ExpertNSK's avatar
ExpertNSK
Copper Contributor
Jul 22, 2021

Hi, i have Exchange Server 2013 CU23 on Windows Server 2012 R2  and AD on Windows Server 2012 R2. 

I installed SU KB5004778 using Microsoft Update. After the update, ECP \ OWA - httpCode = 500 does not work. First of all, I checked the certificate with the command:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

The certificate was not found. I updated it, installed it according to the article: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired .
When the command: 

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)

was executed, I received a notification:
"The validity date of the new certificate does not come at least after "48" hours and may not be available for deployment on all required servers. Proceed?" - I confirmed. 

After 4 hours ECP \ OWA does not work.

In the event log, every time you try to log in to ECP \ OWA, the following events appear:

 Source: ASP.NET 4.0.30319.0  EventID: 1309

 

Spoiler

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 22.07.2021 18:32:24
Event time (UTC): 22.07.2021 11:32:24
Event ID: 723762ba2fd0427fa4d182db21bad221
Event sequence: 56
Event occurrence: 17
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT/owa-2-132714267063136299
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\
Machine name: EXCHANGE

Process information:
Process ID: 12140
Process name: w3wp.exe
Account name: NT AUTHORITY\СИСТЕМА

Exception information:
Exception type: ExAssertException
Exception message: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
в Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters)
в Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()
в Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()
в Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)
в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
в Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method)



Request information:
Request URL: https://localhost:443/OWA/auth.owa
Request path: /OWA/auth.owa
User host address: ::1
User: MYDOMAIN\HealthMailboxc8d513b
Is authenticated: True
Authentication Type: Basic
Thread account name: NT AUTHORITY\СИСТЕМА

Thread information:
Thread ID: 50
Thread account name: NT AUTHORITY\СИСТЕМА
Is impersonating: False
Stack trace: в Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters)
в Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()
в Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()
в Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)
в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
в Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method)


Custom event details:

Source: MSExchange Front End HTTP Proxy, EventID: 1003

 

Spoiler
[Owa] An internal server error occurred. The unhandled exception was: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
в Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters)
в Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()
в Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()
в Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)
в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)

 

 

I tried the recommendations of the article: https://docs.microsoft.com/ru-ru/exchange/troubleshoot/client-connectivity/event-1309-code-3005-cannot-access-owa-ecp 

I did  

Setup.exe / PrepareSchema / IAcceptExchangeServerLicenseTerms

 

Сheck HealthChecker.ps1 returned 

 

Spoiler
Valid Auth Certificate Found On Server: True
SMB1 Installed: True
SMB1 Blocked: False
SMB1 should be uninstalled SMB1 should be blocked
More Information: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-and-smbv1/ba-p/1165615
Security Vulnerability: CVE-2021-34470
See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34470 for more information.

Full report i can send to message. What can I do?