Microsoft has released security updates for vulnerabilities found in:
Exchange Server 2013
Exchange Server 2016
Exchange Server 2019
All versions (Cumulative Update levels) are impacted. ...
Updated Aug 05, 2021
Version 15.0
Blog Post
For those that may stumble across this in the future.
When you renew the Microsoft Exchange Auth Certificate as per this article:http:// https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
The steps include setting a -NewCertificateEffectiveDate for the certificate.
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
You can view the output of this command in the MSExchange Management event log to confirm what the NewCertificateEffectiveDate is which has been set.
Reviewing the date/time against the changes in Get-Authconfig and reviewing the certificate validity period "NotAfter" and "NotBefore" all matched the actual dates/times the changes were made.
There's possibly a bug with how the -NewCertificateEffectiveDate is applied.
After creating the Cert we waited an hour and still had no ECP/OWA access. Event logs 1309 and 1003 continued to be generated on each attempt to access the ECP.
Our Exchange Server time zone is NZDT so UTC +13.
At 8:04:05pm 2nd October NZDT (the Exchange servers time zone), we ran the Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate and set a date/time of "2/10/2021 7:04:05 AM" - this effective date was 13 hours in the past, the certificate should be immediately effective.
13 hours later at 3rd October 9:04:05am NZDT, being 2nd October 8:05pm UTC actual time the certificate became useable, ECP/OWA access was available.
Looks to be a bug or undocumented. This also looks to explain why some people have reported +1 to +4 hours for the renewed certificate to become effective. Different timezones, different effective dates/time for the certificate.