tonyguadagno
Aug 07, 2023
upgrading from exchange 2013 to 2019, new install of 2019..cannot login to ecp or owa
Hi, thanks in advance for your help.
I have an existing small environment. It consists of a pair of 2022 domain controllers; the domain/forest level is set to 2016. I have an existing 2012 (not R2) server running Exchange 2013 and a brand new 2022 server with newly installed Exchange 2019. Everything is fully patched.
The install of 2019 proceeded without error. However, I cannot log in to either OWA or ECP on the 2019 server. When I try, I just get sent back to the login screen. In the event log, I see this warning:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 8/7/2023 1:09:12 PM
Event time (UTC): 8/7/2023 5:09:12 PM
Event ID: 31c12d2579ac4779bfec01933febc091
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT/owa-1-133359017471842518
Trust level: Full
Application Virtual Path: /owa
Application Path: D:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\
Machine name: HOME-EXCH1
Process information:
Process ID: 472
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: TargetInvocationException
Exception message: Exception has been thrown by the target of an invocation.
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.
Thumbprint: '9F650D5586F179E05BA85AE833DFB66044CA2F08'
at System.IdentityModel.X509Util.EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)
at System.IdentityModel.RsaEncryptionCookieTransform..ctor(X509Certificate2 certificate)
at Microsoft.Exchange.Security.Authentication.OAuthExtension.DataHandler.RsaGenericDataProtector..ctor(X509Certificate2[] certificates)
at Microsoft.Exchange.Clients.Owa2.Server.Core.notifications.SignalR.SignalRStartup.Configuration(IAppBuilder app)
Invalid provider type specified.
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.X509Util.EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)
Request information:
Request URL: https://localhost:444/owa/proxylogon.owa
Request path: /owa/proxylogon.owa
User host address: 127.0.0.1
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
Thread information:
Thread ID: 13
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
Custom event details:
I see a lot of info on the web about permissions to private keys, but I have checked and the app pool user is LocalSystem, and SYSTEM has full access to the keys. I also see some information about the provider type, but this cert was generated by the install... so would it generate a cert it could not use??
I have been working on this for days and am going around in circles. I really appreciate anyone's help on this!
Thanks
OK, after spending $500, 3 weeks and 4 engineers, I finally have this fixed... I hope this will help you.
The moral of the story is: pay attention to the warning messages. In mine, you will see it referencing a cert thumbprint. This thumbprint is the Microsoft Auth Certificate on my Exchange 2019 server. I had found this article, but it talks about your auth cert being expired... my auth cert was not expired, so I dismissed it... and so did the Microsoft tech, until they could not think of anything else to do... so they recommended we recreate the auth cert anyway... and this fixed my issue.
If you have this warning message, the issue is almost certainly the cert it references!
Good luck
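The check the poster ended up doing by hand (does the thumbprint in the 3005 warning belong to the Exchange Server Auth Certificate, and can its private key actually be opened?) can be scripted. This is an added example, not code from the thread or from Microsoft; it assumes it is run from the Exchange Management Shell on the 2019 server, and the `-Recreate` path follows the documented New-ExchangeCertificate / Set-AuthConfig sequence with a placeholder domain name you must replace.

```powershell
# Added diagnostic for the ID1039 / "Invalid provider type specified" warning.
# Default thumbprint is the one quoted in the original post; pass your own from the event.
param(
    [string]$EventThumbprint = '9F650D5586F179E05BA85AE833DFB66044CA2F08',
    [string]$DomainName = '*.example.com',   # assumption: replace with your SMTP domain
    [switch]$Recreate
)

# 1. Is the thumbprint from the event the current OAuth (auth) certificate?
$auth = Get-AuthConfig
if ($auth.CurrentCertificateThumbprint -eq $EventThumbprint) {
    "Thumbprint matches the current Exchange Server Auth Certificate."
} else {
    "Thumbprint does NOT match the auth cert (current: $($auth.CurrentCertificateThumbprint))."
}

# 2. Inspect the certificate in the machine store; expiry alone is not the deciding factor.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $EventThumbprint }
if (-not $cert) { Write-Warning "Certificate $EventThumbprint not found in LocalMachine\My"; return }
"Subject      : $($cert.Subject)"
"NotAfter     : $($cert.NotAfter)"
"HasPrivateKey: $($cert.HasPrivateKey)"

# 3. The stack trace fails inside X509Certificate2.PrivateKey, the legacy CSP-only path.
#    Try that path and the CNG-aware path separately so the real cause (ACL vs. provider) shows up.
try   { $null = $cert.PrivateKey; "Legacy CSP access : OK" }
catch { "Legacy CSP access : FAILED - $($_.Exception.Message)" }
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    "Key provider type : $($rsa.GetType().Name)"   # RSACryptoServiceProvider = CSP, RSACng = CNG
} catch { "GetRSAPrivateKey  : FAILED - $($_.Exception.Message)" }

# 4. Optional: recreate the auth certificate, which is what resolved the thread's issue.
if ($Recreate) {
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate' -DomainName $DomainName
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate
    iisreset
    "Auth certificate replaced with $($new.Thumbprint); retest OWA/ECP login."
}
```

Run it without `-Recreate` first; if step 1 matches and step 3 fails on the legacy path while step 2 shows a valid, unexpired certificate, you are in the same situation as the poster.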
- Did you move the admin mailbox to Exchange 2019?
- tonyguadagno: Hi, I have not moved the admin mailbox... do I have to do that in order for ECP and OWA to work?
- Yes, that's right.
- In the IIS Management Console, click the Binding Settings section of the Site -> Exchange Back End item and verify that Microsoft Exchange Certificate is selected for port 444.
- tonyguadagno: TAE_YOUN_ANN hi, thanks. My SAN cert was bound to port 444, so I changed it back to the "Microsoft Exchange" cert that setup created and I did an iisreset... that did not help.