Forum Discussion

tonyguadagno
Copper Contributor
Aug 07, 2023

Upgrading from Exchange 2013 to 2019, new install of 2019: cannot log in to ECP or OWA

Hi, thanks in advance for your help.

I have an existing small environment. It consists of a pair of 2022 domain controllers; the domain/forest level is set to 2016. I have an existing 2012 (not R2) server running Exchange 2013 and a brand new 2022 server with newly installed Exchange 2019. Everything is fully patched.

The install of 2019 proceeded without error. However, I cannot log in to either OWA or ECP on the 2019 server. When I try, I just get sent back to the login screen. In the event log, I see this warning:

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 8/7/2023 1:09:12 PM 
Event time (UTC): 8/7/2023 5:09:12 PM 
Event ID: 31c12d2579ac4779bfec01933febc091 
Event sequence: 2 
Event occurrence: 1 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/2/ROOT/owa-1-133359017471842518 
    Trust level: Full 
    Application Virtual Path: /owa 
    Application Path: D:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\ 
    Machine name: HOME-EXCH1 
 
Process information: 
    Process ID: 472 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\SYSTEM 
 
Exception information: 
    Exception type: TargetInvocationException 
    Exception message: Exception has been thrown by the target of an invocation.
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
   at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
   at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
   at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
   at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
   at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
   at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
   at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
   at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.
Thumbprint: '9F650D5586F179E05BA85AE833DFB66044CA2F08'
   at System.IdentityModel.X509Util.EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)
   at System.IdentityModel.RsaEncryptionCookieTransform..ctor(X509Certificate2 certificate)
   at Microsoft.Exchange.Security.Authentication.OAuthExtension.DataHandler.RsaGenericDataProtector..ctor(X509Certificate2[] certificates)
   at Microsoft.Exchange.Clients.Owa2.Server.Core.notifications.SignalR.SignalRStartup.Configuration(IAppBuilder app)

Invalid provider type specified.

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.X509Util.EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)

 
 
Request information: 
    Request URL: https://localhost:444/owa/proxylogon.owa 
    Request path: /owa/proxylogon.owa 
    User host address: 127.0.0.1 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\SYSTEM 
 
Thread information: 
    Thread ID: 13 
    Thread account name: NT AUTHORITY\SYSTEM 
    Is impersonating: False 
    Stack trace:    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
   at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
   at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
   at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
   at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
   at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
   at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
   at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
   at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
 
 
Custom event details: 

 

I see a lot of info on the web about permissions to private keys, but I have checked and the app pool user is LocalSystem, and SYSTEM has full access to the keys. I also see some information about the provider type, but this cert was generated by the install, so would it generate a cert it could not use??

I have been working on this for days and am going around in circles. I really appreciate anyone's help on this!

Thanks

  • tonyguadagno
    Sep 01, 2023

    OK, after spending $500, 3 weeks and 4 engineers, I finally have this fixed. I hope this will help you.

    The moral of the story is: pay attention to the warning messages. In mine, you will see it referencing a cert thumbprint. This thumbprint is the Microsoft Auth Certificate on my Exchange 2019 server. I had found this article, but it talks about your auth cert being expired. My auth cert was not expired, so I dismissed it, and so did the Microsoft tech, until they could not think of anything else to do. So they recommended we recreate the auth cert anyway, and this fixed my issue.

    If you have this warning message, the issue is almost certainly the cert it references!

    Good luck.
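An added diagnostic for the ID1039 warning in this thread, written here and not part of tonyguadagno's post: it checks whether the thumbprint in the warning is the configured Auth certificate, reproduces the legacy private-key access that fails at the bottom of the stack trace, and wraps the re-creation steps Microsoft documents for replacing the Auth certificate, which is what resolved the thread. It assumes the Exchange Management Shell on the Exchange 2019 server; the function names and the '*.example.com' domain are placeholders.

```powershell
# Added diagnostic and remediation helpers for the ID1039 warning in the thread.
# Not from the original post; run in the Exchange Management Shell on the 2019 server
# as an administrator. The default thumbprint is the one quoted in the warning above.
function Test-ExchangeAuthCertificate {
    param([string]$Thumbprint = '9F650D5586F179E05BA85AE833DFB66044CA2F08')
    # 1. Is the thumbprint in the warning the Auth (OAuth) certificate Exchange is using?
    $auth = Get-AuthConfig
    "Configured Auth cert: $($auth.CurrentCertificateThumbprint); warning refers to: $Thumbprint"
    if ($auth.CurrentCertificateThumbprint -ne $Thumbprint) {
        "Thumbprint is NOT the configured Auth cert; look at the IIS port 444 binding instead."
    }
    # 2. Inspect the certificate the way OWA's SignalR startup does. The stack trace ends in
    #    X509Certificate2.get_PrivateKey, the legacy CryptoAPI (CSP) accessor, which throws
    #    "Invalid provider type specified" when the key is held by a CNG key storage provider.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    "Subject: $($cert.Subject)  NotAfter: $($cert.NotAfter)  HasPrivateKey: $($cert.HasPrivateKey)"
    try {
        $null = $cert.PrivateKey      # same call as in the trace; succeeds only for CSP keys
        "Legacy PrivateKey access: OK"
    } catch {
        "Legacy PrivateKey access FAILED: $($_.Exception.GetBaseException().Message)"
    }
    # The CNG-aware accessor reports which provider type actually holds the key:
    # RSACryptoServiceProvider = legacy CSP, RSACng = CNG key storage provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    "Private key handled by: $(if ($rsa) { $rsa.GetType().Name } else { 'none' })"
}

# 3. The remediation that resolved the thread: re-create the Auth certificate and publish it.
#    This follows the procedure Microsoft documents for replacing the Auth certificate.
#    $DomainName is a placeholder; use one of your own accepted domains.
function Reset-ExchangeAuthCertificate {
    param([string]$DomainName = '*.example.com')
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate' -DomainName $DomainName
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate          # distributes it to the other Exchange servers
    Set-AuthConfig -ClearPreviousCertificate
    Restart-Service MSExchangeServiceHost       # picks up the new Auth configuration
    iisreset                                    # restarts the OWA/ECP application pools
    return $new.Thumbprint
}

# Test-ExchangeAuthCertificate                                  # diagnose first
# Reset-ExchangeAuthCertificate -DomainName 'mail.example.com'  # then re-create if it is the cause
```

Run the diagnostic first: if the legacy accessor fails on the configured Auth certificate while the CNG-aware accessor succeeds, the private-key ACL is not the problem and re-creating the certificate is the documented fix.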

     

     

  • In the IIS Management Console, click the Binding Settings section of the Site->Exchange Back End item and verify that Microsoft Exchange Certificate is selected for port 444.
    • tonyguadagno
      Copper Contributor

      TAE_YOUN_ANN hi, thanks. My SAN cert was bound to port 444, so I changed it back to the "Microsoft Exchange" cert that setup created and I did an iisreset. That did not help.
