Released: July 2021 Exchange Server Security Updates
Published Jul 13 2021 10:32 AM

Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

All versions (Cumulative Update levels) are impacted. Updates are available for the following specific builds of Exchange Server:

IMPORTANT: If you are installing the security updates manually, you must install the .msp from an elevated command prompt (see Known Issues in the update KB article).

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU20 and CU21
  • Exchange Server 2019 CU9 and CU10

The July 2021 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Latest /PrepareSchema needed for full effect

Because of additional security hardening work for CVE-2021-34470, the following actions should be taken in addition to applying the July 2021 security updates, depending on the latest version of Exchange installed in the organization:

  • Exchange 2016 CU21 or Exchange 2019 CU10: Nothing; the schema was extended during installation of the June 2021 CUs.

  • Exchange 2016 CU20 or Exchange 2019 CU9: Extend the schema using the June 2021 CUs.

  • Exchange 2013 CU23:

    - Install the July 2021 Security Update for Exchange 2013.

    - Extend the Active Directory schema from an elevated command prompt. The command will be similar to the following, run with the setup.exe from your Exchange installation folder (by default C:\Program Files\Microsoft\Exchange Server\V15\Bin\setup.exe):

      Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

    NOTES:

    - For Exchange 2013 only, the schema version will not change after this.

    - If the Schema Master is in an empty root domain, consider installing the Exchange 2013 CU23 Management Tools on Windows Server 2012 R2 in that domain, installing the July SU there, and then running /PrepareSchema from that workstation.

  • Older versions of Exchange (earlier than 2013), or Exchange no longer installed in the forest: see How to update AD schema to address CVE-2021-34470 if Exchange is very old or no longer installed.
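The post asks you to run /PrepareSchema but gives no way to confirm the run took effect. The following PowerShell is an added example, not part of the post or of any Microsoft tooling: it reads back the three Active Directory values Exchange setup raises (rangeUpper on ms-Exch-Schema-Version-Pt for /PrepareSchema, objectVersion on the organization container for /PrepareAD, objectVersion on Microsoft Exchange System Objects for /PrepareDomain) directly from the schema master, so replication lag does not hide a recent change. It requires the ActiveDirectory RSAT module. The expected values are parameters because they depend on which CU's setup.exe you ran; 15334 is the rangeUpper a commenter in this thread reports after Exchange 2016 CU21 /PrepareSchema, and for Exchange 2013 CU23 the post states that rangeUpper does not change after the July SU run, so there the Health Checker remains the authoritative test.

```powershell
# Added example (not from the blog post): read back the AD values Exchange setup raises,
# so a /PrepareSchema, /PrepareAD or /PrepareDomain run can be verified.
# Requires the ActiveDirectory RSAT module and read access to the schema,
# configuration and domain partitions.
Import-Module ActiveDirectory

function Get-ExchangeSchemaState {
    # Read from the schema master: /PrepareSchema writes there first and the
    # thread's DAG walkthrough waited for replication before continuing.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $rootDse      = Get-ADRootDSE -Server $schemaMaster

    # rangeUpper on ms-Exch-Schema-Version-Pt is the value /PrepareSchema raises.
    $versionAttr = Get-ADObject -Server $schemaMaster -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper

    # objectVersion on the Exchange organization container is raised by /PrepareAD.
    $org = Get-ADObject -Server $schemaMaster `
        -SearchBase "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion

    # objectVersion on Microsoft Exchange System Objects is raised by /PrepareDomain.
    # The container may not exist in an empty root domain (the post mentions that
    # layout), so a missing object is reported as $null rather than as an error.
    $meso = Get-ADObject -Server $schemaMaster `
        -Identity "CN=Microsoft Exchange System Objects,$($rootDse.defaultNamingContext)" `
        -Properties objectVersion -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SchemaMaster              = $schemaMaster
        SchemaRangeUpper          = [int]$versionAttr.rangeUpper
        OrganizationObjectVersion = [int]$org.objectVersion
        DomainObjectVersion       = if ($meso) { [int]$meso.objectVersion } else { $null }
    }
}

function Test-ExchangeSchemaState {
    param(
        # Pass the rangeUpper you expect for the CU whose setup.exe you ran.
        # 15334 is the value the thread reports after Exchange 2016 CU21 /PrepareSchema.
        [Parameter(Mandatory)][int]$ExpectedRangeUpper
    )
    $state = Get-ExchangeSchemaState
    $state | Add-Member -NotePropertyName SchemaExtended `
        -NotePropertyValue ($state.SchemaRangeUpper -ge $ExpectedRangeUpper) -PassThru
}

# Caveat from the post: for Exchange 2013 CU23 the schema version does not change after
# the July 2021 SU /PrepareSchema run, so an unchanged rangeUpper is expected there.
Test-ExchangeSchemaState -ExpectedRangeUpper 15334 | Format-List
```

Run it once before and once after /PrepareSchema; only SchemaRangeUpper should move, which matches what the Microsoft reply in the comments tells a poster who saw objectVersion stay at its CU20 values.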

Known issues in July 2021 security updates

During the release of April 2021 SUs, we received some reports of issues after installation. The following issues reported for April 2021 SUs also apply to July SUs and have the following workarounds:

  • Administrator/Service accounts ending in ‘$’ cannot use the Exchange Management Shell or access ECP. The only workaround at this time is to rename Admin accounts or use accounts with no ‘$’ at the end of the name.
  • Some cross-forest Free/Busy relationships based on Availability address space can stop working (depending on how authentication was configured) with the error: “The remote server returned an error: (400) Bad Request.” Please see this KB article for how to solve this problem.
  • Cmdlets executed against the Exchange Management Console using an invoked runspace might fail with the following error message: The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode. Please see this KB article for more information.
  • Installing June 2021 Cumulative Updates for Exchange 2016 or 2019 might fail with the error: System.NullReferenceException: Object reference not set to an instance of an object. Please see this KB article for resolution.
  • Starting with July 2021 updates, users might be redirected back to the login page when using OWA/ECP if organization uses Load Balancing. You should avoid running mixed pools (servers with the latest SU applied together with servers which have not yet received the update). Please see this KB article for more information.
  • Prior to installing the Security Update (SU), we recommend you check if a valid Microsoft Exchange Server Auth Certificate is present on every Exchange server (except Edge Transport servers). The easiest way to do this is to run the Exchange Health Checker and check the Auth Certificate output.

You can also run the following PowerShell command to check if the Auth Certificate is available on your system:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

If there is no Auth Certificate or it has expired, then follow the steps outlined here to configure it correctly.

Please note: In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again to update the changes to Azure Active Directory (Azure AD). If this certificate is missing or is expired, users may face issues logging in to OWA/ECP with HTTP 500 error after application of July updates. KB article is here.
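The single Get-ExchangeCertificate command above checks only the server the shell is connected to, while the post asks for the certificate to be present on every server. The following PowerShell is an added example, not from the post or the Exchange team: it runs the same check against every non-Edge server from the Exchange Management Shell, flags a missing or expired Auth Certificate (the condition the post ties to the OWA/ECP HTTP 500 error after the July SU), and shows the pending certificate from Get-AuthConfig so you can tell a freshly published certificate that has not yet become current from one that is absent. The 30-day warning threshold is an assumption of this example, not a Microsoft value.

```powershell
# Added example (not from the blog post): report the Exchange Server Auth Certificate
# on every non-Edge server. Run from the Exchange Management Shell.
function Get-AuthCertificateReport {
    param([int]$WarnDays = 30)   # assumption of this example, not a Microsoft value

    $authConfig = Get-AuthConfig
    $thumbprint = $authConfig.CurrentCertificateThumbprint
    if ([string]::IsNullOrWhiteSpace($thumbprint)) {
        Write-Warning 'Get-AuthConfig has no CurrentCertificateThumbprint: no Auth Certificate is configured.'
        return
    }

    # Edge Transport servers are excluded, as the post says.
    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }

    foreach ($server in $servers) {
        # Look for the organization's current Auth Certificate in this server's store.
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumbprint `
            -ErrorAction SilentlyContinue

        $status = if (-not $cert) { 'MISSING: not in this server''s certificate store' }
                  elseif ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' }
                  elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { "EXPIRING within $WarnDays days" }
                  else { 'OK' }

        [pscustomobject]@{
            Server         = $server.Name
            Thumbprint     = $thumbprint
            Subject        = if ($cert) { $cert.Subject }  else { $null }
            NotAfter       = if ($cert) { $cert.NotAfter } else { $null }
            Status         = $status
            # A certificate published with Set-AuthConfig but not yet effective shows up here;
            # the post notes publication can take about an hour.
            NextThumbprint = $authConfig.NextCertificateThumbprint
            NextEffective  = $authConfig.NextCertificateEffectiveDate
        }
    }
}

Get-AuthCertificateReport | Format-Table -AutoSize
```

Any server reporting MISSING or EXPIRED should be fixed by following the linked KB before the SU is installed; re-run the report after publishing, and again on each server, since the store on a single node is what the HMACProvider error in the comments complains about.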

Update installation

Because of the recommended schema update requiring the latest set of June 2021 CUs, there are several scenarios that you might need to follow:

Inventory your Exchange Servers / determine which updates are needed

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU. Then click the “Tell me the steps” button, to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
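Get-ExchangeServer reports the CU level but not whether a Security Update is installed, and a commenter below notes that wmic qfe and Get-HotFix do not list Exchange SUs on Server Core. A Microsoft reply in the comments gives the reliable check: the file version of Exsetup.exe. The following PowerShell is an added example, not from the post: it runs that check on every non-Edge server over WinRM and marks each server as patched, unpatched or unreachable, which also exposes the mixed load-balancer pool the Known Issues section warns about. The only expected build taken from this page is 15.2.922.13 (Exchange 2019 CU10 + July 2021 SU); the values for other versions must be added from the SU KB articles and are left out here rather than guessed.

```powershell
# Added example (not from the blog post): inventory the ExSetup.exe build on every
# Exchange server. Assumes WinRM access to each server from the Exchange Management Shell.
function Get-ExchangeBuildInventory {
    param(
        # Builds that count as "patched". 15.2.922.13 is the only value stated on this page
        # (Exchange 2019 CU10 + July 2021 SU); add the others from the SU KB articles.
        [version[]]$PatchedBuilds = @([version]'15.2.922.13')
    )

    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }

    foreach ($server in $servers) {
        $fileVersion = $null
        try {
            # Exsetup.exe lives in the Exchange Bin folder, which is on PATH on an Exchange
            # server, so Get-Command resolves it. FileVersion is zero-padded
            # ("15.02.0922.013"); the [version] cast below normalises it to 15.2.922.13.
            $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
                (Get-Command Exsetup.exe).FileVersionInfo.FileVersion
            } -ErrorAction Stop
        } catch {
            $fileVersion = $null
        }

        $build = if ($fileVersion) { [version]$fileVersion } else { $null }

        [pscustomobject]@{
            Server              = $server.Name
            # CU level only; the SU level is not visible here, hence the ExSetup check.
            AdminDisplayVersion = $server.AdminDisplayVersion.ToString()
            ExSetupBuild        = $build
            Status              = if (-not $build) { 'UNREACHABLE' }
                                  elseif ($PatchedBuilds -contains $build) { 'PATCHED' }
                                  else { 'CHECK: build not in patched list' }
        }
    }
}

# Servers behind one load balancer should all show PATCHED before the pool is put back
# into mixed service; the Known Issues section describes the login loop otherwise.
Get-ExchangeBuildInventory | Sort-Object Status, Server | Format-Table -AutoSize
```

Passing the full list of July 2021 SU builds for your CU levels in -PatchedBuilds turns the CHECK status into a genuine "not yet updated" finding.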

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the July 2021 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Instructions seem to indicate that for Exchange 2013, we should extend the schema after July 2021 SU is installed; is that correct?
Yes. Because we did not release an Exchange 2013 Cumulative Update (CU) that contains the new schema updates, the July 2021 SU package updates the schema files in the Exchange server folders when the July 2021 SU is installed. That is why, once those files are updated (that is, once the SU is installed), we ask you to explicitly update the schema using setup.exe from the \V15\Bin folder.

We have Exchange 2016 CU20 and 2019 CU9 servers and have installed July 2021 security updates but did not run /PrepareSchema using June 2021 CUs first. Is this a problem?
No. Extension of AD schema using June 2021 CU is really a separate step that should be taken to address a specific CVE. There is no dependency in July 2021 SUs on this schema change, or vice versa. Just make sure that both of those actions are taken; order is not important.

Updates to this post:

  • 8/5: Added a link to How to update AD schema to address CVE-2021-34470 if Exchange is very old or no longer installed
  • 7/20: Merged "Installation tips" section into "Known issues" section and provided additional detail and links
  • 7/19: Added a note about updating servers in a Load Balancing (LB) pool
  • 7/15: Added a clarification that all CU levels of Exchange are impacted; we release security updates for the latest CUs only. Please see this for more information on update cadence.
  • 7/15: Added a note about how to extend schema in a root domain with no Exchange servers.
  • 7/15: Added a note that schema version does not change after schema extension if Exchange 2013 Server is the latest version in the org.
  • 7/15: Added the installation tips section and moved the info about OWA/ECP errors there.
  • 7/14: Added a note about what to do if OWA/ECP with HTTP 500 error is seen after application of SUs.
  • 7/13: Clarified the graphics to illustrate that Exchange Server 2016 CU20 and Exchange Server 2019 CU9 with July SUs are not 'fully' updated (because we released June CUs for both versions).

The Exchange Team

216 Comments
Copper Contributor

We have Exchange 2016 CU20 servers and have installed July 2021 security updates but did not yet run /PrepareSchema using June 2021 CUs first.

 

Question1: can we update the schema only but otherwise not install CU21? Is this supported?

 

Question2: I’ve seen some different paths referenced to setup.exe - if we do only apply the CU21 schema update, am I correct the setup.exe to be used is the one in the CU’s mounted ISO?

Copper Contributor

Just to add some variety to the comments. 

 

I just successfully upgraded (1) of our (6) Exchange 2019 Server Core DAG members to CU10 (previously CU8) along with KB5004780.

 

(2) of the (6) servers host passive copies of the databases and sit in a separate datacenter. (1) of these servers were used to test these updates.

 

All Exchange services sit behind a NLB (Network Load-Balancer).

 

My process went as follows:

 

  1. Ran HealthChecker.ps1 on server, prior to upgrade, and confirmed OAuth certificate existed and was not expired
  2. Attached CU10 .iso to Domain Controller in Primary AD site. (Site with Domain Controller holding FSMO roles)
  3. Assigned AD account to the "EnterpriseAdmin" and "SchemaAdmin" groups. 
  4. Ran the following command from an elevated command prompt using an AD account with the above group memberships:
    1. D:\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
  5. Allowed replication to replicate changes over night.
  6. Disabled server being updated in NLB.
  7. Placed server into maintenance mode.
  8. Rebooted server
  9. Ran the following command from an elevated command prompt using the same AD account as above:
    1. D:\Setup.exe /IAcceptExchangeServerLicenseTerms /Mode:Upgrade /DomainController:<FQDN of DC in site where server being upgraded sits>
  10. Rebooted server after CU installed.
  11. Installed July Windows Updates
  12. Rebooted server
  13. Installed KB5004780 by issuing the following command from an elevated command prompt under the same AD account as above:
    1. C:\msiexec.exe /p Exchange2019-KB5004780-x64-en.msp /qb
  14. Rebooted server
  15. Took server out of maintenance mode
  16. Enabled server in NLB.
  17. Disabled secondary Exchange server in NLB and tested access to updated Exchange server through the VIP on NLB.
    1. Ex: 192.168.1.1/owa
  18. Confirmed OWA loaded and verified connection to patched server was shown in statistics on NLB.
  19. Complete.
Copper Contributor

 

@The_Exchange_Team @Nino Bilic @Yeroen1966 

 

I am seeing the same thing Yeroen1966 is with the schema update. The .msp patch file pulled down through Windows Update contains the newer LDF files but it only extracted the files named:

 

PostExchange2000_schema99.ldf

PostExchange2003_schema99.ldf

PostWindows2003_schema99.ldf

schema99.ldf

 

These ldf files did not get extracted and loaded:

schemaadam.ldf

SchemaVersion.ldf

So it appears only part of the schema got updated. The HealthChecker.ps1 script also doesn't seem to check all parts of the schema so it gives a false positive of it being patched? Schema version stays at 15312 because of the two missed files.

 

So do we manually load the two missing files??

 

Edit:  Just saw the note added about the schema version not updating if you were already on CU23 and applied the July patch. 

Copper Contributor

Re-Post with updates:

We have Exchange 2016 CU20 servers and have installed July 2021 security updates but did not yet run /PrepareSchema using June 2021 CU21 yet.

Question1: Can we update the schema only but otherwise not install CU21? Is this supported?

Question2: I’ve seen some different paths referenced to setup.exe for the schema update - if we do only apply the CU21 schema update, am I correct the setup.exe to be used is the one in CU21's mounted ISO?

Question3: Assuming it is supported to only update the schema for a 2016CU20 server with the July 2021 SU's installed - is it only /PrepareSchema that is required? (ie we don't have to run /PrepareAD or /PrepareDomain until we are ready to actually install CU21)

Microsoft

@wazcal Yes (it is supported), Yes (run it from CU21) and Yes (only /prepareschema)

Copper Contributor

I have noticed the link to the July Patch Article in the Security Update Guide goes to the April 2021 patch (5001779) and not the July 2021 (5004779) patch for all versions except Exchange 2016 CU21 and Exchange 2019 CU10. I had downloaded the .msp file for the April patch and was ready to install tonight but just happened to notice that it was the April patch and not the July patch. 

 

@Nino Bilic Can you please get the right links on the Security Update Guide? Unless I'm missing something?

 

Thanks!

 

SSemanco_1-1626381600051.png

Microsoft

@SSemanco the links are correct... but I understand why this is a bit confusing (it is basically a documentation issue). I addressed this question on Page 1 in comments, this should take you straight there:

Released: July 2021 Exchange Server Security Updates - Microsoft Tech Community

Copper Contributor

I am running Server 2019 Core and Exchange 2019 CU8. I installed CU10 and all seemed to go well. I tried to install the SU and see no indication it actually installed. I am running PowerShell as administrator. I tried running just the name of the file and it went through the GUI and said it finished. I rebooted but running wmic qfe list does not show it listed as installed. So I ran the file with the /qn switch and after a long time the server rebooted itself. wmic qfe still does not show it installed. Any clues to how to get it installed and how to verify it is installed? I did try the healthchecker script links in the previous posts but running it on my other box in the cluster it reports all up to date even though I have not even run CU10 on it yet, so I don't trust that script.

Thanks

Microsoft

@david812 just use the Health Checker script with the -server parameter and pass the server name. Make sure to use the latest release (aka.ms/ExchangeHealthChecker)

You can also run Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo} locally. Build should be 15.2.922.13 for E19 CU10 + July 2021 SU.

Copper Contributor

Ok.  the " Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo} " showed the correct version.

Thank you very much for your accurate and very quick reply!!!

Copper Contributor

What is the current version of the healthchecker script?

Thank you

Copper Contributor

@Nino Bilic unfortunately it's 10 hours now and even though the new auth cert seems to be found when I run

 

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint 

 

The error still is present on all servers after doing iis reset etc and steps in article 

 

I applied update through normal windows update thus not needing the elevated prompt which is how i have run all security updates

 

There seems to be more to this issue than doing just the fix above, so I think it really needs some extra investigation due to the volume of people still reporting it. I'll have to raise a support case to hopefully help with the issue, as I have only found that uninstalling the update fixes the issue.

Copper Contributor

For multiple Exchange servers, should I install the July SU on ALL Exchange 2013 servers first, then update schema at last? 

And both expired and valid Microsoft Exchange Server Auth Certificate on some of CAS servers, can I just remove expired one ? 

Thanks. 

Microsoft

@david812 The latest version is: 21.07.13.1221. You will get the latest version using this link: https://aka.ms/ExchangeHealthChecker . The script has an auto-update function. If you run it on a computer with internet access and the version to be used is not current, the script performs an update.

@AADSI the Health Checker does not check the schema version. We test whether the changes that came with the schema update have been applied.

@fw888888 Make sure to update the Auth certificate (as outlined here: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oa...). Wait some time until the deployment of the new Auth certificate is completed. Run the Health Checker (https://aka.ms/ExchangeHealthChecker) against every server and check the Auth certificate (see: Installation Tips section of the blog post). Deploy / install the July 2021 Security Update (SU) and then run the PrepareSchema.

Copper Contributor

@Lukas Sassl and @Joshua Davis 

 

It looks like after patching the second node and extending AD Schema, login to ECP and OWA works as before.

Thank you.

Copper Contributor

@Lukas Sassl 

 

Can I extend the AD schema if my domain controllers are Windows Server 2008R2?

MI Exchange 2013 CU23 on windows server 2012r2

Copper Contributor

@sasger thank you so much, it worked for me

Brass Contributor

@Nino Bilic Great Success ;)
it worked great, thanks for your hint.
One more thing we stumbled upon was that with a freshly set up Server 2012 R2 you have to install .NET 4.8 and also C++ Redist 2012 Update 4 https://www.microsoft.com/en-US/download/details.aspx?id=30679 else I would get errors like "Could not load file or assembly 'Microsoft.Exchange.CabUtility.dll' or one of its dependencies. The specified module could not be found."

Copper Contributor

Hello everybody.

Does anyone have an idea, what should be the path for Schema Update in our configuration?

 

Exchange 2013 CU23 - June2021 SU

We are running Hybrid scenario with EXO/O365

Because there is a plan to upgrade and migrate to Exchange 2019, schema was already updated by Exchange 2019 CU9 binaries - rangeUpper 17002 (yea, I know latest is CU10).

But only schema was updated, there is none Exchange 2019 server yet.

 

So we will go with installing the July 2021 SU for Exchange 2013 CU23, but then what? I guess we should not run the schema update from the current Exchange 2013, or am I wrong? I'm really confused here. Does it mean that we need to install the first Exchange 2019 in order to be fully safe?

 

Thank you

urbandan

Copper Contributor

Good afternoon,

 

We're running Exchange Server 2016 CU20 on-prem and I've just run the setup command from the CU21 .iso to extend the Active Directory schema. Installation reported that the extension had completed successfully but when I check the object versions referred to in Prepare Active Directory and domains for Exchange Server, Active Directory Exchange Server, Exchange... only the value for the rangeUpper column has changed (to 15334). The values for objectVersion (default) and objectVersion (Configuration) remain at their CU20 values (13240 and 16220 respectively).

 

Is this expected behavior ?

 

Regards,

 

Scott

Brass Contributor

I am running CU20 with July2021 SecurityUpdates. As I have read, I now have to update the Schema with CU21.

Is it sufficient to only run this command: Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

 

or do I have to run all of the 3 commands?

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareAD /OrganizationName:"ExchangeOrganisationName" /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms
 
Sorry for asking, but I have never installed CUs using the command line...
After schema update (to schema of CU21) is it safe to stay on CU20 for a while? We don't have the time at the moment to test CU21 in detail.
Copper Contributor

Hi,


Question:

If I directly install Exchange 2016 CU21, doing PrepareSchema as part of an Exchange 2010 to 2016 upgrade, is this enough?

Thanks.

Microsoft

@gjrodrigo Yes!

Microsoft

@Duncan1528 Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms is what you need and yes, it is safe to run like this until you update to next CU.

@sbeane66 Yes, this is expected because you just ran /prepareschema, and the schema version therefore got increased.

@urbandan If you already extended the schema using Exchange 2019 binaries, then all that you should do is extend the schema using the latest Exchange 2019 CU (CU10)

Copper Contributor

@Nino Bilic: thx a lot. Actually when I think about it, it makes sense. Let's do that

  1. install the July 2021 SU to Exchange 2013 servers and then
  2. execute "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms" from Exchange 2019 CU10 binaries
Copper Contributor

Thanks for the great blog and comments.

 

I am planning to install this update this week, I have found that we have an expired OAuth certificate. Not sure what it is used for, but as it has been expired for 2 years already I assume that it was not really necessary. I do not want to end up in the OWA/ECP error 500, so I was wondering if it would be a good idea to Publish a new certificate first and then start the update. Or will it conflict / stop publishing when I start the update directly after the publish commands?

 

My plan for a standalone Exchange 2013:

1. Publish new certificate and restart AppPools & IIS.

2. Wait about 15 minutes.

3. Run Windows Update to install KB5004778

4. Run the Schema Update

 

Does this make any sense?

Microsoft

@Kokkie deployment of a new Auth certificate takes a couple of hours. So, you should give the deployment process some time. 

I'd recommend replacing the certificate as outlined here: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oa... After that, wait a couple of hours (if you have the time, just kick of the process to replace the certificate a day before installing the update). Then install the Security Update and run the PrepareSchema command.

Copper Contributor

I have followed all the steps in the various MS discussions on this to no avail - OWA/ECP remains broken on my 2013 Server. I extended the schema, I deleted and re-issued the auth cert (which was still valid) and even cleared out the Canary Data. I waited for 24 Hours. Rebooted etc etc. The big question is: after extending the schema as required can I still safely uninstall KB5004778?

Microsoft

@DesertSweeper what issue do you see? The HMACProvider.GetCertificates:protectionCertificates.Length<1 or Session expired?

Copper Contributor

@Lukas Sassl I get The HMACProvider.GetCertificates:protectionCertificates.Length<1 in Event Viewer

Copper Contributor

We have three environments, where Exchange Server 2016 CU19 is running with installed security updates from March, April and May. To install the July security updates, we need to go to a more current CU. CU21 is currently not an option, since we faced performance degradation issues with AMSI in our test environment. So we plan to install CU20 on top of CU19 for now.

 

Could someone clarify the following: When we install CU20, do we need to install Apr21SU and May21SU prior to Jul21SU? Or does the Jul21SU already contain the other two?

 

Thanks for your advice!

Microsoft

@mfacen You don't need to install the other Security Updates for CU20. Just install the July 2021 SU. You should also run /PrepareSchema from CU21.

 

@DesertSweeper I've dropped you a PM.

Copper Contributor

@Lukas Sassl I see in the log file of the health checker:

 

MAPI Front End App Pool GC Mode: Workstation --- Error
To Fix this issue go into the file MSExchangeMapiFrontEndAppPool_CLRConfig.config in the Exchange Bin directory and change the GCServer to true and recycle the MAPI Front End App Pool

 

Is the resolution?

Copper Contributor

I changed the MSExchangeMapiFrontEndAppPool_CLRConfig.config config (bin directory) from false to true and recycled the mapi-front-end-pool and it works. Thank you so much for your patience

Copper Contributor

@Lukas Sassl 

Thanks!

 

Last question. If OWA/ECP breaks, will Outlook / iPhone mail / SMTP transport still work? I have no users using OWA and I can do without ECP while fixing any issue.

 

Copper Contributor

@Kokkie it only affects the web services. Everything else continues to run fine.

Copper Contributor

@DesertSweeper 

Thanks, that makes it a low risk for me if it breaks.

Iron Contributor
@david812 Running wmic qfe, or running get-hotfix or looking for updates in WAC when looking for installed Exchange hotfixes on a Windows 2019 Core server does not work and will logically lead people to think that the hotfix is not installed. This is not a problem with other Windows Server security hotfixes - only with Exchange hotfixes.
This is an issue for administrators, installers, auditors etc. It's been reported many times without any response other than "run Healthchecker", which is a waste of time when you or someone auditing the system who knows nothing about Exchange and its idiosyncrasies just needs a simple answer as to whether a particular hotfix has been installed or not.

 

Copper Contributor

On Exchange 2013

installed CU23,

OWA became inaccessible, replaced the certificate, OWA becomes accessible... but...

noticed that exchange will not send out email

discovered this article that mentions the schema update.  did that.

exchange will not send e-mail outbound. Any new email composed in OWA gets moved to draft and not sent.

Multiple reboots, iisrestarts, service restarts.... nothing 

So right now, the main issue is that we can't send email. We think we are seeing 401 errors in the logs (for example):
POST /ews/exchange.asmx - 444 - 192.168.1.88 ExchangeInternalEwsClient-EwsStoreDataProvider+(ExchangeServicesClient/15.00.1497.000) - 401
Any suggestions?

Copper Contributor

As others have stated the login loop issue with servers behind a load balancer appears to be corrected once you apply the July 2021 Security Patch to all servers in the load balancer.  This morning I have tested this again and now I have both of our servers running Exchange 2016 CU21 with the July Security Patch.  So far I have not noticed any issues logging into ECP or OWA like I was seeing last week with only having one of my servers patched. 

Copper Contributor

I updated to Exchange 2019 CU10 and the Security update and now users are complaining of OWA timing out quickly. I checked the "ActivityBasedAuthenticationTimeoutInterval" and it is set for 6 hours. Any ideas where else I can look for this issue?

Thanks

Copper Contributor

Tagging to follow

Copper Contributor

Hello,

We are using Exchange2013 CU23 on premise and have an hybrid environment.

We updated our ExchangeServers successfully and now we are trying to update our Schema. And there we encountered a problem.

During the prerequisite it failed at 96%. 

 

CMD/Setup:

Microsoft Exchange Server 2013 Cumulative Update 23 Unattended Setup

Performing Microsoft Exchange Server Prerequisite Check

Prerequisite Analysis FAILED
The On-Premises test failed with the message: Object reference not set to an instance of an object..
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DidOnPremisesSettingCreatedAn...


The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the
<SystemDrive>:\ExchangeSetupLogs folder.

 

error(s) in Exchangesetuplog:

 

[07-22-2021 07:55:28.0679] [1] Failed [Rule:DidOnPremisesSettingCreatedAnException] [Message:The On-Premises test failed with the message: Object reference not set to an instance of an object..]
[07-22-2021 07:55:28.0679] [1] [REQUIRED] The On-Premises test failed with the message: Object reference not set to an instance of an object..
[07-22-2021 07:55:28.0679] [1] Help URL: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DidOnPremisesSettingCreatedAn...

 

Unfortunately, there is no information on the Microsoft site provided in the error message.

 

In the Exchangesetuplog we see also this message:

[07-22-2021 07:55:28.0679] [1] Evaluated [Setting:MicrosoftExchangeSystemObjectsCN] [HasException:True] [Value:
System.DirectoryServices.DirectoryServicesCOMException (0x8007202B): A referral was returned from the server.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at Microsoft.Exchange.Management.Deployment.ADProvider.Run(Boolean useGC, String directoryEntry, String[] listOfPropertiesToCollect, String filter, SearchScope searchScope)
at Microsoft.Exchange.Management.Analysis.PrereqAnalysis.<CreateActiveDirectoryPrereqProperties>b__120(Result`1 x)
at Microsoft.Exchange.Management.Analysis.Builders.SettingBuilder`2.<>c__DisplayClass1.<SetValue>b__0(Result x)
] [ParentValue:"<NULL>"] [Thread:41] [Duration:00:00:46.3759730]
[07-22-2021 07:55:28.0679] [1] Finished [Setting:MicrosoftExchangeSystemObjectsCN] [Duration:00:00:46.3759730]

 

and this one:

 

[07-22-2021 07:54:43.0115] [1] Evaluated [Setting:IsHybridObjectFoundOnPremises] [HasException:True] [Value:
Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetectionException: The On-Premises test failed with the message: Object reference not set to an instance of an object.. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.TestOnPremisesOrgRelationshipDomainsCrossWithAcceptedDomain(IOnPremisesHybridDetectionCmdlets onPremCmdlets)
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
--- End of inner exception stack trace ---
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
at Microsoft.Exchange.Management.Analysis.PrereqAnalysis.<.ctor>b__27(Result`1 x)
at Microsoft.Exchange.Management.Analysis.Builders.SettingBuilder`2.<>c__DisplayClass1.<SetValue>b__0(Result x)
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.TestOnPremisesOrgRelationshipDomainsCrossWithAcceptedDomain(IOnPremisesHybridDetectionCmdlets onPremCmdlets)
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
] [ParentValue:"<NULL>"] [Thread:44] [Duration:00:00:00.8437672]
[07-22-2021 07:54:43.0115] [1] Finished [Setting:IsHybridObjectFoundOnPremises] [Duration:00:00:00.8437672]

 

We need help or information to upgrade our AD schema so we are not vulnerable anymore!

Copper Contributor

additional information added at our post of problems with Schema-update:

 

In the Exchangesetuplog we see also this message:

[07-22-2021 07:55:28.0679] [1] Evaluated [Setting:MicrosoftExchangeSystemObjectsCN] [HasException:True] [Value:
System.DirectoryServices.DirectoryServicesCOMException (0x8007202B): A referral was returned from the server.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at Microsoft.Exchange.Management.Deployment.ADProvider.Run(Boolean useGC, String directoryEntry, String[] listOfPropertiesToCollect, String filter, SearchScope searchScope)
at Microsoft.Exchange.Management.Analysis.PrereqAnalysis.<CreateActiveDirectoryPrereqProperties>b__120(Result`1 x)
at Microsoft.Exchange.Management.Analysis.Builders.SettingBuilder`2.<>c__DisplayClass1.<SetValue>b__0(Result x)
] [ParentValue:"<NULL>"] [Thread:41] [Duration:00:00:46.3759730]
[07-22-2021 07:55:28.0679] [1] Finished [Setting:MicrosoftExchangeSystemObjectsCN] [Duration:00:00:46.3759730]

 

and this one:

 

[07-22-2021 07:54:43.0115] [1] Evaluated [Setting:IsHybridObjectFoundOnPremises] [HasException:True] [Value:
Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetectionException: The On-Premises test failed with the message: Object reference not set to an instance of an object.. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.TestOnPremisesOrgRelationshipDomainsCrossWithAcceptedDomain(IOnPremisesHybridDetectionCmdlets onPremCmdlets)
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
--- End of inner exception stack trace ---
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
at Microsoft.Exchange.Management.Analysis.PrereqAnalysis.<.ctor>b__27(Result`1 x)
at Microsoft.Exchange.Management.Analysis.Builders.SettingBuilder`2.<>c__DisplayClass1.<SetValue>b__0(Result x)
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.TestOnPremisesOrgRelationshipDomainsCrossWithAcceptedDomain(IOnPremisesHybridDetectionCmdlets onPremCmdlets)
at Microsoft.Exchange.Management.Deployment.HybridConfigurationDetection.HybridConfigurationDetection.RunOnPremisesHybridTest()
] [ParentValue:"<NULL>"] [Thread:44] [Duration:00:00:00.8437672]
[07-22-2021 07:54:43.0115] [1] Finished [Setting:IsHybridObjectFoundOnPremises] [Duration:00:00:00.8437672]

Copper Contributor

Hi, I have Exchange Server 2013 CU23 on Windows Server 2012 R2 and AD on Windows Server 2012 R2.

I installed SU KB5004778 using Microsoft Update. After the update, ECP \ OWA does not work (httpCode = 500). First of all, I checked the certificate with the command:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

The certificate was not found. I updated it and installed it according to the article: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oa... .
When the command: 

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)

was executed, I received a notification:
"The validity date of the new certificate does not come at least after "48" hours and may not be available for deployment on all required servers. Proceed?" - I confirmed. 

After 4 hours, ECP \ OWA does not work.

In the event log, every time you try to log in to ECP \ OWA, the following events appear:

Source: ASP.NET 4.0.30319.0  EventID: 1309

 


Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 22.07.2021 18:32:24
Event time (UTC): 22.07.2021 11:32:24
Event ID: 723762ba2fd0427fa4d182db21bad221
Event sequence: 56
Event occurrence: 17
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT/owa-2-132714267063136299
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\
Machine name: EXCHANGE

Process information:
Process ID: 12140
Process name: w3wp.exe
Account name: NT AUTHORITY\СИСТЕМА

Exception information:
Exception type: ExAssertException
Exception message: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
в Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters)
в Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()
в Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()
в Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)
в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
в Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method)



Request information:
Request URL: https://localhost:443/OWA/auth.owa
Request path: /OWA/auth.owa
User host address: ::1
User: MYDOMAIN\HealthMailboxc8d513b
Is authenticated: True
Authentication Type: Basic
Thread account name: NT AUTHORITY\СИСТЕМА

Thread information:
Thread ID: 50
Thread account name: NT AUTHORITY\СИСТЕМА
Is impersonating: False
Stack trace: в Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters)
в Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()
в Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()
в Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)
в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
в Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method)


Custom event details:

Source: MSExchange Front End HTTP Proxy, EventID: 1003

 

[Owa] An internal server error occurred. The unhandled exception was: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
в Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters)
в Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()
в Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()
в Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)
в Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
в Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
в Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e()
в Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)

 

 

I tried the recommendations of the article: https://docs.microsoft.com/ru-ru/exchange/troubleshoot/client-connectivity/event-1309-code-3005-cann... 

I did  

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

 

Checking with HealthChecker.ps1 returned:

 

Valid Auth Certificate Found On Server: True
SMB1 Installed: True
SMB1 Blocked: False
SMB1 should be uninstalled SMB1 should be blocked
More Information: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-and-smbv1/ba-p/1165615
Security Vulnerability: CVE-2021-34470
See: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34470 for more information.

I can send the full report by message. What can I do?

Copper Contributor

@ExpertNSK 
After you set the new certificate thumbprint (and confirmed the prompt), you also need to publish the AuthConfig certificate to all of the Exchange servers, as well as clear out the previous certificate. First run an FL in PowerShell so you have a snapshot of the current settings:

Get-AuthConfig | FL

Make sure the current thumbprint field shows the new certificate then run:
Set-AuthConfig -PublishCertificate

After that, you should run:
Set-AuthConfig -ClearPreviousCertificate

Then run another snapshot to confirm that the previous certificate field is gone:
Get-AuthConfig | FL
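The check in the post above (Get-ExchangeCertificate against the AuthConfig thumbprint) and the publish/clear sequence in this reply, as one added PowerShell script that is not from either poster. It assumes it runs in the Exchange Management Shell and that the ServerRole filter matches your servers; the -Fix switch is a name chosen here.

```powershell
# Added example (not from the thread): verify the AuthConfig (OAuth) certificate state
# after a Set-AuthConfig rotation, then optionally run the publish/clear steps.
# Run from the Exchange Management Shell; the $Fix switch name is an assumption.
param(
    [switch]$Fix    # when set, run the publish/clear steps; otherwise only report
)

$before = Get-AuthConfig
"Current : $($before.CurrentCertificateThumbprint)"
"Previous: $($before.PreviousCertificateThumbprint)"
"Next    : $($before.NextCertificateThumbprint) (effective $($before.NextCertificateEffectiveDate))"

if (-not $before.CurrentCertificateThumbprint) {
    throw "No current AuthConfig certificate is set; run Set-AuthConfig -NewCertificateThumbprint first."
}

# OWA/ECP fail with "HMACProvider.GetCertificates:protectionCertificates.Length<1" when the
# front-end server cannot load this certificate, so confirm the thumbprint resolves on
# every server, not just the one where the rotation was run.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox|ClientAccess' }
$missing = foreach ($s in $servers) {
    $cert = Get-ExchangeCertificate -Server $s.Name `
        -Thumbprint $before.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
    if (-not $cert) { $s.Name }
    elseif ($cert.NotAfter -lt (Get-Date)) { "$($s.Name) (expired $($cert.NotAfter))" }
}
if ($missing) {
    Write-Warning "AuthConfig certificate missing or expired on: $($missing -join ', ')"
}

if ($Fix) {
    Set-AuthConfig -PublishCertificate          # copy the certificate to the other servers
    Set-AuthConfig -ClearPreviousCertificate    # drop the old thumbprint so it is no longer used
    $after = Get-AuthConfig
    if ($after.PreviousCertificateThumbprint) {
        Write-Warning "PreviousCertificateThumbprint is still set; re-run or check AD replication."
    } else {
        "Rotation complete; recycle IIS (iisreset) on each server to reload the certificate."
    }
}
```

Run it once without -Fix to see where the certificate is missing before changing anything.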

Copper Contributor

@JoshGardner 

Yes. After the command:

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)

I ran the commands:

Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

and an IISReset.

Now the command Get-AuthConfig | FL returns:

RunspaceId : 569af6a9-5855-4a5c-a08a-1db541958cbb
CurrentCertificateThumbprint : 76CECC370D75297*****
PreviousCertificateThumbprint :
NextCertificateThumbprint :
NextCertificateEffectiveDate :
ServiceName : 00000002-0000-0ff1-ce00-000000000000
Realm :
Name : Auth Configuration
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
DistinguishedName : CN=Auth Configuration,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
Identity : Auth Configuration
Guid : f5994286-9035-4233-a1dd-b00bee367c31
ObjectCategory : nsksan.local/Configuration/Schema/ms-Exch-Auth-Auth-Config
ObjectClass : {top, container, msExchContainer, msExchAuthAuthConfig}
WhenChanged : 22.07.2021 18:24:26
WhenCreated : 11.09.2014 19:47:03
WhenChangedUTC : 22.07.2021 11:24:26
WhenCreatedUTC : 11.09.2014 12:47:03
OrganizationId :
Id : Auth Configuration
OriginatingServer : dc1.mydomain.local
IsValid : True
ObjectState : Unchanged
Copper Contributor

@Yeroen1966 
This article mentions the error you received; granted, it's for Exchange 2016 and 2019, but it may be worth taking a look at.


https://support.microsoft.com/en-us/topic/-object-reference-not-set-to-an-instance-of-an-object-erro...

You may need to run the AD Preps (like /PrepareSchema and /PrepareAD)

Copper Contributor

@JoshGardner

We have the Computers container, so that's not the problem... but thanks for sharing.

Version history
Last update: Aug 05 2021 01:07 PM