Exchange Server error in '/owa' application

New Contributor



ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1]
Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +241
Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +478
Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +143
Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +16
Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +826
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +2776
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +229
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1379
Microsoft.Exchange.HttpProxy.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e() +311
Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate) +35
Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler) +121
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method) +69

[AggregateException: One or more errors occurred.]
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +416
System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172


54 Replies

@Nikolas_Athanasakis  Hi i have the same problem it started today at 2 am on our server. We can't log in to owa and ecp. I tried to create new auth-Config certificate becouse i couldn't display the thumprint but it didin't work too. im thinking about cu 10 bot not sure if this will fix problem.

best response confirmed by Nikolas_Athanasakis (New Contributor)
Ok i found solution. Use this to create new certificate

And after creating the certificate you must wait like a hour or more for changes work. Restart dont change the wait time :)

We are having the same issue. However my current OAuth cert doesn't expire until 4/22. Any reason to replace it anyway? Also, I applied KB5004779 yesterday.
Same issue here, not sure if I should replace a valid cert or just wait for a different fix.

@Asterofus The link you provided said to restart a couple app pools.  As soon as I did that it took effect immediately.


Thank you for the answer!

I encountered the same issue, uninstalled the update and it worked. I'm going to wait to see is there is a new update that doesn't break anything.

@Asterofus Thank you for this tip it worked. One note for others. I created a new certificate and waited for almost two hours, but OWA and ECP were still not working. Then I tried to log into OWA from phone. It took a while but it loaded and stared working normaly. :) Phone method tested on two different servers with the same result. Hope it helps :) 

Thank you very much... Working Working!!! Respect!!! @Asterofus

FYI, Update:
Since our cert wasn't expired I tried and installed CU10 and that solved it for me.

@Asterofus Thanks for the link.  That did the trick for me.  I was not about to uninstall the security update.  I just reinstalled exchange in March after we got hit by HAFNIUM 2 weeks before the patch came out.


I did not have to wait an hour, I restarted the Exchange Service Host and did an IISREST and ECP and OWA worked right away.



Our cert is an externally signed cert that is due to expire next year so we wanted to keep using it and not have to generate a new self sign one.

We worked around this by just running the three PS commands below in Exchange PS

Set-AuthConfig -NewCertificateThumbprint <WE JUST USED OUR CURRENT CERT THUMPRINT HERE> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate


Note: that we did have issues running the first command because our cert had been installed NOT allowing the export of the cert key. once we reinstalled the same cert back into the (local Computer) personal cert store but this time using the option to allow export of the cert key, the commands above worked fine.

We then just needed to restart ISS and everything was golden. :D

oh and an easy way to find your thumbprints is to run the following PS command on the Exchange server. dir Cert:\LocalMachine\My
See my reply below
I did all above with out any luck.
then running the kb5004780 (Exchange 2019) i an elevated cmd, then OWA and ECP worked again.
(ran kb5004780 first as a normal user, not elevated cmd)

Thank you very much for the link! This fixed my issue as well. We were running Exchange 2013 CU23 (no SU installed) and I installed Jul21SU. I received no errors during the install and our Outlook clients could still connect after the upgrade, but I could no longer access OWA or EAC. Our cert was not expired either.  I followed the commands in the article and then ran IISRESET and both worked again! Thank you again!!

I believe this issue about evelated rights is documented in the link below. Unfortunately, this was not our issue. We were experiencing the issue @Asterofus provided the solution for.
I got wiser after I saw the article. the installer .msp should just tell that it should be run as elevated and not as a normal user, it would have solved a lot :)
I went ahead and updated the cert even though mine wasn't expired. After the other steps it started to work right away.

Hello all,


I installed Exchange 2013 CU23 on our standalone server and got the same issue:


Exception type: ExAssertException
Exception message: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

The Exchange Auth certificate wasn't expired though. Anyway I tried generating a new certificate and publish it. It didn't resolve the issues. Even after 2 hours of waiting.

After all (before trying the last resort option to uninstall CU23) I tried using the old valid certificate and published it using the same procedure as described here.

After that OWA and ECP returned back to life.


With the best regards,