Forum Discussion
Exchange Server error in '/owa' application
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1]
Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +241
Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +478
Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +143
Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +16
Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +826
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +2776
Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +229
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1379
Microsoft.Exchange.HttpProxy.<>c__DisplayClass3f.<OnCalculateTargetBackEndCompleted>b__3e() +311
Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate) +35
Microsoft.Exchange.HttpProxy.Diagnostics.SendWatsonReportOnUnhandledException(MethodDelegate methodDelegate, LastChanceExceptionHandler exceptionHandler) +121
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(MethodDelegate method) +69
[AggregateException: One or more errors occurred.]
Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +416
System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172
- Ok i found solution. Use this to create new certificate https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
And after creating the certificate you must wait like a hour or more for changes work. Restart dont change the wait time 🙂
Our cert is an externally signed cert that is due to expire next year so we wanted to keep using it and not have to generate a new self sign one.
We worked around this by just running the three PS commands below in Exchange PS
Set-AuthConfig -NewCertificateThumbprint <WE JUST USED OUR CURRENT CERT THUMPRINT HERE> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificateNote: that we did have issues running the first command because our cert had been installed NOT allowing the export of the cert key. once we reinstalled the same cert back into the (local Computer) personal cert store but this time using the option to allow export of the cert key, the commands above worked fine.
We then just needed to restart ISS and everything was golden. 😄
- oh and an easy way to find your thumbprints is to run the following PS command on the Exchange server. dir Cert:\LocalMachine\My
Hello all,
I installed Exchange 2013 CU23 on our standalone server and got the same issue:
Exception type: ExAssertException Exception message: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
The Exchange Auth certificate wasn't expired though. Anyway I tried generating a new certificate and publish it. It didn't resolve the issues. Even after 2 hours of waiting.
After all (before trying the last resort option to uninstall CU23) I tried using the old valid certificate and published it using the same procedure as described here.
After that OWA and ECP returned back to life.
With the best regards,
Marat
Nikolas_Athanasakis Hi i have the same problem it started today at 2 am on our server. We can't log in to owa and ecp. I tried to create new auth-Config certificate becouse i couldn't display the thumprint but it didin't work too. im thinking about cu 10 bot not sure if this will fix problem.
- Ok i found solution. Use this to create new certificate https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
And after creating the certificate you must wait like a hour or more for changes work. Restart dont change the wait time 🙂Asterofus The link you provided said to restart a couple app pools. As soon as I did that it took effect immediately.
Thank you for the answer!
- thanks god.
Worked for me too and take 2 hours and half.
i have no more hairs ^^
- FYI, Update:
Since our cert wasn't expired I tried and installed CU10 and that solved it for me.installed exchange 2019 c11 error re certificate error.
- I went ahead and updated the cert even though mine wasn't expired. After the other steps it started to work right away.
I have the same error, I just update Exchange2016-KB5004779-x64-en for my Exchange 2016 CU20.
I take following my OAuth cert do not expire.
Help please
Nikolas_Athanasakis This solution worked for me with Exchange 2016 CU20. After installing several security updates today I experienced the same problem. I followed the instructions in the link and after restarting the two WebAppPools, OWA and ECP started working immediately. Thanks!
Ran into the same issue with the October update. In our case, the Exchange Server Auth Cert was not expired, but it was never properly activated and published. The posted solution worked like a charm without any delays.
- OAuth certificate has been expired and I am trying renew from exchange management shell and I am getting error like network services did not have permission like that. However I can see the certificate in personal folder.
I am not able to assign this certificate. please advice how do I fix this issue- Picture with error message ?
Something in évent viewer?
Can tout try as domain admin?
Is your user member of exchange admins ?
- You can cahnge system time to UTC or wait to update your time zone to utc sync. If you cahnge it to UTC it's work instantly.
