Upgrading from Exchange 2013 to 2019, new install of 2019: cannot log in to ECP or OWA

Hi, thanks in advance for your help.

I have an existing small environment. It consists of a pair of 2022 domain controllers; the domain/forest level is set to 2016. I have an existing 2012 (not R2) server running Exchange 2013 and a brand new 2022 server with newly installed Exchange 2019. Everything is fully patched.

The install of 2019 proceeded without error. However, I cannot log in to either OWA or ECP on the 2019 server. When I try, I just get sent back to the login screen. In the event log, I see this warning:

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 8/7/2023 1:09:12 PM 
Event time (UTC): 8/7/2023 5:09:12 PM 
Event ID: 31c12d2579ac4779bfec01933febc091 
Event sequence: 2 
Event occurrence: 1 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/2/ROOT/owa-1-133359017471842518 
    Trust level: Full 
    Application Virtual Path: /owa 
    Application Path: D:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\ 
    Machine name: HOME-EXCH1 
 
Process information: 
    Process ID: 472 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\SYSTEM 
 
Exception information: 
    Exception type: TargetInvocationException 
    Exception message: Exception has been thrown by the target of an invocation.
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
   at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
   at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
   at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
   at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
   at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
   at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
   at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
   at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.
Thumbprint: '9F650D5586F179E05BA85AE833DFB66044CA2F08'
   at System.IdentityModel.X509Util.EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)
   at System.IdentityModel.RsaEncryptionCookieTransform..ctor(X509Certificate2 certificate)
   at Microsoft.Exchange.Security.Authentication.OAuthExtension.DataHandler.RsaGenericDataProtector..ctor(X509Certificate2[] certificates)
   at Microsoft.Exchange.Clients.Owa2.Server.Core.notifications.SignalR.SignalRStartup.Configuration(IAppBuilder app)

Invalid provider type specified.

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.X509Util.EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)

 
 
Request information: 
    Request URL: https://localhost:444/owa/proxylogon.owa 
    Request path: /owa/proxylogon.owa 
    User host address: 127.0.0.1 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\SYSTEM 
 
Thread information: 
    Thread ID: 13 
    Thread account name: NT AUTHORITY\SYSTEM 
    Is impersonating: False 
    Stack trace:    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
   at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
   at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
   at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
   at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
   at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
   at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
   at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
   at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
   at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
 
 
Custom event details: 

 

I see a lot of info on the web about permissions to private keys, but I have checked, and the app pool user is LocalSystem, and SYSTEM has full access to the keys. I also see some information about the provider type, but this cert was generated by the install... so would it generate a cert it could not use??

I have been working on this for days and am going around in circles. I really appreciate anyone's help on this!

Thanks

In the IIS Management Console, click the Binding Settings section of the Site->Exchange Back End item and verify that Microsoft Exchange Certificate is selected for port 444.
Did you move the admin mailbox to Exchange 2019?

@TAE YOUN ANN Hi, thanks. My SAN cert was bound to port 444, so I changed it back to the "Microsoft Exchange" cert that setup created and did an iisreset... that did not help.

Hi, I have not moved the admin mailbox... do I have to do that in order for ECP and OWA to work?
Hi, can you point me to an article on how to do that? When I search for that, I get swamped with hits on how to move mailboxes, but not the admin mailbox.
Thanks

OK, for anyone out there struggling with this, I have a small amount of help. The reason you cannot find any info on how to move the "system mailbox" is that Microsoft does not use that term; they use the term "arbitration mailboxes". When you search on that, you get a lot of hits like this one: https://www.alitajran.com/move-arbitration-mailboxes-in-exchange-server/

@TAE YOUN ANN 

So, now that I understand how to move the arbitration mailboxes, I have done so and can confirm they are moved to my new 2019 Exchange server.

.....however...

This has not fixed my issue... ugh.

I get the exact same behavior and warning in the event viewer as before...

Any other suggestions would be appreciated.

Thanks

@tonyguadagno 

Even move mailboxes that access the Exchange admin center!

@TAE YOUN ANN , 

I picked another admin user and did a move on their mailbox. The move was successful; however, they cannot log in to either OWA or ECP now that they are on the new Exchange server.

Any other suggestions would be appreciated.

Thanks

best response confirmed by tonyguadagno (Copper Contributor)
Solution

OK, after spending $500, 3 weeks and 4 engineers, I finally have this fixed... I hope this will help you.

The moral of the story is: pay attention to the warning messages. In mine, you will see it referencing a cert thumbprint. This thumbprint is the Microsoft Auth Certificate on my Exchange 2019 server. I had found this article, but it talks about your auth cert being expired... my auth cert was not expired, so I dismissed it... and so did the Microsoft tech, until they could not think of anything else to do... so they recommended we recreate the auth cert anyway... and this fixed my issue.

If you have this warning message, the issue is almost certainly the cert it references!

Good luck
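A defender-side check, added here and not part of any post in this thread, that ties the thumbprint quoted in the 3005 warning to the Exchange auth certificate and reproduces the private-key access that the stack trace above shows failing. It assumes an Exchange Management Shell session (Windows PowerShell) on the affected server, run as an administrator; the thumbprint is the one from the event in the original post and must be replaced with the one your own warning reports.

```powershell
# Added check (not code from the thread): does the thumbprint in the ASP.NET
# 3005 warning belong to the Exchange OAuth ("Microsoft Exchange Server Auth
# Certificate"), and can its private key be opened the way OWA's startup does?
# Assumes: Exchange Management Shell on the affected server, elevated.
# Thumbprint below is the one quoted in the thread's event; substitute yours.
$eventThumbprint = '9F650D5586F179E05BA85AE833DFB66044CA2F08'

# 1. Which certificate is Exchange currently using for OAuth?
$authConfig = Get-AuthConfig
"Current auth cert thumbprint : $($authConfig.CurrentCertificateThumbprint)"
"Next auth cert thumbprint    : $($authConfig.NextCertificateThumbprint)"
if ($authConfig.CurrentCertificateThumbprint -eq $eventThumbprint) {
    "The warning refers to the current auth certificate."
} else {
    "The warning refers to a different certificate; check Get-ExchangeCertificate for its services."
}

# 2. Locate the certificate in the local machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $eventThumbprint }
if (-not $cert) { throw "Certificate $eventThumbprint not found in LocalMachine\My" }
"Subject        : $($cert.Subject)"
"Valid until    : $($cert.NotAfter)"
"HasPrivateKey  : $($cert.HasPrivateKey)"

# 3. Reproduce the failing call. The stack trace shows Exchange reaching the key
#    through X509Certificate2.PrivateKey (legacy CryptoAPI / RSACryptoServiceProvider).
#    That getter throws "Invalid provider type specified" when the key is held by a
#    CNG key storage provider rather than a CSP, and ID1039 when the key's ACL does
#    not grant the application pool identity read access. Either way the fix the
#    thread arrived at (recreating the auth certificate) yields a usable key.
try {
    $rsa = $cert.PrivateKey
    "PrivateKey opened via CSP: $($rsa.CspKeyContainerInfo.ProviderName)"
} catch {
    "PrivateKey could not be opened: $($_.Exception.Message)"
}

# 4. Show the provider and key container as Windows itself reports them.
certutil -store My $eventThumbprint
```

If step 3 fails while `HasPrivateKey` is True, the problem is the key's provider or ACL rather than a missing key, which is the situation the original post describes.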

 

 
