X-OWA-Error: Microsoft.Exchange.Diagnostics.ExAssertException and the Microsoft Exchange Server Auth

%3CLINGO-SUB%20id%3D%22lingo-sub-169321%22%20slang%3D%22en-US%22%3EX-OWA-Error%3A%20Microsoft.Exchange.Diagnostics.ExAssertException%20and%20the%20Microsoft%20Exchange%20Server%20Auth%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169321%22%20slang%3D%22en-US%22%3E%3CP%3EI%20used%20to%20blog%20at%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fmspfe%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fmspfe%2F%3C%2FA%3E%20%2C%20but%20since%20that%20location%20has%20been%20deprecated%2C%20I%20want%20to%20share%20my%20learnings%20here%20%26nbsp%3Bin%20the%20TechCommunity.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20week%20I%20was%20troubleshooting%20an%20issue%20on%20Exchange%20Server%202016%20CU8%20where%20OWA%20clients%20could%20not%20logon%20with%20error%3A%20X-OWA-Error%3A%20Microsoft.Exchange.Diagnostics.ExAssertException%3C%2FP%3E%0A%3CP%3EThe%20error%20message%20is%20kind%20enough%2C%20to%20list%20the%20front-end%20and%20back-end%20servers%20being%20used%20in%20the%26nbsp%3B%20request%20through%20the%20X-FEServer%20and%26nbsp%3B%20X-BEServer%20property.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUpon%20investigation%2C%20I%20realized%20that%20the%20%E2%80%9C%3CEM%3EMicrosoft%20Exchange%20Server%20Auth%20Certificate%E2%80%9D%20%3C%2FEM%3Ewas%20missing%20on%20the%20backend%20server.%20You%20can%20check%20if%20the%20certificate%20is%20available%20via%20this%20CmdLet%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGet-ExchangeCertificate%20(Get-AuthConfig).CurrentCertificateThumbprint%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20case%20the%20CmdLet%20returns%20empty%2C%20the%20required%20certificate%20is%20missing.%3C%2FP%3E%0A%3CP%3EThe%20back-end%20server%20in%20question%20was%20part%20of%20a%20whole%20bunch%20of%20servers%20in%20a%20new%20active%20directory%20site.%20All%20Exchange%20servers%20in%20this%20site%20were%20missing%20the%20%E2%80%9C%3CEM%3EMicrosoft%20Exchange%20Server%20Auth%20Certificate%E2%80%9D.%20%3C%2FEM%3EUsually%20the%20certificate%20deployment%20component%20in%20Exchange%20is%20responsible%20for%20copying%20the%20certificate%20over%20from%20other%20servers.%3C%2FP%3E%0A%3CP%3EThe%20first%20Exchange%202013%20or%202016%20server%20usually%20provides%20the%20self-signed%20%E2%80%9C%3CEM%3EMicrosoft%20Exchange%20Server%20Auth%20Certificate%E2%80%9D%20%3C%2FEM%3Eand%20it%20is%20replicated%20to%20other%20servers%20in%20the%20AD%20site%3CEM%3E.%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EWhen%20you%20deploy%20the%20first%20Exchange%202013%20or%202016%20server%20into%20a%20new%20AD%20site%2C%20this%20copy%20of%20the%20certificate%20does%20not%20happen.%3C%2FP%3E%0A%3CP%3EWithout%20checking%20for%20the%20root%20cause%2C%20it%20appears%20that%20the%20new%20server%20realizes%2C%20that%20a%20certificate%20is%20already%20available%20in%20the%20organization%20(This%20can%20be%20checked%20via%20Get-AuthConfig).%20Then%20the%20server%20is%20not%20able%20to%20copy%20the%20certificate%20over%20from%20another%20AD%20site.%3C%2FP%3E%0A%3CP%3EThe%20mechanism%20for%20fixing%20the%20missing%20%E2%80%9C%3CEM%3EMicrosoft%20Exchange%20Server%20Auth%20Certificate%E2%80%9D%20in%20general%20is%20explained%20here%3A%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EExchange%20Troubleshooting%3A%20Federation%20or%20Auth%20certificate%20not%20found%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F34914.exchange-troubleshooting-federation-or-auth-certificate-not-found.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F34914.exchange-troubleshooting-federation-or-auth-certificate-not-found.aspx%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHowever%2C%20the%20steps%20provided%20above%20configure%20a%20whole%20new%20Auth%20configuration%20in%20the%20organization.%3C%2FP%3E%0A%3CP%3EI%20believe%20it%20is%20much%20more%20elegant%20to%20just%20add%20the%20available%20%E2%80%9C%3CEM%3EMicrosoft%20Exchange%20Server%20Auth%20Certificate%E2%80%9D%20%3C%2FEM%3Eto%20the%20servers%20where%20it%20is%20missing.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20just%20need%20to%20export%20the%20%E2%80%9C%3CEM%3EMicrosoft%20Exchange%20Server%20Auth%20Certificate%E2%80%9D%20via%20MMC%20%3C%2FEM%3Eincluding%20the%20private%20key%20and%20import%20it%20into%20the%20machine%20certificate%20store%20on%20only%20one%20of%20the%20mailbox%20servers%20in%20the%20new%20AD%20site%20where%20it%20is%20missing.%3C%2FP%3E%0A%3CP%3EWithin%20approximately%20an%20hour%2C%20the%20certificate%20deployment%20component%20will%20replicate%20it%20to%20the%20other%20Exchange%20servers%20in%20the%20new%20AD%20site%20and%20the%20problem%20will%20be%20solved.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%2C%20this%20is%20helpful%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-169321%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-315105%22%20slang%3D%22en-US%22%3ERe%3A%20X-OWA-Error%3A%20Microsoft.Exchange.Diagnostics.ExAssertException%20and%20the%20Microsoft%20Exchange%20Server%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-315105%22%20slang%3D%22en-US%22%3ESame%20here.%20The%20Auth%20certificate%20is%20available%20-%20did%20you%20found%20a%20solutions%20in%20your%20case%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-201687%22%20slang%3D%22en-US%22%3ERe%3A%20X-OWA-Error%3A%20Microsoft.Exchange.Diagnostics.ExAssertException%20and%20the%20Microsoft%20Exchange%20Server%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-201687%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Subin%2C%26nbsp%3Byou%20need%20to%20ensure%20that%20the%20Auth%20certificate%20is%20available%20on%20all%20Exchange%20servers%20in%20your%20environment.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-201603%22%20slang%3D%22en-US%22%3ERe%3A%20X-OWA-Error%3A%20Microsoft.Exchange.Diagnostics.ExAssertException%20and%20the%20Microsoft%20Exchange%20Server%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-201603%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20I%20encountered%20with%20the%20same%20issue.%20But%20certificate%20is%20listed%26nbsp%3Bin%20my%20case.%3C%2FP%3E%3CP%3ECould%20you%20please%20suggest%20in%20here%20!%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9998%22%20target%3D%22_blank%22%3E%40Frank%20Plawetzki%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3EThanks%2C%20you%20are%20welcome.%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-169693%22%20slang%3D%22en-US%22%3ERe%3A%20X-OWA-Error%3A%20Microsoft.Exchange.Diagnostics.ExAssertException%20and%20the%20Microsoft%20Exchange%20Server%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169693%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20you%20are%20welcome.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-169416%22%20slang%3D%22en-US%22%3ERe%3A%20X-OWA-Error%3A%20Microsoft.Exchange.Diagnostics.ExAssertException%20and%20the%20Microsoft%20Exchange%20Server%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169416%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9998%22%20target%3D%22_blank%22%3E%40Frank%20Plawetzki%3C%2FA%3E%20very%20useful%20info!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Microsoft

I used to blog at https://blogs.technet.microsoft.com/mspfe/ , but since that location has been deprecated, I want to share my learnings here  in the TechCommunity.

 

This week I was troubleshooting an issue on Exchange Server 2016 CU8 where OWA clients could not logon with error: X-OWA-Error: Microsoft.Exchange.Diagnostics.ExAssertException

The error message is kind enough, to list the front-end and back-end servers being used in the  request through the X-FEServer and  X-BEServer property.

 

Upon investigation, I realized that the “Microsoft Exchange Server Auth Certificate” was missing on the backend server. You can check if the certificate is available via this CmdLet:

 

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

 

In case the CmdLet returns empty, the required certificate is missing.

The back-end server in question was part of a whole bunch of servers in a new active directory site. All Exchange servers in this site were missing the “Microsoft Exchange Server Auth Certificate”. Usually the certificate deployment component in Exchange is responsible for copying the certificate over from other servers.

The first Exchange 2013 or 2016 server usually provides the self-signed “Microsoft Exchange Server Auth Certificate” and it is replicated to other servers in the AD site.

When you deploy the first Exchange 2013 or 2016 server into a new AD site, this copy of the certificate does not happen.

Without checking for the root cause, it appears that the new server realizes, that a certificate is already available in the organization (This can be checked via Get-AuthConfig). Then the server is not able to copy the certificate over from another AD site.

The mechanism for fixing the missing “Microsoft Exchange Server Auth Certificate” in general is explained here:

Exchange Troubleshooting: Federation or Auth certificate not found

https://social.technet.microsoft.com/wiki/contents/articles/34914.exchange-troubleshooting-federatio...

 

However, the steps provided above configure a whole new Auth configuration in the organization.

I believe it is much more elegant to just add the available “Microsoft Exchange Server Auth Certificate” to the servers where it is missing.

 

You just need to export the “Microsoft Exchange Server Auth Certificate” via MMC including the private key and import it into the machine certificate store on only one of the mailbox servers in the new AD site where it is missing.

Within approximately an hour, the certificate deployment component will replicate it to the other Exchange servers in the new AD site and the problem will be solved.

 

Hope, this is helpful

5 Replies
Highlighted
Highlighted
Highlighted

Hi, I encountered with the same issue. But certificate is listed in my case.

Could you please suggest in here !


@Frank Plawetzki wrote:

Thanks, you are welcome.


 

Highlighted

Hi Subin, you need to ensure that the Auth certificate is available on all Exchange servers in your environment.

Highlighted
Same here. The Auth certificate is available - did you found a solutions in your case?