Mar 08 2018 05:40 AM
Mar 08 2018 05:40 AM
I used to blog at https://blogs.technet.microsoft.com/mspfe/ , but since that location has been deprecated, I want to share my learnings here in the TechCommunity.
This week I was troubleshooting an issue on Exchange Server 2016 CU8 where OWA clients could not logon with error: X-OWA-Error: Microsoft.Exchange.Diagnostics.ExAssertException
The error message is kind enough, to list the front-end and back-end servers being used in the request through the X-FEServer and X-BEServer property.
Upon investigation, I realized that the “Microsoft Exchange Server Auth Certificate” was missing on the backend server. You can check if the certificate is available via this CmdLet:
In case the CmdLet returns empty, the required certificate is missing.
The back-end server in question was part of a whole bunch of servers in a new active directory site. All Exchange servers in this site were missing the “Microsoft Exchange Server Auth Certificate”. Usually the certificate deployment component in Exchange is responsible for copying the certificate over from other servers.
The first Exchange 2013 or 2016 server usually provides the self-signed “Microsoft Exchange Server Auth Certificate” and it is replicated to other servers in the AD site.
When you deploy the first Exchange 2013 or 2016 server into a new AD site, this copy of the certificate does not happen.
Without checking for the root cause, it appears that the new server realizes, that a certificate is already available in the organization (This can be checked via Get-AuthConfig). Then the server is not able to copy the certificate over from another AD site.
The mechanism for fixing the missing “Microsoft Exchange Server Auth Certificate” in general is explained here:
Exchange Troubleshooting: Federation or Auth certificate not found
However, the steps provided above configure a whole new Auth configuration in the organization.
I believe it is much more elegant to just add the available “Microsoft Exchange Server Auth Certificate” to the servers where it is missing.
You just need to export the “Microsoft Exchange Server Auth Certificate” via MMC including the private key and import it into the machine certificate store on only one of the mailbox servers in the new AD site where it is missing.
Within approximately an hour, the certificate deployment component will replicate it to the other Exchange servers in the new AD site and the problem will be solved.
Hope, this is helpful
Mar 08 2018 08:22 AM
Thanks @Frank Plawetzki very useful info!
Jun 06 2018 08:03 PM
Hi, I encountered with the same issue. But certificate is listed in my case.
Could you please suggest in here !
@Frank Plawetzki wrote:
Thanks, you are welcome.
Jun 07 2018 01:04 AM
Hi Subin, you need to ensure that the Auth certificate is available on all Exchange servers in your environment.
Jan 15 2019 02:50 AM