Exchange 2016 OWA / ECP issue: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

Server Error in '/owa' Application.
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Source Error:
Stack Trace:
[ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1]
   Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +235
   Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert(Boolean condition, String formatString, T1 parameter1, T2 parameter2) +90
   Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +359
   Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +140
   Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +14
   Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +1032
   Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +3578
   Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +256
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1528
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.b__3e() +303
   Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate) +35
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method) +59

[AggregateException: One or more errors occurred.]
   Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +413
   System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231
   System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172

[Owa] An internal server error occurred. The unhandled exception was: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
   at Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters)
   at Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates()
   at Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider()
   at Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays)
   at Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication)
   at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer)
   at Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy()
   at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate()
   at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon)
   at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass3f.b__3e()
   at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)

If you did not prepare your schema and AD before installing the CU, you need to do that first.

Go to the folder of the latest CU21 and run these commands.

setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms

Microsoft's solution can be found here: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired

Check the status of your existing OAuth certificate

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

Create a new OAuth certificate 

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

Set the new certificate for server authentication, replacing <ThumbprintFromStep1> with the thumbprint returned by New-ExchangeCertificate above

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)

Set-AuthConfig -PublishCertificate

Set-AuthConfig -ClearPreviousCertificate

Restart the Microsoft Exchange Service Host service

Either run the IISReset command to restart IIS or run the following commands:

Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

And now wait several hours.

In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again to update the changes to Azure Active Directory (Azure AD).
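
A read-only check to run in the Exchange Management Shell before and after the rotation, as an added example (not from the original post or from Microsoft's article): it reports whether the thumbprint stored in the auth configuration resolves to a certificate on each non-Edge server and whether that certificate is inside its validity window. The function name Test-AuthCertificate, the state labels and the 30-day warning window are assumptions, as is the expectation that every non-Edge server should hold the certificate.

```powershell
# Added example. Makes no changes; only reads configuration and certificate metadata.
function Test-AuthCertificate {
    param(
        [int]$WarnDays = 30   # assumed warning window, not taken from the page
    )

    # The auth configuration stores one organization-wide thumbprint.
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    if ([string]::IsNullOrEmpty($thumb)) {
        return [pscustomobject]@{
            Server = '(organization)'; Thumbprint = $null
            NotAfter = $null; State = 'NoThumbprintInAuthConfig'
        }
    }

    $now = Get-Date
    # Edge servers are skipped: they are not queried with -Server here.
    $servers = Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -notlike '*Edge*' }

    foreach ($server in $servers) {
        # List and filter instead of -Thumbprint so a missing certificate
        # yields $null rather than an error.
        $cert = Get-ExchangeCertificate -Server $server.Name |
            Where-Object { $_.Thumbprint -eq $thumb } |
            Select-Object -First 1

        $state = if (-not $cert)                               { 'MissingOnServer' }
                 elseif ($cert.NotAfter  -lt $now)                { 'Expired' }
                 elseif ($cert.NotBefore -gt $now)                { 'NotYetValid' }
                 elseif ($cert.NotAfter  -lt $now.AddDays($WarnDays)) { 'ExpiringSoon' }
                 else                                             { 'Valid' }

        [pscustomobject]@{
            Server     = $server.Name
            Thumbprint = $thumb
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            State      = $state
        }
    }
}

Test-AuthCertificate | Format-Table -AutoSize
```

Any state other than Valid on a server that handles OWA or ECP logons is worth resolving before users report the error; after the rotation, rerun it until every server shows the new thumbprint as Valid.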
