Exchange Server 2013/16 OWA/ECP not working after installing security update

After installing the July Security update access to ECP and OWA is broken. Mail Flow works, but accessing OWA or ECP returns the following error:

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

Server Error in '/owa' Application.
 ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
 Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
 Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
 Source Error:
 An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
 Stack Trace:
 [ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1]
    Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +241
    Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert(Boolean condition, String formatString, T1 parameter1, T2 parameter2) +2694334
    Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +363
    Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +140
    Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +14
    Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +1032
    Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +3581
    Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20
    Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +257
    Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1528
    Microsoft.Exchange.HttpProxy.<>c__DisplayClass280_0.<OnCalculateTargetBackEndCompleted>b__0() +303
    Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate) +35
    Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method) +59
 [AggregateException: One or more errors occurred.]
    Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +414
    System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231
    System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172
 Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4330.0 

An expired auth certificate will prevent you from accessing ECP and OWA, Outlook clients slow to start and not displaying the user’s calendar and so on…

You could follow the steps below to renew your auth certificate, which is recorded in Microsoft official document: Can’t sign in to Outlook on the web or EAC if Exchange Server OAuth certificate is expired

How to Check Auth Certificate?

Open up Exchange Management Shell as an administrator and run the following command;


or you can also check by navigating to IIS Manager -> Backend -> Bindings then select “Microsoft Exchange Server Auth Certificate” and click View

One you have found the Thumbprint now get details of the certificate by running the following command;

Get-ExchangeCertificate -Thumbprint <CB1E6xxxxxxxxxxxxxxxx> | fl

Let’s Generate a New Certificate

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

Now setting up the newly generated certificate;

 Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
 Set-AuthConfig -PublishCertificate
 Set-AuthConfig -ClearPreviousCertificate

Restart Microsoft Exchange Host Service

Restart IIS Server by running the following command;

iisreset /noforce

wait for it to restart the service, if it fails then go to services.msc and look for World Wide Publishing Service, so it will take few more seconds wait and start it manually.

You are all set !

For Exchange Server Hybrid Environment you have to re-run Hybrid Configuration Wizard.