Frequently Asked Question
You can't sign in to Exchange OWA (Outlook Web Access) or ECP/EAC if your certificate is expired. This also appears to happen after patch KB5004780 or KB5004778 is installed. Following the instructions below should resolve this issue.
Error Message:
HMACProvider.GetCertificates:protectionCertificates.Length
Step 1
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "[your domain here].com"
Copy the thumbprint for use in the next step.
Step 2
Set-AuthConfig -NewCertificateThumbprint [insert thumbprint] -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
Step 3
Restart the Microsoft Exchange Service Host Service.
Step 4
Run the following commands from an elevated prompt to recycle the Outlook on the web and EAC application pools:
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool
Or run the IISReset command to restart IIS.
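A check to run before Step 1 (to confirm the auth certificate is the cause) and again after Step 4 (to confirm the new thumbprint is in use). This is an added example, not part of the original FAQ; the function name Test-ExchangeAuthCertificate, the -Server default and the 30-day warning threshold are assumptions, and it must be run in the Exchange Management Shell.

```powershell
# Added example: compares the thumbprint in the auth configuration with the
# certificate actually installed on each server and reports its expiry state.
function Test-ExchangeAuthCertificate {
    param(
        [string[]]$Server = @($env:COMPUTERNAME),  # assumption: servers to check
        [int]$WarnDays = 30                        # assumption: warning threshold
    )

    # Thumbprint Exchange currently uses for server-to-server auth tokens
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    if (-not $thumb) {
        Write-Warning 'Get-AuthConfig reports no current auth certificate thumbprint.'
        return
    }

    foreach ($name in $Server) {
        $cert = $null
        try {
            $cert = Get-ExchangeCertificate -Server $name -Thumbprint $thumb -ErrorAction Stop
        } catch {
            # Configured thumbprint is not installed on this server
        }

        if (-not $cert) {
            [pscustomobject]@{ Server = $name; Thumbprint = $thumb
                               NotAfter = $null; DaysLeft = $null; State = 'MISSING' }
            continue
        }

        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                 elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                 else { 'OK' }

        [pscustomobject]@{ Server = $name; Thumbprint = $thumb
                           NotAfter = $cert.NotAfter; DaysLeft = $daysLeft; State = $state }
    }
}

Test-ExchangeAuthCertificate | Format-Table -AutoSize
```

A State of EXPIRED or MISSING before Step 1 matches the symptom described above; after Step 4 the thumbprint shown should be the one copied in Step 1 and the State should be OK.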