Exchange 2013/2016 Cumulative Update Issues

Can’t sign in to Outlook on the web or EAC if Exchange Server OAuth certificate is expired

Good Morning Folks!!

Hope this article finds you well. I have been recently working on upgrading Cumulative Updates on all Exchange Servers for all my clients, and came across this weird problem on one of their servers. The scenario was as follows:

  • Exchange Server 2013 (Article may possibly apply to Exchange Server 2016 as well)
  • Single Exchange Server Environment
  • Windows Server 2012
  • Upgrading to Cumulative Update 23 (July Version)


You are presented with the below error upon successfully signing in to either the OWA or the ECP:

Something went wrong

The above error coincided with the below error:

Event ID: 1003
Source: MSExchange Front End HTTPS Proxy
[Owa] An internal server error occurred. The unhandled exception was: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)


Without conveying my struggles to you on how to resolve the above error, I finally managed to find out that the issue was related to the installation of the cumulative update whereby the Exchange Server Open Authentication (OAuth) has expired, not present or not configured correctly.


In order to check the status of your existing OAuth certificate, run the following command in the Exchange Management Shell

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

If the command returns an error, or the certificate has expired, use the following steps to create and deploy a new OAuth certificate to the Exchange server:

  • Create a new OAuth certificate by running the following command:
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
  • Set the new certificate for server authentication. To do this, run the following commands:
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date) Set-AuthConfig -PublishCertificate Set-AuthConfig -ClearPreviousCertificate
  • Restart the Microsoft Exchange Service Host Service.
  • Either run the IISReset command to restart IIS or run the following commands (in elevated mode) to recycle the Outlook on the web and EAC application pools:
Restart-WebAppPool MSExchangeOWAAppPool Restart-WebAppPool MSExchangeECPAppPool

I was forced into restarting the server for the issue to be resolved.

Thank you for taking the time to read the article, and you are more than welcome to go through more articles in my blog by clicking here.

Leave a Reply

Your email address will not be published. Required fields are marked *

PHP Code Snippets Powered By :