Sometimes strange things happen. In the past few days I faced a really weird issue with a migration from Exchange 2010 to Exchange 2016 for a customer.
I was at the point where Exchange 2016 should be inserted as the frontend server for all communications: all the Kemp load balancers (LAN and DMZ) were switched over and all the checks were OK.
SMTP, ActiveSync, Outlook Anywhere, Autodiscover, ECP and OWA were OK, and the authentication between servers worked fine. Inbound and outbound SMTP mail flow was moved to the brand new servers. I also tested some mailbox migrations and access to OWA and ECP.
That was fine, so mailbox migration time! The customer's IT manager started migrating some test mailboxes before starting the massive migration, and after a couple of days they had problems accessing Outlook Web Access. It was my turn to check what the problem was.
Unfortunately, this is an incredibly generic error that can be caused by a variety of different problems. After a brief read of the Event Viewer I found an ASP.NET warning and an OAuth warning every time I tried to log on to OWA.
First of all I started with the .NET error and checked whether WebConfig.xml and SharedWebConfig.xml were present in their respective folders: %ExchangePath%\FrontEnd\HttpProxy for SharedWebConfig.xml and %ExchangePath%\ClientAccess\owa for WebConfig.xml.
I also checked that ECP was OK for the user: I was able to see the options for my mailbox, although OWA didn't work. Then I recycled the OWA ASP.NET application pool and recreated the OWA and ECP virtual directories, but without any result.
Back in Event Viewer I got a clue: in the middle of the ASP.NET exception one line caught my attention: no certificate configured to encrypt the communication. That's it! I moved to the next warning and tested whether OAuth had the right certificate assigned to the service:
- Identify the certificate that the authentication configuration is looking for.
Get-AuthConfig | FL CurrentCertificateThumbprint
- The thumbprint was, as expected, the same as the one in the warning, so verify that the certificate is actually available to Exchange (Get-ExchangeCertificate).
Gotcha! I didn't find that certificate, so to solve it I needed to assign a valid certificate to OAuth authentication. In my case I used the public SSL certificate from the GeoTrust CA; below are the 3 steps to do this:
Set-AuthConfig -NewCertificateThumbprint <Thumbprint> -NewCertificateEffectiveDate (Get-Date)
If you want, you could also generate a self-signed certificate; to do this, run the following command:
New-ExchangeCertificate -KeySize 2048 -SubjectName "cn=Microsoft Exchange ACS Certificate" -FriendlyName "Microsoft Exchange Server ACS Certificate" -PrivateKeyExportable $true -Services SMTP -DomainName domain.com
Then use the thumbprint of the newly created certificate in the Set-AuthConfig command above.
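As an added example (not part of the original post), here is the check and the rollover from the steps above as one script. It assumes it is run in the Exchange Management Shell on the affected server; -PublishCertificate and -ClearPreviousCertificate are the standard Set-AuthConfig switches, and $NewThumbprint is a placeholder you supply only when you really want to change the OAuth certificate.

```powershell
# Added example, not the post's own code. Run in the Exchange Management Shell.
# 1) Report whether the certificate referenced by the OAuth configuration is
#    actually installed and still valid on this server.
# 2) Only if a replacement thumbprint is supplied, roll the auth certificate over.
param(
    # Constructed placeholder: thumbprint of an installed certificate with a private key.
    [string]$NewThumbprint = ""
)

$auth    = Get-AuthConfig
$current = $auth.CurrentCertificateThumbprint
Write-Host "Configured OAuth certificate thumbprint: $current"

# Get-ExchangeCertificate errors out when the thumbprint is unknown to this
# server; that missing certificate is exactly what broke the OWA logon above.
$cert = Get-ExchangeCertificate -Thumbprint $current -ErrorAction SilentlyContinue
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $current is installed on $env:COMPUTERNAME."
} elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "OAuth certificate expired on $($cert.NotAfter); OAuth tokens cannot be signed."
} else {
    Write-Host "OAuth certificate present, valid until $($cert.NotAfter)."
}

if ($NewThumbprint) {
    # Refuse to point OAuth at a thumbprint that is itself missing.
    $new = Get-ExchangeCertificate -Thumbprint $NewThumbprint -ErrorAction Stop
    Write-Host "Switching OAuth to certificate '$($new.FriendlyName)' ($NewThumbprint)."

    # Same three steps as in the post: set the new cert, publish it to the
    # organization, then drop the reference to the old (missing) one.
    Set-AuthConfig -NewCertificateThumbprint $NewThumbprint -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate

    # OWA/ECP pick up the new certificate only after the services reload.
    Restart-Service MSExchangeServiceHost
    iisreset /noforce
}
```

The certificate must exist (with its private key) on every Exchange server in the organization, so run the check part on each server, not just the one where OWA failed; if you create a self-signed certificate with -Services SMTP, answer No when asked to overwrite the default SMTP certificate.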