OWA and ECP Don't Log In after Renewing Certificate

In Exchange Server, most services communicate over a secure channel, so you need to issue certificates for them. Self-signed certificates are not enough to secure your web servers and prove the authenticity of the company's identity, so you need to purchase a certificate from an authorized certificate authority. When this certificate expires (e.g. after a year), you need to renew it and re-apply it to all the Exchange Server services.

After renewing the certificate, you may find that you are no longer able to open Outlook Web Access (OWA), the Exchange Control Panel (ECP), or any other web interface.

In the Event Viewer, you may find the following error with event number 1003:

[Owa] An internal server error occurred. The unhandled exception was: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication) at Microsoft.Exchange.HttpProxy.FbaModule.OnBeginRequestInternal(HttpApplication httpApplication) at Microsoft.Exchange.HttpProxy.ProxyModule.<>c__DisplayClass16_0.<OnBeginRequest>b__0() at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func2 filterDelegate, Action1 catchDelegate)

Users on Outlook would still be able to access their emails. However, users accessing their mailboxes through Outlook Web Access (OWA) or through non-native applications on mobile phones and other devices will not be able to access their emails, since these rely on the external sites of the Exchange Server. This also includes Autodiscover from external devices.

How to Fix the OWA and ECP Don't Log In after Renewing Certificate Issue?

The first thing to do is to restart the Exchange services and Internet Information Services (IIS) from the Services management console.

To restart IIS, you can run the following command as Administrator:

iisreset

If this doesn’t work, you need to check if the certificate has been applied correctly to the sites. Open the Internet Information Services (IIS) Manager, expand the server, and click on Server Certificates.

Here, you will see the list of installed certificates.

Open the installed certificate and confirm that the computer name corresponds, that the certificate shows as valid, check the expiry date, and make sure you have a private key that matches the certificate.

Click on the Details tab and note the thumbprint, as this will be used to confirm the certificate in the Exchange Server configuration.

Now, you need to confirm that the certificate is applied to the right virtual directories with the right bindings. Expand the Sites section and then expand the Default Web Site.

Right-click on Default Web Site and select Edit Bindings. This will show all the ports in use and their respective certificate bindings.

Double-click the port 443 entry, or any other https entry, and check that the assigned certificate is the correct and valid one. If not, you need to assign the right certificate.

The same must be done on the Exchange Back End site. Here, most probably there will only be port 444, but it's best to check that every https binding corresponds to the right certificate.

If the certificate was changed, it's best to restart IIS. If the right certificate doesn't show in the list, there might have been an issue with the import of the certificate or it may be corrupted. In that case, remove the certificate and import it again.

Now, you need to confirm that the certificate in Exchange Server corresponds to the one in IIS. For this, open the Exchange Management Shell (EMS) and run the following command.

Get-ExchangeCertificate

Check that the thumbprint you noted in IIS corresponds to one of the certificates listed. Then, get more information on each certificate by running the command given below.

Get-ExchangeCertificate | FL

This will provide more information on the services being assigned to each certificate installed on the server.

You need to confirm that the certificate with the thumbprint from IIS has all the services assigned to it, i.e., IMAP, POP, IIS, and SMTP.

If not, you need to assign them accordingly (see the example below).

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services <services>

After this, restart the services to ensure that the certificate is applied to them. This should resolve the issue.
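The checks above (IIS binding, certificate validity and private key, Exchange certificate services) can be scripted so they are run in one pass instead of clicking through IIS Manager and EMS separately. The following is an added example and is not part of the original article or of Exchange itself; it assumes it runs in the Exchange Management Shell on the affected server with the WebAdministration module available, and that the sites use the default names "Default Web Site" and "Exchange Back End".

```powershell
# Added example (not from the original article): cross-check the certificate bound
# to each IIS https site against the machine certificate store and the Exchange
# certificate list before enabling services on it.
# Assumes: Exchange Management Shell on the affected server, WebAdministration
# module present, default IIS site names.
Import-Module WebAdministration

$sites            = @('Default Web Site', 'Exchange Back End')
$requiredServices = @('IIS', 'SMTP', 'POP', 'IMAP')   # services the article says must be assigned

foreach ($site in $sites) {
    # Every https binding carries the thumbprint (SHA-1 hash) of the certificate it serves.
    $bindings = Get-WebBinding -Name $site -Protocol https
    if (-not $bindings) {
        Write-Warning "$site has no https binding at all"
        continue
    }

    foreach ($b in $bindings) {
        $thumb = $b.certificateHash
        Write-Host "$site [$($b.bindingInformation)] -> $thumb"

        # 1. Is the bound certificate present in the machine store, valid, and does it have a private key?
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert) {
            Write-Warning "  Bound thumbprint not found in LocalMachine\My; re-import the certificate"
            continue
        }
        if (-not $cert.HasPrivateKey)     { Write-Warning "  Certificate has no private key" }
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "  Certificate expired on $($cert.NotAfter)" }

        # 2. Does Exchange list the same certificate, and are all required services enabled on it?
        $exCert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
        if (-not $exCert) {
            Write-Warning "  Exchange does not list this certificate (compare with Get-ExchangeCertificate | FL)"
            continue
        }
        # Services is a flags value that renders as e.g. "IMAP, POP, IIS, SMTP".
        $missing = $requiredServices | Where-Object { "$($exCert.Services)" -notmatch $_ }
        if ($missing) {
            Write-Warning "  Missing services: $($missing -join ', ')"
            # To fix in place, run (Exchange prompts before replacing the default SMTP certificate):
            # Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS,SMTP,POP,IMAP
        } else {
            Write-Host "  All required services enabled: $($exCert.Services)"
        }
    }
}
```

The script only reports; the Enable-ExchangeCertificate line is left commented so that the operator reviews which thumbprint is about to receive the services before changing anything. Run it again after `iisreset` and the service restart to confirm both sites bind the renewed certificate.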

To Conclude

There are several reasons that might trigger the OWA and ECP don't log in after renewing certificate issue. There could be underlying issues with the Exchange Server configuration or the schema. In such a case, you need to re-install the Exchange Server from scratch to ensure that the configuration and the import of the certificate follow Microsoft's guidelines.