2nd December 2022

Microsoft Exchange Server 2010/2013/2016/2019 Versions – Unable to Connect to Owa/Ecp “Protectioncertificates.Length<1" Error and Solution

After installing security updates such as “KB5004778” installed on a server running Microsoft Exchange Server, Outlook Web Access (OWA) and Exchange Control Panel (ECP) applications stop working on the server. This error occurs when the security update “User Access Control (UAC)” is enabled but manually installed on a server without elevated permissions. Microsoft has published an article summarizing exactly this. OWA/ECP stops working when your OAuth certificate expires. To solve this problem, do the following.

KB5004778 error
KB5004778 error

 

We run the Exchange Management Shell tool with “run-as-administrator” authority. For this, we run the following command.

Note: Replace systemconf.com with your SMTP domain.

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "systemconf.com"

We note the “thumbprint” information in the output of the command below. We will need this for the next command. Now we run other commands.

Set-AuthConfig -NewCertificateThumbprint "Thumbprint" -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
Restart-Service MSExchangeServiceHost
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

If there is a Load Balance in your environment for the problem of accessing OWA/ECP; when trying to login we get back to the main OWA page. If you have more than one Exchange server, you need to run the following commands on each one. However, you will have to wait for the new Exchange Auth Certificate to be copied to these servers first.

Restart-Service MSExchangeServiceHost
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

It may take a few hours for this to reproduce, but then everything starts working again. If you want to verify that each server is aware of the new Auth configuration, you can run Get-AuthConfig. With “thumbprint” you can verify that the validity date matches your new certificate and the time you executed the first “Set-AuthConfig” command. If you have a Hybrid Exchange environment, you will need to update these changes in Azure Active Directory.

Get-ExchangeCertificate -thumbprint "Thumbprint" | New-ExchangeCertificate

Once this is done, we turn on the IIS service. We’re browsing the “Exchange Back End” site. We choose “Binding”. We change the certificate binding on your Exchange Server by editing the HTTPS binding to use the new certificate. It will have the same name as the old certificate. Therefore, be sure to click the “View” button to see the properties of your certificate. Pay attention to the expiry of the new certificate.

LEARN MORE  What is Mimikatz? Using Mimikatz in the Post-Abuse Process
Exchange Back End
Exchange Back End

 

Leave a Reply

Your email address will not be published. Required fields are marked *