7th December 2021

Microsoft Exchange Server 2010/2013/2016/2019 Versions – Unable to Connect to Owa/Ecp “Protectioncertificates.Length<1" Error and Solution

After installing security updates such as “KB5004778” installed on a server running Microsoft Exchange Server, Outlook Web Access (OWA) and Exchange Control Panel (ECP) applications stop working on the server. This error occurs when the security update “User Access Control (UAC)” is enabled but manually installed on a server without elevated permissions. Microsoft has published an article summarizing exactly this. OWA/ECP stops working when your OAuth certificate expires. To solve this problem, do the following.

KB5004778 error
KB5004778 error


We run the Exchange Management Shell tool with “run-as-administrator” authority. For this, we run the following command.

Note: Replace systemconf.com with your SMTP domain.

We note the “thumbprint” information in the output of the command below. We will need this for the next command. Now we run other commands.

If there is a Load Balance in your environment for the problem of accessing OWA/ECP; when trying to login we get back to the main OWA page. If you have more than one Exchange server, you need to run the following commands on each one. However, you will have to wait for the new Exchange Auth Certificate to be copied to these servers first.

LEARN MORE  What is the Windows 10 Sandbox Feature and How is it Used?

It may take a few hours for this to reproduce, but then everything starts working again. If you want to verify that each server is aware of the new Auth configuration, you can run Get-AuthConfig. With “thumbprint” you can verify that the validity date matches your new certificate and the time you executed the first “Set-AuthConfig” command. If you have a Hybrid Exchange environment, you will need to update these changes in Azure Active Directory.

Once this is done, we turn on the IIS service. We’re browsing the “Exchange Back End” site. We choose “Binding”. We change the certificate binding on your Exchange Server by editing the HTTPS binding to use the new certificate. It will have the same name as the old certificate. Therefore, be sure to click the “View” button to see the properties of your certificate. Pay attention to the expiry of the new certificate.

Exchange Back End
Exchange Back End


Leave a Reply

Your email address will not be published. Required fields are marked *