

SSL Cert problem and Error 500 after install

Question

Saturday, July 8, 2017 6:09 PM

Hello!

I've got serious problems with Exchange 2016 CU6 right after installation. I tried the installation on Server 2012 R2 inside an AD with a .local domain (two times) and on Server 2016 inside an AD with an FQDN (internal.fqdn) domain.

In both cases I get error 500 on any attempt to open /ecp/ or /owa/ right after a valid login; the only warning in the application log is IIS's warning about an absent cert, and it fires every time error 500 is raised. In both cases the cert is self-signed and the browser has the trust root cert installed. The only way to get inside /ecp/ on the 2012 R2 server is to disable SSL and set basic auth for the ecp and owa folders (but still no way inside owa); on 2016, ecp is accessible via http://localhost/ecp/ (and not accessible via http://ip_address/ecp). I tried to regenerate the certs via CLI and via ECP, with no luck.

Here is the warning from the application log:

Event code: 3005

Event message: An unhandled exception has occurred.

Event time: 08.07.2017 20:50:28

Event time (UTC): 08.07.2017 17:50:28

Event ID: 8b4bd43b25994e9da58071b8d8401bfa

Event sequence: 2

Event occurrence: 1

Event detail code: 0

Application information:

Application domain: /LM/W3SVC/2/ROOT/owa-5-131440098225190967

Trust level: Full

Application Virtual Path: /owa

Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\

Machine name: MAIL

Process information:

Process ID: 12444

Process name: w3wp.exe

Account name: NT AUTHORITY\SYSTEM

Exception information:

Exception type: TargetInvocationException

Exception message: Exception has been thrown by the target of an invocation.

at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)

at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)

at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)

at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)

at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)

at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)

at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)

at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()

at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)

at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)

at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)

at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)

at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)

at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)


Encryption certificate is absent

at Microsoft.Exchange.Security.Authentication.Utility.GetCertificates()

at Microsoft.Exchange.Clients.Owa2.Server.Core.notifications.SignalR.SignalRStartup.Configuration(IAppBuilder app)


Request information:

Request URL: https://mail.internal.<FQDN Removed For Privacy>:444/owa/languageselection.aspx?url=/ecp/default.aspx

Request path: /owa/languageselection.aspx

User host address: fe80::3c34:bd2a:285:195508.07.2017 20:50:28

User:

Is authenticated: False

Authentication Type:

Thread account name: NT AUTHORITY\SYSTEM

Thread information:

Thread ID: 27

Thread account name: NT AUTHORITY\SYSTEM

Is impersonating: False

Stack trace: at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)

at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)

at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)

at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)

at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)

at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)

at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)

at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()

at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)

at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)

at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)

at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)

at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)

at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

Custom event details:  

All replies (8)

Wednesday, July 12, 2017 6:39 AM | 2 votes

Hi,

By default, Exchange generates self-signed certificates after installation. A certificate named "Microsoft Exchange" is assigned to the IIS service. If this certificate is not selected in IIS Manager, we can't log in to OWA/ECP/EMS etc. So if you want to use this default certificate, check the following settings in IIS -> Default Web Site/Exchange Back End -> Edit Bindings...

If you want to use the newly regenerated cert, make sure that certificate is assigned to the IIS service and is selected in IIS.

Best Regards,

Lynn-Li
TechNet Community Support

Please remember to mark the replies as answers.
If you have feedback for TechNet Subscriber Support, contact [email protected].
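The binding check the reply above describes, scripted, as an added example that is not part of the thread or of Microsoft's own tooling. It assumes the default site names "Default Web Site" (port 443) and "Exchange Back End" (port 444) and is meant to be run in the Exchange Management Shell on the affected server; it only reads, and the Enable-ExchangeCertificate line at the end is the remediation, commented out.

```powershell
# Added example (not from the thread): confirm which Exchange certificate carries the
# IIS service and whether the HTTPS bindings on both IIS sites actually use it.
# Run in the Exchange Management Shell as an Exchange administrator.

# 1. Certificate(s) that Exchange has enabled for the IIS service.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })
if ($iisCerts.Count -eq 0) {
    Write-Warning "No Exchange certificate has the IIS service enabled."
}
$iisCerts | Format-List Thumbprint, Subject, FriendlyName, NotBefore, NotAfter, IsSelfSigned, Services

# 2. What IIS really binds on 443 (front end) and 444 (back end), and whether that
#    thumbprint exists in the machine store and matches an Exchange IIS cert.
Import-Module WebAdministration
$siteNames = 'Default Web Site', 'Exchange Back End'   # assumed default site names
foreach ($site in $siteNames) {
    Get-WebBinding -Name $site -Protocol https | ForEach-Object {
        $hash = $_.certificateHash                        # thumbprint used by this binding
        $inStore = $null
        if ($hash) {
            $inStore = Get-ChildItem "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Site                   = $site
            BindingInfo            = $_.bindingInformation
            BoundThumbprint        = $hash
            FoundInMachineStore    = [bool]$inStore
            MatchesExchangeIISCert = [bool]($iisCerts | Where-Object { $_.Thumbprint -eq $hash })
        }
    }
}

# 3. Remediation, if the report shows a mismatch: assign the intended certificate to IIS.
#    Uncomment and supply the thumbprint from step 1.
# Enable-ExchangeCertificate -Thumbprint '<thumbprint>' -Services IIS
```

A binding that points at a thumbprint absent from the LocalMachine\My store, or at a certificate other than the one Exchange has enabled for IIS, is the situation the reply is warning about; note, though, that the original poster reports the browser already saw a valid, trusted certificate, so a clean report here does not rule out the separate OAuth certificate problem discussed later in the thread.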


Wednesday, July 12, 2017 9:28 AM | 1 vote

The certificate is bound. When I open /ecp/ or /owa/, the browser can access the certificate and shows all certificate properties (when redirected to the login page). Even more, when the certificate is added to the browser's keystore as trusted and as a trusted root CA, the browser (tried IE11, Edge and latest Chrome) shows that the certificate passed all checks.

So https://fqdn/ecp/ redirects me to https://fqdn/owa/auth/ and shows me the login page. If I input a wrong username or password, the login page, as expected, tells me about wrong credentials, but when I input valid ones, only then do I get error 500 and the ASP.NET warning in the log.


Sunday, July 16, 2017 11:11 AM

I have the exact same issue after installing CU6. Have you resolved your problem?


Monday, July 17, 2017 6:30 AM | 1 vote

Hi, orlovsn 

Apologies for the delayed response.

About this issue, I reviewed the error event that you posted and found this error message: "Encryption certificate is absent". The error can happen if the "Exchange Server Auth certificate", which is used for OAuth signing, is missing from the Exchange server. Run this command to check if the OAuth certificate is missing:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

If the OAuth certificate is missing, we will consider recreating it. Before recreating it, please let me know how many Exchange 2016 servers are in your environment. If you have multiple Exchange servers, check if the certificate is present on the other Exchange servers; you can specify the -Server parameter after Get-ExchangeCertificate to check.

Best Regards,

Lynn-Li
TechNet Community Support

Please remember to mark the replies as answers.
If you have feedback for TechNet Subscriber Support, contact [email protected].
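The per-server OAuth certificate check the reply above asks for, as an added example that is not part of the thread or of Microsoft's documentation. It assumes it is saved as a .ps1 and run from the Exchange Management Shell on one server. Besides presence, it reports whether the certificate's NotBefore is still in the future in UTC; that check is this editor's assumption about the "worked only after a day" behaviour reported later in the thread, which the thread itself does not explain. The recreation sequence at the end uses the documented New-ExchangeCertificate / Set-AuthConfig cmdlets, runs only with -Recreate, and the -DomainName value is a placeholder.

```powershell
# Added example (not from the thread): check the Exchange Server Auth (OAuth signing)
# certificate on every Exchange server and, only on request, recreate it.
param(
    [switch]$Recreate   # read-only unless explicitly asked to recreate
)

$authConfig = Get-AuthConfig
$thumb = $authConfig.CurrentCertificateThumbprint
if ([string]::IsNullOrEmpty($thumb)) {
    Write-Warning "AuthConfig has no CurrentCertificateThumbprint."
}

$nowUtc = (Get-Date).ToUniversalTime()
$results = foreach ($server in Get-ExchangeServer) {
    $cert = $null
    if ($thumb) {
        # A missing certificate is a finding, not a script failure, so suppress the error.
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumb -ErrorAction SilentlyContinue
    }
    $present = [bool]$cert
    $hasKey = $null; $notBeforeUtc = $null; $notYetValid = $null; $expired = $null
    if ($present) {
        $hasKey       = $cert.HasPrivateKey                 # signing needs the private key
        $notBeforeUtc = $cert.NotBefore.ToUniversalTime()
        # Assumption being tested: a NotBefore still in the future (clock skew, or a
        # local-time NotBefore on a UTC+N server) makes the cert unusable until it passes.
        $notYetValid  = $notBeforeUtc -gt $nowUtc
        $expired      = $cert.NotAfter.ToUniversalTime() -lt $nowUtc
    }
    [pscustomobject]@{
        Server        = $server.Name
        Thumbprint    = $thumb
        Present       = $present
        HasPrivateKey = $hasKey
        NotBeforeUtc  = $notBeforeUtc
        NotYetValid   = $notYetValid
        Expired       = $expired
    }
}
$results | Format-Table -AutoSize

$problem = $results | Where-Object { -not $_.Present -or -not $_.HasPrivateKey -or $_.Expired }
if ($problem -and $Recreate) {
    # Documented recreation sequence; -DomainName is a placeholder to replace.
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate' `
        -DomainName 'mail.example.internal'
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate
    # OWA/ECP read the auth certificate at application start, so restart IIS on each server.
    iisreset
}
elseif ($problem) {
    Write-Warning "Auth certificate problem found on at least one server; rerun with -Recreate to fix."
}
```

A thumbprint that resolves on every server with a private key, as the original poster reports, combined with a NotYetValid of True would point at the timing explanation; a NotYetValid of False everywhere means the wait-and-it-works outcome in this thread has some other cause that the thread does not identify.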


Monday, July 17, 2017 6:56 AM | 1 vote

I confirm. The reason was the OAuth certificate.

This KB worked for me:

https://social.technet.microsoft.com/wiki/contents/articles/34914.exchange-troubleshooting-federation-or-auth-certificate-not-found.aspx

OWA is now working. But it is strange that it did not work right away, but only the next day.


Monday, July 17, 2017 12:47 PM

Ok, thanks everybody!

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint was always showing a valid thumbprint; I had tried https://social.technet.microsoft.com/wiki/contents/articles/34914.exchange-troubleshooting-federation-or-auth-certificate-not-found.aspx before posting this question.

I left the servers alone with the 500 error on 8 July; nobody touched them, actually they were turned off. Today I turned them on and ... CU6 is working now without any kind of 500 errors, both ECP and OWA, so I can log in to the management panel and the Outlook web client app.

So I can confirm "But it is strange that it did not work right away, but only the next day." There is something wrong with cert activation after a fresh install (the installation was on a server with GMT+3 time zone).


Thursday, July 27, 2017 2:07 AM

So the issue has been solved by rebooting the Exchange server?

Best Regards,

Lynn-Li
TechNet Community Support

Please remember to mark the replies as answers.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Thursday, July 27, 2017 10:26 AM

The server was rebooted 10+ times during troubleshooting without any result, so it's not the reboot that fixed the problem. The issue seems to be solved by a pause: in my case it was one week, in Igor's case one day was enough.