If you have Exchange 2016 CU6 installed, you may run into an issue where OWA and ECP can no longer be accessed.
OWA returns an HTTP 500 error when you try to open it.

If you check the Event Log you will see two Warning events in the Application log:

  1. Event ID 2004, MSExchange OAuth

    Unable to find the certificate with thumbprint <thumbprint> in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.
  2. Event ID 1309, ASP.NET 4.0.30319.0

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 21.01.2019 08:40:11
    Event time (UTC): 21.01.2019 07:40:11
    Event ID: 044a377259bd4049a10bb0f130becb34
    Event sequence: 2
    Event occurrence: 1
    Event detail code: 0

    Application information:
        Application domain: /LM/W3SVC/2/ROOT/owa-45-131925300034989041
        Trust level: Full
        Application Virtual Path: /owa
        Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\
        Machine name: MachineName

    Process information:
        Process ID: 21220
        Process name: w3wp.exe
        Account name: NT AUTHORITY\SYSTEM

    Exception information:
        Exception type: TargetInvocationException
        Exception message: Exception has been thrown by the target of an invocation.
       at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
       at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
       at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
       at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
       at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
       at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
       at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
       at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
       at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
       at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
       at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
       at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
       at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
       at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

    Encryption certificate is absent
       at Microsoft.Exchange.Security.Authentication.Utility.GetCertificates()
       at Microsoft.Exchange.Clients.Owa2.Server.Core.notifications.SignalR.SignalRStartup.Configuration(IAppBuilder app)

    Request information:
        Request URL: https://localhost:444/owa/exhealth.check
        Request path: /owa/exhealth.check
        User host address: 127.0.0.1
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\SYSTEM

    Thread information:
        Thread ID: 80
        Thread account name: NT AUTHORITY\SYSTEM
        Is impersonating: False
        Stack trace:    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
       at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
       at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
       at Owin.Loader.DefaultLoader.<>c__DisplayClass12.<MakeDelegate>b__b(IAppBuilder builder)
       at Owin.Loader.DefaultLoader.<>c__DisplayClass1.<LoadImplementation>b__0(IAppBuilder builder)
       at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
       at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
       at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
       at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
       at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
       at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
       at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
       at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
       at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

Solution

  1. Create a new OAuth certificate:
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "ACS"
  2. Set the OAuth certificate:
    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate
  3. Restart the Microsoft Exchange Service Host service on each Exchange server
  4. Restart the OWA and ECP application pools on each Exchange server:
    Restart-WebAppPool MSExchangeOWAAppPool
    Restart-WebAppPool MSExchangeECPAppPool
  5. It can take some time before OWA is accessible again. I have read that this is related to the offset between your time zone and UTC: if you change the certificate in the UTC+1 time zone you have to wait one hour, in UTC+2 two hours, and so on. In my case (UTC+1) OWA was working again after one hour.
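A diagnostic check for the two symptoms above, usable both before step 1 (to confirm that the configured OAuth certificate is really missing or has no private key) and after step 5 (to see whether a new certificate is still pending its effective date). This is an added PowerShell example, not code from the original post; it assumes the Exchange 2016 cmdlet Get-AuthConfig in the Exchange Management Shell, and the function name Test-ExchangeAuthCertificate and its result object are this example's own.

```powershell
# Added diagnostic example, not code from the original post. Run it in the Exchange
# Management Shell on an affected server to confirm the cause behind Event ID 2004 and
# the OWA HTTP 500 before replacing the certificate, and again after Set-AuthConfig.
# Assumes the Exchange 2016 cmdlet Get-AuthConfig and read access to the Application log;
# the function name and the result object are this example's own.
function Test-ExchangeAuthCertificate {
    param(
        # Look-back window for the Event ID 2004 query (constructed default)
        [int]$EventLookbackHours = 24
    )
    $authConfig = Get-AuthConfig
    $result = [ordered]@{
        CurrentThumbprint = $authConfig.CurrentCertificateThumbprint
        NextThumbprint    = $authConfig.NextCertificateThumbprint
        NextEffectiveDate = $authConfig.NextCertificateEffectiveDate
        CertificateFound  = $false
        HasPrivateKey     = $false
        Expired           = $null
        OAuthEvent2004    = 0
        Healthy           = $false
    }

    # The OAuth token signer must be in the local machine store *with* its private key;
    # Event ID 2004 is logged when either condition fails.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $authConfig.CurrentCertificateThumbprint }
    if ($cert) {
        $result.CertificateFound = $true
        $result.HasPrivateKey    = [bool]$cert.HasPrivateKey
        $result.Expired          = ($cert.NotAfter -lt (Get-Date))
    }

    # Recent "MSExchange OAuth" warnings corroborate the diagnosis.
    $since  = (Get-Date).AddHours(-$EventLookbackHours)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchange OAuth'; Id = 2004; StartTime = $since
    }
    $result.OAuthEvent2004 = @($events).Count

    # After the fix, a NextThumbprint with a future NextEffectiveDate means the new
    # certificate is not yet in use, which is the waiting period described in step 5.
    $result.Healthy = $result.CertificateFound -and $result.HasPrivateKey -and -not $result.Expired
    [pscustomobject]$result
}

Test-ExchangeAuthCertificate | Format-List
```

If Healthy is False while OWA still returns 500, compare CurrentThumbprint with the thumbprint quoted in Event ID 2004 and check the certificate on every server in the organization, since the auth certificate must be present with its private key on each of them.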