Recently I could not access OWA and ECP after a new certificate was installed. Everything was fine with Basic and Windows authentication, but forms-based authentication (FBA) was not working. The FBA logon prompt appeared as usual, but after logging in an IIS error (ECP) or a redirect loop (OWA) was shown.

The errors

In the browser when accessing ECP:

Server Error in ‘/ecp’ Application.

Runtime Error

Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a “web.config” configuration file located in the root directory of the current web application. This <customErrors> tag should then have its “mode” attribute set to “Off”.

<!-- Web.Config Configuration File -->
<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the “defaultRedirect” attribute of the application’s <customErrors> configuration tag to point to a custom error page URL.

<!-- Web.Config Configuration File -->
<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
    </system.web>
</configuration>

The description for Event ID 1003 from source MSExchange Front End HTTP Proxy cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Owa

System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)
   at Microsoft.Exchange.HttpProxy.FbaModule.OnBeginRequestInternal(HttpApplication httpApplication)
   at Microsoft.Exchange.HttpProxy.ProxyModule.<>c__DisplayClass16_0.<OnBeginRequest>b__0()
   at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate)

The handle is invalid.

In the browser when accessing OWA:

Can’t reach this page.
Make sure web address https://mailserver is correct

More information
There were too many redirections
Error Code: INET_E_REDIRECT_FAILED

In the Event Log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="MSExchange Front End HTTP Proxy" />
  <EventID Qualifiers="49152">1003</EventID>
  <Level>2</Level>
  <Task>1</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2018-11-01T12:16:38.928047700Z" />
  <EventRecordID>368718</EventRecordID>
  <Channel>Application</Channel>
  <Computer>exchange.domain.ch</Computer>
  <Security />
</System>
<EventData>
  <Data>Owa</Data>
  <Data>System.NullReferenceException: Object reference not set to an instance of an object. at 
Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication) at 
Microsoft.Exchange.HttpProxy.FbaModule.OnBeginRequestInternal(HttpApplication httpApplication) at 
Microsoft.Exchange.HttpProxy.ProxyModule.<>c__DisplayClass16_0.<OnBeginRequest>b__0() at 
Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate)
</Data>
</EventData>
</Event>

Cause

The certificate was installed with PowerShell, and the provider was automatically set to “Microsoft Software Key Storage Provider”. That is a Key Storage Provider (KSP), which keeps the private key through Cryptography Next Generation (CNG). Exchange does not support certificates whose private key is held by a CNG KSP; the private key must be stored by a legacy Cryptographic Service Provider (CSP).

Resolution

The new certificate must be imported into a CSP:

certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx "CertificateFilename"

This way you get a certificate whose private key is held by a CSP, which can be used with Exchange Server.
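To spot a CNG-backed certificate before it is bound to Exchange, and to carry out the re-import above end to end, here is an added PowerShell example (my own, not code from the original post). It assumes Windows PowerShell 5.1 (.NET 4.6 or later) on the Exchange server, that the CNG-backed private key was imported as exportable, and uses placeholder values for the thumbprint, PFX path and password. The function name Get-CertKeyProvider is mine; the certutil command is the one from the resolution above.

```powershell
# Added example, not from the original post.
# Lists every certificate with a private key in the machine store and reports
# whether the key lives in a legacy CSP (usable by Exchange) or a CNG KSP (not usable).
function Get-CertKeyProvider {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }
        try {
            # Returns RSACryptoServiceProvider for CSP keys and RSACng for CNG keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            $rsa = $null
        }

        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $kind     = 'CSP'
            $provider = $rsa.CspKeyContainerInfo.ProviderName
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $kind     = 'CNG (KSP)'
            $provider = $rsa.Key.Provider.Provider
        } else {
            $kind     = 'unknown (non-RSA or inaccessible key)'
            $provider = ''
        }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            KeyType    = $kind
            Provider   = $provider
            ExchangeOK = ($kind -eq 'CSP')
        }
    }
}

# Step 0: audit the store. A row with KeyType 'CNG (KSP)' and ExchangeOK False
# is the situation described in this post.
Get-CertKeyProvider | Format-Table -AutoSize

# Placeholders (assumed values, replace with your own):
$Thumbprint  = 'THUMBPRINT_OF_THE_CNG_BACKED_CERT'
$PfxPath     = 'C:\temp\mailserver.pfx'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 1: export the CNG-backed certificate together with its private key.
# If you still have the original PFX file, skip steps 1 and 2 and import that file instead.
$certItem = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
$certItem | Export-PfxCertificate -FilePath $PfxPath -Password $PfxPassword | Out-Null
if (-not (Test-Path -Path $PfxPath)) { throw 'Export failed; not removing the existing certificate.' }

# Step 2: remove the CNG-backed copy (and its orphaned key container) so the
# re-import does not silently keep the old KSP key.
$certItem | Remove-Item -DeleteKey

# Step 3: re-import the PFX, forcing the private key into a legacy CSP.
# certutil needs the password in clear text; GetNetworkCredential() unwraps the SecureString.
$plainPassword = ([pscredential]::new('pfx', $PfxPassword)).GetNetworkCredential().Password
certutil -p $plainPassword -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx $PfxPath
Remove-Variable plainPassword

# Step 4: confirm the re-imported certificate now reports KeyType 'CSP'.
Get-CertKeyProvider | Where-Object { $_.Thumbprint -eq $Thumbprint } | Format-List
```

After step 4 the certificate still has to be assigned to the IIS service in Exchange (Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS), a step the post does not show. The export in step 1 only works when the key was imported as exportable; otherwise re-import the original PFX file directly with the certutil line from step 3.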