In Exchange 2013 and 2016 after an upgrade you might get the following error after logging in. The URL with the error will look like this: owa/auth/errorFE.aspx?httpCode=500
This issue occurs if the Exchange Server Open Authentication (OAuth) certificate is expired, not present, or not configured correctly.
How to solve
To check the status of your existing OAuth certificate, run the following command in the Exchange Management Shell:
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List
If the command returns an error (like above), or the certificate has expired, use the steps below to create and deploy a new OAuth certificate to the Exchange server.
STEP 1: Create a new OAuth certificate by running the following command:
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
STEP 2: Set the new certificate for server authentication. To do this, run the following commands, please make sure to add the thumbprint from above to the commands below.
Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
To apply all changes you will need to restart the following services:
- Microsoft Exchange Service Host Service
- World Wide Web Publishing Service
After this be patient, it takes up more than 3 hours to start working again. Depending on the number of domains.