Exchange Server fix logon error

In Exchange 2013 and 2016, you might get the following error after logging in once an upgrade has been applied. The URL of the error page will look like this: owa/auth/errorFE.aspx?httpCode=500


This issue occurs if the Exchange Server Open Authentication (OAuth) certificate is expired, not present, or not configured correctly.

How to solve

To check the status of your existing OAuth certificate, run the following command in the Exchange Management Shell:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

If the command returns an error (like above), or the certificate has expired, use the steps below to create and deploy a new OAuth certificate to the Exchange server.

STEP 1: Create a new OAuth certificate by running the following command:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

STEP 2: Set the new certificate for server authentication. To do this, run the following commands, replacing <ThumbprintFromStep1> with the thumbprint of the certificate created in Step 1.

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

To apply all changes you will need to restart the following services:

  • Microsoft Exchange Service Host Service
  • World Wide Web Publishing Service

After this, be patient: it can take more than 3 hours to start working again, depending on the number of domains.
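
The status check from the start of this procedure can also be scripted so it runs before the fix, after it, or on a schedule to catch an expiring certificate before logons fail. This is an added example, not part of the original post; the function name Get-OAuthCertificateState and the 30-day $WarnDays threshold are assumptions.

```powershell
# Added example: classify the state of the Exchange OAuth certificate.
# Run in the Exchange Management Shell on the Exchange server.
function Get-OAuthCertificateState {
    param(
        [int]$WarnDays = 30   # assumption: warn this many days before expiry
    )

    $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    if ([string]::IsNullOrWhiteSpace($thumbprint)) {
        return [pscustomobject]@{ State = 'NotConfigured'; Thumbprint = $null; NotAfter = $null }
    }

    # The auth config can reference a thumbprint whose certificate is no
    # longer in this server's store, so look the certificate up explicitly.
    try {
        $cert = Get-ExchangeCertificate -Thumbprint $thumbprint -ErrorAction Stop
    } catch {
        $cert = $null
    }
    if (-not $cert) {
        return [pscustomobject]@{ State = 'Missing'; Thumbprint = $thumbprint; NotAfter = $null }
    }

    $now = Get-Date
    $state = if ($cert.NotAfter -lt $now) {
        'Expired'
    } elseif ($cert.NotBefore -gt $now) {
        'NotYetValid'
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        'ExpiringSoon'
    } else {
        'Valid'
    }

    [pscustomobject]@{ State = $state; Thumbprint = $thumbprint; NotAfter = $cert.NotAfter }
}

$result = Get-OAuthCertificateState
$result | Format-List

# These three states match the causes named above: expired, not present,
# or not configured correctly.
if ($result.State -in 'NotConfigured', 'Missing', 'Expired') {
    Write-Warning "OAuth certificate is $($result.State); follow Steps 1 and 2 to replace it."
}
```

After Step 2, the reported thumbprint should match the one from Step 1 and the state should be Valid.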
