OWA/ECP Breaks if “Microsoft Exchange Server Auth Certificate” is Expired


If the "Microsoft Exchange Server Auth Certificate" certificate isn't present on Exchange servers in the organization, follow these steps to create and deploy a new OAuth certificate to the Exchange server:

  1. Create a new OAuth certificate by running the following command:

    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "contoso.com"

    Note Change the value of the DomainName parameter in the example (contoso.com) to the SMTP domain that's used in your organization.

  2. Set the created certificate to be used for server authentication by running the following commands:

    Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig –PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate

  3. Restart the Microsoft Exchange Service Host Service.

  4. Either run the IISReset command to restart IIS or run the following commands (in elevated mode) to recycle OWA and ECP Application pools:

    Restart-WebAppPool MSExchangeOWAAppPool
    Restart-WebAppPool MSExchangeECPAppPool

    Note In some environments, it may take an hour for the OAuth certificate to be published.


Comments (0)

Skip to main content