Exchange 2016 OWA & ECP HTTP Internal Error 500

A company contacted us because they had run into issues with Exchange 2016 Webmail/OWA and the Exchange Control Panel (ECP). Both threw an HTTP 500 error.

Exchange 2016 had not been updated since 2017 and was still running on Cumulative Update 4 (CU4).

HTTP 500 internal server error

On the Exchange server itself, we saw more detailed errors:

Exchange Server Open Authentication (OAuth) certificate is expired, not present, or not configured correctly.

The event log showed:
Event ID: 1003
Source: MSExchange Front End HTTPS Proxy
[Owa] An internal server error occurred. The unhandled exception was: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)

Microsoft Docs suggests the following PowerShell solution:

https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired

1)
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName “cn=Microsoft Exchange Server Auth Certificate” -FriendlyName “Microsoft Exchange Server Auth Certificate” -DomainName “Your smtp domain here”

Take note of the certificate thumbprint!

2)
Set-AuthConfig -NewCertificateThumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

3)
Restart the server, or run IISreset. Then wait for a few hours.

Despite waiting almost 6 hours, the problem persisted.

Another forum post suggested setting the Exchange server time zone to GMT (+-0)

After setting the server time zone to GMT and running all the steps above again, OWA and ECP started working again, almost immediately

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>