Exchange 2016 OWA will not open in Firefox or Chrome.

    Question

  • Just upgraded from Exchange 2010 to Exchange 2016. Now OWA in Exchange 2016 will not open in Firefox or Chrome; it will open in IE and Microsoft Edge.

    Here is the error I get in Firefox:


    Your connection is not secure

    The website tried to negotiate an inadequate level of security.

    my.domain.com uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.

    Error code: NS_ERROR_NET_INADEQUATE_SECURITY


    I have googled this for 2 days now and have double-checked all SSL certs, permission settings, etc., and I don't know how to fix this. If anyone has any ideas I would love to hear them. Thanks, John


    John Zapf

    Sunday, October 16, 2016 7:51 PM

Answers

All replies

  • Hi

    As per my understanding, you are using weak ciphers with your web server SSL, which Firefox is not accepting.

    Regards.

    H.Shakir

    Sunday, October 16, 2016 8:48 PM
  • OK, so it's definitely something to do with HTTP/2.

    when disabled:
    network.http.spdy.enabled.http2 preference to switch it from true to false in Firefox, the site works fine.

    But I am not going to do this in everyone's browser, so I need to figure out how to fix this in IIS 10/Exchange 2016.


    John Zapf




    Sunday, October 16, 2016 9:40 PM
  • Well, all fixed. I downloaded and ran the IIS Crypto 2 tool and clicked the Best Practices button. It re-checked and unchecked boxes in each column, I hit Apply, rebooted and all is fixed.

    https://www.nartac.com/Products/IISCrypto

    Thank you so much for all your help,

    John


    John Zapf

    Sunday, October 16, 2016 10:37 PM
  • Great :)

    Monday, October 17, 2016 6:59 AM
  • Ufff same here...

    Shame I didn't read your post here, I figured it out by myself the hard way :)

    MS should really fix this with next CU.

    Friday, October 21, 2016 9:28 AM
  • CU4 same problem.

    You got to be kidding me :S

    Wednesday, December 14, 2016 9:18 AM
  • Today I updated to CU4. The problem came back, and solving it with the help of IIS Crypto does not work...

    However, disabling SPDY solved the problem:

    http://www.tecfused.com/2016/10/err_spdy_inadequate_transport_security-server-2016/

    Are there other solutions?

    Monday, January 23, 2017 3:23 PM
  • I have the same problem with CU4, Chrome and Firefox did not work....

    Please help!!!

    Saturday, January 28, 2017 4:43 PM
  • A brute-force way to quickly fix this is to disable SPDY. To do this, open up the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Http\Parameters

    Add the following two DWORD keys:

    EnableHttp2Cleartext 0
    EnableHttp2Tls 0

    This option just helped me!
    Monday, January 30, 2017 6:20 AM
  • Tears to my eyes!!! I can't believe how well and fast this worked. I knew it had to do with TLS & HTTP2, but I was working it from a web browser angle. This tool fixed it at the IIS level for everybody...

    You deserve more than five points for that one :)

    Saturday, February 18, 2017 3:06 PM
  • https://www.nartac.com/Products/IISCrypto

    worked for me, without the registry editing.

    HOWEVER when the server rebooted, the network had gained an exclamation mark "no internet access". Ran the Diagnostics, which reset the TCP/IP stack, rebooted, had gone back to DHCP. Set back to static IP and all OK now.

    Tuesday, March 28, 2017 1:45 PM
  • Hello all,

    I see this problem in CU5... but I don't understand what the status of this issue is: is it a bug (and if so what MS recommends to solve it) or is it by design?

    Regards,

    Michael

    Wednesday, May 10, 2017 10:31 AM
  • P.S. ...and first of all I'd like to know who is the culprit for this issue - MS IIS or the third party browsers...

    As far as I see this problem exists starting from CU2 and since then MS hasn't even explained what's the cause of the issue and when (if) it will be fixed.

    This answer

    "Well, all fixed. I downloaded and ran the IIS Crypto 2 tool and clicked the Best Practices button. It re-checked and unchecked boxes in each column, I hit Apply, rebooted and all is fixed."

    ...is marked as the answer by MS contingent staff - it means MS thinks it's normal to fix MS's bugs with third-party tools??? - utter nonsense...

    • Edited by MF47 Friday, May 12, 2017 7:58 AM
    Friday, May 12, 2017 7:47 AM
  • This fixed it for me with CU5 installed.
    Tuesday, May 23, 2017 12:16 AM
  • Well default install still same problem.

    Next week new CU to try :D

    Friday, June 23, 2017 8:37 AM
  • Same with CU6...
    Tuesday, July 04, 2017 1:22 PM
  • Same here with five customers.

    @Microsoft, when is an official workaround coming?

    Thursday, July 13, 2017 9:14 AM
  • Microsoft ???
    Sunday, August 13, 2017 9:05 PM
  • Is your cert SHA-2? Because from memory they phased out SHA-1 support, hence the error. As for Firefox, it doesn't read Windows certificates. You need to have the following:

    trustwincerts.js

    /* Allows Firefox reading Windows certificates */   
    pref("security.enterprise_roots.enabled", true);

    • Edited by iluciv Monday, August 14, 2017 2:47 AM
    Monday, August 14, 2017 2:45 AM
  • "when disabled:
    network.http.spdy.enabled.http2 preference to switch it from true to false in Firefox, the site works fine."

    https://www.ghacks.net/2014/02/08/enable-http-2-0-firefox/

    I'm trying to open Azure AD Connect reports and the error code NS_ERROR_NET_INADEQUATE_SECURITY shows every time.

    After your solution I'm able to open the reports!

    Tks


    Christian Centeno - MCP / MCDST

    Tuesday, August 22, 2017 2:58 PM
  • It's the third party browsers. Their "Shellshock" and "Heartbleed" SSL encryption bug "repair" was just to blacklist the encryption levels they couldn't handle. Those vulnerabilities never affected Microsoft, so there's nothing to fix on the Microsoft side!

    The "fix" is to either remove the capability or reorganize the crypto on your Windows servers to not offer those higher levels to those browsers.

    The problem is so many of those browsers are also used in phones, so good luck trying to get ActiveSync working if your server is public facing! You could put a KEMP load balancer or something of the sort in front to mitigate the issue, but there you go!

    By the way, this also applies to SharePoint, or any other server you try to use a Nix based browser on.

    I know, it's called putting your head in the sand, and calling it "fixed"! GRRRRR


    CCIE, CISSP, MCSE: Communication (Lync 2013), MCITP: Lync 2010, Enterprise Admin & Messaging

    • Proposed as answer by Luke Edson Wednesday, August 30, 2017 8:10 PM
    Wednesday, August 30, 2017 8:10 PM
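
Added example, not part of any post in this thread: a read-only PowerShell audit of the two server-side settings the replies change, the HTTP.sys HTTP/2 registry values and the Schannel cipher suite order that IIS Crypto rewrites. It assumes Windows Server 2016 or later; the function names are hypothetical, and the suite check is a name-based heuristic for the RFC 7540 Appendix A blacklist, whose suites an HTTP/2 client may reject with INADEQUATE_SECURITY.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
# Assumes Windows Server 2016 or later, where Get-TlsCipherSuite is available.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-Http2State {
    # HTTP.sys switches named in the thread; 0 disables HTTP/2.
    # Assumption: when a value is absent, HTTP/2 stays at its default (on).
    $p = Get-ItemProperty -Path $httpParams -ErrorAction SilentlyContinue
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        $value = if ($p) { $p.$name } else { $null }
        [pscustomobject]@{
            Setting = $name
            Value   = if ($null -eq $value) { '(not set)' } else { $value }
            Http2   = if ($value -eq 0) { 'disabled' } else { 'enabled' }
        }
    }
}

function Test-Http2Suite([string]$Name) {
    # Heuristic for RFC 7540 Appendix A: acceptable means a TLS 1.3 suite, or
    # an ephemeral key exchange (ECDHE/DHE) combined with an AEAD cipher.
    if ($Name -match '^TLS_(AES|CHACHA20)_') { return $true }
    return ($Name -match '^TLS_(ECDHE|DHE)_') -and
           ($Name -match '_(GCM|CCM)|CHACHA20_POLY1305')
}

function Get-CipherSuiteAudit {
    # Rank follows the server's preference order as Get-TlsCipherSuite reports it.
    param([string[]]$Names = (Get-TlsCipherSuite).Name)
    $rank = 0
    foreach ($n in $Names) {
        $rank++
        [pscustomobject]@{ Rank = $rank; Name = $n; Http2Ok = (Test-Http2Suite $n) }
    }
}

Get-Http2State | Format-Table -AutoSize
$audit = Get-CipherSuiteAudit
$audit | Format-Table -AutoSize

# A blacklisted suite ranked above every acceptable one can be the suite the
# server picks for an h2 connection, which the browser then refuses.
$firstOk = $audit | Where-Object Http2Ok | Select-Object -First 1
$above = @($audit | Where-Object { -not $_.Http2Ok -and $firstOk -and $_.Rank -lt $firstOk.Rank })
if (-not $firstOk) {
    Write-Warning 'No HTTP/2-acceptable cipher suite is enabled.'
} elseif ($above.Count) {
    Write-Warning "$($above.Count) blacklisted suite(s) rank above $($firstOk.Name)."
}
```

Running it before and after a change shows whether the fix came from reordering the suites or only from HTTP/2 being switched off.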