none
Update EX2016 to CU8 / X-OWA-Error Microsoft.Exchange.Diagnostics.ExAssertException RRS feed

  • Question

  • Hello,

    we updated our Ex2016 to Cu8. Services seem to run fine. A few guys informed us About a Problem

    for Access to OWA. ECP is working fine, Login and wokring.

    Outlook Clients are syncing remotely without any Problems. After accessing OWA interface with your

    credetials you receive following message:

    X-ClientId: C204BB8A75274F80994B95CE0663FA50
    request-id c978436f-4c4f-452a-b5f5-4ac7f58ed560
    X-OWA-Error Microsoft.Exchange.Diagnostics.ExAssertException
    X-OWA-Version 15.1.1415.2

    Any ideas what can be done to solve this Problem? Cleared Event Log Looks fine.

    Here is the HTML Line Code:

    https://our.ip.go/owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.1.1415.2&be=DWEX16&ts=131588984982203626&ClientRequestId=636500216959576393&fe=DWEX16&reqid=a51c237e-454a-48a0-b984-6fe73ae33761&creqid=&cid=&rt=Form15&et=DefaultPage&tg=&MDB=fc2b2479-4b6b-4053-bf74-86a7d540d1ec&mbx=58fb682f-eab0-49b3-9149-217909f6b3ba&prem=0&pal=0&dag=DagNotFound&forest=dom.local&te=0&refurl=https%3a%2f%2fdwex16.dom.local%3a444%2fowa%2f%3fbO%3d1#authRedirect=true

    Would be great if someone has some ideas. Re-Install of CU8 din't solve the Problem. Testing Test-ExchangeServerHealth.ps1 was successfull.

    Edit: I checked UpdateCas.ps1 and UpdateConfigFiles.ps1 but Problem still exists after typing in the owa credentials. Another Thing I tried was:

    1. Go to the RUN window and type "ADSIEDIT.msc" 
    2. After opening ADSIEDIT, go to the Action navigation. Connect to and then navigate to  a."Select a Well known Naming Context" 
    
    3.Select Configuration and select OK. 
    4. Go to CN=Configuration then CN=Services then CN=Microsoft Exchange then CN=Your DOMAIN Name and navigate to CN-Client Access  
    5. Right-click 【CN=Client Access】and click Properties. Scroll down to look for values: a.msExchCanaryData0 
    b.msExchCanaryData1 
    c.msExchCanaryData2 
    d.msExchCanaryData3 
    
    6. Take a backup to be safe and clear all these values to <not set>. If Values are already set to <not set> then try to do Solution 1. 
    7.Open IIS Manager on your CAS server, go to "Application Pools", right-click MSExchangeOWAAppPool and click Recycle. 
    

    But solution is not working for me.

    Thursday, December 28, 2017 1:51 AM

Answers

  • Same problem after update from 2016 cu7 to cu8 on 2012 R2.

    ECP is working, Owa is not.

    Problem solved, the exchange auto certificate was deleted in cu8 update.

    Find the solution here: https://www.reddit.com/r/exchangeserver/comments/7l3hhm/exchange_2016_cu_8_owa_now_failing/

    and here: https://social.technet.microsoft.com/Forums/lync/en-US/6d67e5ef-555e-41a5-8de9-2a56cf95363a/missing-the-microsoft-exchange-server-auth-certificate?forum=exchangesvradmin
    • Edited by jmcm66 Thursday, December 28, 2017 7:16 PM found the solution
    • Marked as answer by Christian Wortmann Friday, December 29, 2017 12:20 PM
    Thursday, December 28, 2017 4:57 PM

All replies

  • I just installed a new Exchange 2016 server a few days ago from the CU8 media and migrated an Exchange 2013 server across to it. Everything seemed to be fine, including OWA (after initial install)

    After I finished setting it up and installing the proper external certificates, I decommissioned the old 2013 server. At some point it looks like OWA stopped working with this same error. For me ECP and activesync etc all seem to be working fine as well, it is only OWA that looks broken. I've only just noticed this today.

    I tried clearing the canarydata as well changing the 127.0.0.1 https binding, but it didn't help.


    Thursday, December 28, 2017 3:03 PM
  • Unfortunately that article did not help.

    Scenario1 : homeMDB is correct

    Scenario2: I've reset the apppool, rebooted the servers, cleared all browser cache/cookies, no luck

    Scenario3: Inheritance was already enabled, but I disabled and renenabled to just to be sure.

    I can log in to the ECP as the user with no issues, but OWA still fails.

    My environment is a single Exchange 2016 Server running on Windows Server 2016. Only had the Exchange 2013 server prior to this.


    Thursday, December 28, 2017 3:27 PM
  • Facing the same exact issues. after new exchange 2016 cu8 install on 2012 r2

    Satheshwaran Manoharan | Exchange 2003/2007/2010/2013 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you ------------- I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Thursday, December 28, 2017 3:30 PM
  • May be reset OWA Virtual Directory can help you.

    How to Recreate Virtual Directories OWA and ECP on Exchange 2016


    MCITP, MCSE. Regards, Oleg

    Thursday, December 28, 2017 4:52 PM
  • Same problem after update from 2016 cu7 to cu8 on 2012 R2.

    ECP is working, Owa is not.

    Problem solved, the exchange auto certificate was deleted in cu8 update.

    Find the solution here: https://www.reddit.com/r/exchangeserver/comments/7l3hhm/exchange_2016_cu_8_owa_now_failing/

    and here: https://social.technet.microsoft.com/Forums/lync/en-US/6d67e5ef-555e-41a5-8de9-2a56cf95363a/missing-the-microsoft-exchange-server-auth-certificate?forum=exchangesvradmin
    • Edited by jmcm66 Thursday, December 28, 2017 7:16 PM found the solution
    • Marked as answer by Christian Wortmann Friday, December 29, 2017 12:20 PM
    Thursday, December 28, 2017 4:57 PM
  • Thanks for your Feedback jmcm66, I just tried to create a new one and removed the old one.

    Restart iis with same procedure as described in the article, ECP is working, OWA fails after entering the credentials.

    UPDATE: After checking the eventlog once again I did the following commands again:

    UpdateCas.ps1
    and
    UpdateConfigFiles.ps1

    Then restarted the iis once again. Afterwards I refreshed the browser, cleared all cache and openend

    OWA again, now it's working fine again.

    Thursday, December 28, 2017 10:09 PM
  • Hi Christian,

    Gald to know it worked again, and thanks for feedback.

    If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well.

     

    Thanks for your understanding.


    Best Regards,

    Niko Cheng


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, December 29, 2017 9:01 AM
    Moderator
  • Originally I was following advice from here:
    https://www.reddit.com/r/exchangeserver/comments/7l3hhm/exchange_2016_cu_8_owa_now_failing/

    These are the things I did to try and fix the problem.

    1. I completely uninstalled Exchange 2016 CU8 & Reinstalled. Same problem.
    2. Installed Exchange 2016 CU7. At first I just got a blank page after signing in then found this article: https://support.microsoft.com/en-us/help/2971270/blank-page-after-login-exchange-eac-owa-ecp. HOWEVER. I DID NOT SELECT THE "Microsoft Exchange Certificate" This time. I selected the "Microsoft Exchange Server Auth Certificate"
    3. I then moved a mailbox from Exchange 2010 server we have to the newley Installed Exchange 2016 CU7. I had done this before and kept getting the dreadful "X-OWA-Error Microsoft.Exchange.Diagnostics.ExAssertException" when the mailbox was moved. This time I was redirected to the Exchange 2010 OWA but the mailbox was open and loading. I then followed this: https://support.microsoft.com/en-us/help/2931385/exchange-server-2013-or-exchange-server-2016-redirects-to-exchange-201
    . You need to follow the articles every step and precisely. Check ADSI, Apply inheratence from ADSI. (which I think I was doing from Active Directory users and computers previously, that is wrong as it takes longer to apply via ADSI edit and you get a warning that it is going to replace some permissions)
    PROBLEM WAS FIXED FOR ME.

    However I am on CU7 & not CU8 now.

    But I have my suspicions that it was just the certificate on bindings in IIS for "Exchange Back End" that did the trick. Specifically the "Microsoft Exchange Server Auth Certificate" instead of the "Microsoft Exchange Certificate". This is documented here: https://technet.microsoft.com/en-us/library/dd351044(v=exchg.160).aspx.


    Microsoft Exchange Server Auth Certificate

    This Exchange self-signed certificate is used for server-to-server authentication and integration by using OAuth. For more information, see Integration with SharePoint and Lync.

    But no one on the forums talks specifically about that certificate and this article here: https://support.microsoft.com/en-us/help/2971270/blank-page-after-login-exchange-eac-owa-ecp. Incorrectly tells you to use the "Microsoft Exchange Certificate" according to above.

    I will also add that when I previously installed Exchange 2016 CU8 and moved the mailbox, I connected to the mailbox via Outlook because I was getting the 'X-OWA-Error" and tried sending an email. The email was never sent and when I uninstalled Exchange 2016 CU8 i got warning about messages being stuck in the queue and would be deleted without sending. When I finally got Exchange 2016 CU7 up and running and connected to OWA, i sent an email and the email was sent without problems. Also related to the certificate as far as I am aware.

    I have my suspicions that Exchange 2016 CU8 was released too close to christmas, most of the dev team are probably on holidays and the real world testing and problems are surfacing like this but no one is around to address them, that is why there is a lack of info on the internet.

    Good Luck, hope my hours of work saves someone.

    I also believe that UpdateCas.ps1 and UpdateConfigFies.ps1 will only work if the bindings are correct in IIS, as I tried this as a fix when CU8 was running without luck.

    Friday, December 29, 2017 8:34 PM
  • Should the FQDN that is used be the internal hostname (servername.localdomain.com) or the external facing name (webmail.internetname.com)... or should do I specify multiple as a SAN?

    I'm a bit confused now. I still had the server auth cert (mine wasn't deleted) and now I have two. Should I manually delete them both from the cert store and ecp, then start over? Should "ClearPreviousCertificate" have removed the old one?

    Saturday, December 30, 2017 12:19 AM
  • check below. just the domain name. careexchange.in .

    i have spent enough time on this . i have documented what i have done.

    http://www.careexchange.in/outlook-web-app-x-owa-error-exassertexception/


    Satheshwaran Manoharan | Exchange 2003/2007/2010/2013 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you ------------- I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights.


    Sunday, December 31, 2017 9:12 AM
  • Finally got some time to look at this agian and the update...ps1 scripts look like they did the trick for me as well.
    Thursday, January 4, 2018 2:52 PM

  • Thanks, 

    This works for upgraded to CU8 / New installed CU8 and getting 

    X-OWA-Error Microsoft.Exchange.Diagnostics.ExAssertException for Web logins
    Thursday, February 8, 2018 8:34 AM
  • Hi Christian Wortmann,

    Thanks, I tried your solution, followed steps carefully and waited for 12 hours. Now, my issue resolved and I'm able to login to Exchange 2016 OWA.

    Friday, February 16, 2018 5:43 AM
  • I got it working to using the steps to recreate a auth certificate, the updatecas script and the updateconfigfiles script. But only after rebooting and waiting about an hour... 
    Monday, February 26, 2018 1:59 PM
  • Same problem for me  after update from 2013 cu22 to cu13 on Windows server 2016.

    ECP is working, Owa is not.

    i solved issue by going to iis then Exchange backend then owa then authentication and  enable Windows Authentication.

    then go to advanced setting for Windows Authentication and make sure the extended protection is off and remove check box from enable Kernal-mode authentication as below  :

      

    Friday, September 20, 2019 10:14 AM