
Saturday, July 1, 2017

Exchange 2016 EAC displays a blank page upon login after updating SSL certificates

Problem

You’ve recently updated the certificates for your Exchange 2016 servers:


You notice that the ECP / EAC page no longer loads properly after a successful login once the new certificate has been assigned, the old certificate deleted, and the server restarted:


Reviewing the event logs shows the following error logged repeatedly on the Exchange server(s):


Log Name: System
Source: HttpEvent
Event ID: 15021
Level: Error
An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data.


Solution

The error above can be caused by the port 444 SSL certificate binding in HTTP.sys still referencing the old, deleted certificate (port 444 is used by the Exchange Back End website, which the EAC proxies to).  To determine whether this is the case, open an elevated command prompt and execute the following command:

netsh http show sslcert

The command should list the SSL certificate bindings for the server similar to the following:

C:\>netsh http show sslcert

SSL Certificate bindings:
-------------------------

IP:port : 0.0.0.0:443
Certificate Hash : d0da0b35cf91c55b91a10755c0b4b11dfb1d3ff9
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled

IP:port : 0.0.0.0:444
Certificate Hash : c71d3d6f9673dcec57d8c76602562d58bd69d9b9
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled

IP:port : 0.0.0.0:8172
Certificate Hash : 403a6eac00d494c03288a1df779aeae7a131886f
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled

IP:port : 127.0.0.1:443
Certificate Hash : d0da0b35cf91c55b91a10755c0b4b11dfb1d3ff9
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled

C:\>

The part of the output we are interested in is the port 444 binding:

IP:port : 0.0.0.0:444

Certificate Hash : c71d3d6f9673dcec57d8c76602562d58bd69d9b9

-------------------------------------------------------------------------------------------------------------------

Also make a note of the following information which we will need later:

Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}

-------------------------------------------------------------------------------------------------------------------

Confirm that the 0.0.0.0:444 binding is indeed referencing the old certificate by comparing the thumbprint of the old, deleted certificate with the Certificate Hash listed above:

The thumbprint in the screenshot matches the Certificate Hash listed above for port 444.  Once you have confirmed that the 0.0.0.0:444 binding is referencing the old certificate, delete the binding by executing the following command:

netsh http delete sslcert ipport=0.0.0.0:444

Execute netsh http show sslcert again to confirm that the port 444 binding has been deleted:

Proceed with creating the port 444 binding for the new certificate.  The command needs the Application ID that we noted earlier:

Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}

… and obtaining the thumbprint of the new certificate that we’ll be using:


Use the information above to execute the following command:

netsh http add sslcert ipport=0.0.0.0:444 certhash=d0da0b35cf91c55b91a10755c0b4b11dfb1d3ff9 appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"

The 15021 errors should no longer be written to the event log, and the EAC should load after login.  Repeat these steps on every affected Exchange server.
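The manual check above (compare every HTTP.sys binding's Certificate Hash against the certificates that actually exist in the server's store) can be done in one pass. The following PowerShell script is an added example, not part of the original post: it parses netsh http show sslcert, flags any IP:port binding whose hash is no longer present in Cert:\LocalMachine\My, and prints the delete/add commands for it using the binding's own Application ID. It assumes it is run elevated on the Exchange server, and $NewThumbprint is a placeholder you replace with the thumbprint of the new certificate.

```powershell
# Added example (not from the original post). Find HTTP.sys SSL bindings that
# reference a certificate no longer present in LocalMachine\My (the condition
# behind HttpEvent 15021) and print the repair commands for each one.
# Assumption: $NewThumbprint is replaced with the new certificate's thumbprint.
param(
    [string]$NewThumbprint = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'
)

# Parse "netsh http show sslcert" into one object per IP:port binding.
# Only IP:port bindings are handled here; Hostname:port (SNI) bindings are skipped.
$bindings = @()
$current  = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        if ($current) { $bindings += $current }
        $current = [pscustomobject]@{ IpPort = $matches[1]; Hash = $null; AppId = $null }
    }
    elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $current.Hash = $matches[1].ToLower()
    }
    elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
        $current.AppId = $matches[1]
    }
}
if ($current) { $bindings += $current }

# Thumbprints of the certificates actually installed in the machine's personal store.
$storeThumbprints = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { $_.Thumbprint.ToLower() }

foreach ($b in $bindings) {
    if ($b.Hash -and ($storeThumbprints -contains $b.Hash)) {
        Write-Host ("OK     {0,-18} {1}" -f $b.IpPort, $b.Hash)
        continue
    }
    # Stale binding: HTTP.sys still points at a deleted certificate. Review the
    # commands before running them; they are printed, not executed.
    Write-Warning ("STALE  {0,-18} hash {1} is not in Cert:\LocalMachine\My" -f $b.IpPort, $b.Hash)
    Write-Host "  netsh http delete sslcert ipport=$($b.IpPort)"
    Write-Host "  netsh http add sslcert ipport=$($b.IpPort) certhash=$NewThumbprint appid=`"$($b.AppId)`""
}
```

Because the script only prints the netsh commands, you can confirm that a flagged binding really is the stale one (and that the Application ID is the expected Exchange one) before applying the fix.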
