Managing certificates in Microsoft Exchange Server is critical to ensure uninterrupted access to core services such as OWA (Outlook Web App) and ECP (Exchange Control Panel). When the OAuth certificate expires, users may lose access, and errors like “ASSERT: HMACProvider.GetCertificates: protectionCertificates.Length<1” might appear in the Windows event logs. This blog provides a detailed guide to resolving such issues.
Symptoms
When the OAuth certificate in Exchange Server expires, you may encounter the following issues:
- Users cannot access OWA or ECP.
- Errors related to OAuth authentication appear in the Event Viewer.
- The following error may show up in event logs:
ASSERT: HMACProvider.GetCertificates: protectionCertificates.Length<1
Root Cause
The issue arises because Exchange Server relies on OAuth certificates for authentication and secure communications. If the OAuth certificate expires or becomes invalid, the server cannot process authentication requests properly, leading to service disruptions.
Resolution
Follow these steps to resolve the issue:
1. Verify the Current OAuth Certificate
Run the following command in the Exchange Management Shell (EMS) to check the status of the OAuth certificate:
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

Check the Thumbprint, NotAfter (expiration date), and Services fields in the output:
- Ensure that an OAuth certificate exists.
- Confirm the certificate is valid and not expired; the NotAfter value is the expiration date.
If the certificate is expired or missing, proceed to the next step.
2. Create a New Self-Signed Certificate for OAuth
If the OAuth certificate is expired, you need to create a new one. Use the following command to generate a new self-signed certificate:
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
This command creates the new self-signed certificate; the next step assigns it to OAuth.
3. Assign the New Certificate to OAuth
Once the new certificate is created, update the Exchange OAuth configuration to use the new certificate:
Set-AuthConfig -NewCertificateThumbprint <Thumbprint_of_New_Certificate> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
Replace <Thumbprint_of_New_Certificate> with the actual thumbprint of the certificate created in step 2, without the angle brackets.
4. Restart Microsoft Exchange Service Host Service
Restart the necessary services to apply the changes:
- Restart the Microsoft Exchange Service Host service. This can be done through the Windows Services console (services.msc).
- Alternatively, restart the service with the following command:
Restart-Service MSExchangeServiceHost
5. Recycle the IIS Application Pools or Restart IIS
Either run the IISReset command to restart IIS or run the following commands (in elevated mode) to recycle the Outlook on the web and EAC application pools:
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool
6. Verify OAuth Configuration
Ensure that the new OAuth configuration is applied correctly:
Get-AuthConfig
Check that the CurrentCertificateThumbprint matches the new certificate’s thumbprint.
Preventive Measures
To avoid similar issues in the future:
- Monitor Certificate Expiry: Regularly monitor certificate expiration dates using PowerShell or third-party tools.
- Automate Renewals: Automate the renewal process for self-signed or CA-issued certificates.
- Keep Exchange Updated: Ensure your Exchange Server is updated with the latest Cumulative Updates (CU) and Security Updates (SU) from Microsoft.
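The following script, added here as an example and not part of the original post, combines the verification in step 6 with the expiry monitoring recommended above. It runs in the Exchange Management Shell, reads the thumbprint that Set-AuthConfig points at, checks that the certificate is actually installed and has a private key, and warns when it is expired or within an assumed threshold ($WarnDays) of expiry.

```powershell
# Added example: check the Exchange OAuth (AuthConfig) certificate from the EMS.
# $WarnDays is an assumed threshold; adjust it to your own alerting policy.
function Test-ExchangeOAuthCertificate {
    param([int]$WarnDays = 30)

    $authConfig = Get-AuthConfig
    $thumbprint = $authConfig.CurrentCertificateThumbprint

    # The symptom in this post is an AuthConfig that references no usable certificate.
    if ([string]::IsNullOrEmpty($thumbprint)) {
        Write-Warning "AuthConfig has no CurrentCertificateThumbprint; OAuth cannot sign tokens."
        return
    }

    # Get-ExchangeCertificate fails if the thumbprint is not in this server's store.
    try {
        $cert = Get-ExchangeCertificate -Thumbprint $thumbprint -ErrorAction Stop
    } catch {
        Write-Warning "AuthConfig references $thumbprint but no such certificate is installed on $env:COMPUTERNAME."
        return
    }

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    if ($cert.NotAfter -lt (Get-Date)) {
        $status = 'EXPIRED'          # matches the HMACProvider.GetCertificates assert scenario
    } elseif (-not $cert.HasPrivateKey) {
        $status = 'NO_PRIVATE_KEY'   # present but unusable for signing
    } elseif ($daysLeft -le $WarnDays) {
        $status = 'EXPIRING_SOON'
    } else {
        $status = 'OK'
    }

    if ($status -ne 'OK') {
        Write-Warning "OAuth certificate $($cert.Thumbprint) status: $status ($daysLeft days until NotAfter)"
    }

    [pscustomobject]@{
        Server                 = $env:COMPUTERNAME
        CurrentThumbprint      = $cert.Thumbprint
        Subject                = $cert.Subject
        NotAfter               = $cert.NotAfter
        DaysUntilExpiry        = $daysLeft
        HasPrivateKey          = $cert.HasPrivateKey
        NextThumbprintPending  = -not [string]::IsNullOrEmpty($authConfig.NextCertificateThumbprint)
        Status                 = $status
    }
}

Test-ExchangeOAuthCertificate -WarnDays 30 | Format-List
```

Run it on each Exchange server in the organization, since the AuthConfig thumbprint is organization-wide but the certificate must be present in every server's local store.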
Conclusion
OAuth certificate expiration can disrupt key Exchange Server functionalities, but with the steps outlined above, you can quickly resolve these issues and restore access to OWA and ECP. Regular maintenance and proactive monitoring of certificates can help prevent such disruptions in the future.