[solved] How to install/update the expired OAuth certificate on the On-Prem hybrid Exchange 2013 server.


The Exchange ECP hybrid portal can break if the OAuth certificate is expired or if the servers gets patched with new Exchange updates and will display the following message when trying to access the portal using https://localhost/ecp on the local server.


You can validate the On-Premise hybrid Exchange version by running the command on the On-Premise hybrid Exchange server. The On-Prmeise hybrid Exchange sever is always a source of authority in an hybrid environment

” Get-Exchangeserver | Sort Site,Name | FT Name,ServerRole,AdminDisplayVersion,Site -AutoSize -Wrap ”


The Exchange management page https://localhost/ecp does not work, so if you go the web page remotely using https://servername/ecp, the page will load and display the login page

After the adding credentials, the page breaks with the 500 backend error message. see below


  1. First step is to generate a new OAuth certificate with using Exchange management shell using the command below.

“New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName “cn=Microsoft Exchange Server Auth Certificate” -FriendlyName “Microsoft Exchange Server Auth Certificate” -DomainName “”

2. This will generate a new certificate and once generated we will need to thumbprint form the new certificate by running the “Get-ExchangeCertificate | FL” and copying the thumbprint to notepad for the later command

3. Now you will need to set the AuthConfig to the new certificate by running the following command and replacing the thumbprint with the one you copied into the notepad.

“Set-AuthConfig -NewCertificateThumbprint “E999999912066666D7″ -NewCertificateEffectiveDate (Get-Date)”

4. Now you will need to publish the certificate by using the following command

“Set-AuthConfig -PublishCertificate”

5. Lastly you will need to clear the old certificate by using the following command

“Set-AuthConfig -ClearPreviousCertificate”

6. Now that all the configurations have been applied, all you need now to do is reset.

Run the “cmd” and type IISREST to stop and start the IIS service.

Launch the ECP portal and you should be able to login now.






Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button