Exchange 2016 when starting exchange administrative service i get an server error in '/owa' application Assert: JMACProvider.getCertificates:protectionCertificates.length<1

Question

Exchange 2016 when starting exchange administrative service i get an server error in '/owa' application Assert: JMACProvider.getCertificates:protectionCertificates.length<1

Mike Page 0

Server Error in '/owa' Application. ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1 Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1 Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. Stack Trace: [ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1] Microsoft.Exchange.Diagnostics.ExAssert.AssertInternal(String formatString, Object[] parameters) +235 Microsoft.Exchange.Diagnostics.ExAssert.RetailAssert(Boolean condition, String formatString, T1 parameter1, T2 parameter2) +90 Microsoft.Exchange.Clients.Common.HmacProvider.GetCertificates() +359 Microsoft.Exchange.Clients.Common.HmacProvider.GetHmacProvider() +140 Microsoft.Exchange.Clients.Common.HmacProvider.ComputeHmac(Byte[][] messageArrays) +14 Microsoft.Exchange.HttpProxy.FbaModule.SetCadataCookies(HttpApplication httpApplication) +1032 Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.HandleFbaFormPost(BackEndServer backEndServer) +3579 Microsoft.Exchange.HttpProxy.FbaFormPostProxyRequestHandler.ShouldContinueProxy() +20 Microsoft.Exchange.HttpProxy.ProxyRequestHandler.BeginProxyRequestOrRecalculate() +257 Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalOnCalculateTargetBackEndCompleted(TargetCalculationCallbackBeacon beacon) +1528 Microsoft.Exchange.HttpProxy.<>c__DisplayClass281_0.<OnCalculateTargetBackEndCompleted>b__0() +303 Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate) +35 Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method) +59 [AggregateException: One or more errors occurred.] Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result) +413 System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +231 System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +172

1 answer

Your answer

Answer 1

Hi @Mike Page

Thanks for reaching out to the Microsoft Q&A forum.

Based on my research, this error message, Assert: JMACProvider.getCertificates:protectionCertificates.length<1 usually appears when the Exchange Server OAuth certificate has expired or is no longer present on the system. To confirm its current status, you can run the PowerShell command below:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

If it shows that the OAuth certificate is missing or expired, you can generate a new one using:

New-ExchangeCertificate -KeySize 2048 ` 
-PrivateKeyExportable $true ` 
-SubjectName "cn=Microsoft Exchange Server Auth Certificate" ` 
-FriendlyName "Microsoft Exchange Server Auth Certificate" ` 
-DomainName @()

After creating the certificate, assign it for OAuth authentication:

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromAboveCMD> -NewCertificateEffectiveDate (Get-Date).ToUniversalTime() 
Set-AuthConfig -PublishCertificate 
Set-AuthConfig -ClearPreviousCertificate

When the configuration is complete, restart the Microsoft Exchange Service Host. You can then refresh IIS by running IISReset or recycle the OWA and EAC application pools:

Restart-WebAppPool MSExchangeOWAAppPool  
Restart-WebAppPool MSExchangeECPAppPool

For your reference, you can review: Can't access OWA/EAC with expired OAuth certificate - Exchange | Microsoft Learn

You can also review a similar case reported by another user in Exchange Server error in '/owa' application | Microsoft Community Hub

I hope this information helps you move forward. If you have any updates, please feel free to share.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Vergil-V 10,340 Reputation points Microsoft External Staff Moderator

2026-03-03T23:06:10.09+00:00

Hi @Mike Page
I just wanted to kindly follow up to see if you’ve had a chance to review my previous response.

I would greatly appreciate any updates you may be able to provide, particularly regarding the usefulness of the information I shared. Your feedback is essential to my ongoing efforts to enhance the quality of my support.

Thank you again for your time, and I look forward to hearing from you.
Vergil-V 10,340 Reputation points Microsoft External Staff Moderator

2026-03-06T03:13:37.11+00:00

Hi @Mike Page

Hope you're having a good day.

May I ask if there have been any updates since our last exchange?

Have you had a chance to review the responses shared so far?

I’d appreciate any updates you can provide, and please let me know if there’s anything further I can do to assist.

Share via

Exchange 2016 when starting exchange administrative service i get an server error in '/owa' application Assert: JMACProvider.getCertificates:protectionCertificates.length<1

1 answer

Your answer