?
Solved

Resolving Exchange 2013 FBA logon page "loop"

Posted on 2016-10-14
1
Medium Priority
?
135 Views
Last Modified: 2016-11-01
My customer is affected by the Forms-based authentication problem described in this TechNet blog article:

https://blogs.technet.microsoft.com/jasonsla/2015/01/15/the-one-with-the-fba-redirect-loop/

Specifically, installing a new SHA-2 based certificate causes OWA and ECP logins to 'loop' back to the login prompt even when correct credentials are supplied. The customer is running a single instance of Exchange 2013 CU 10 (build 15.0.1130.7).

I confirmed we're affected by the issue described because running certutil -store my [certificateSerialNumber] against the new cert receives a reply of "Provider = Microsoft Software Key Storage Provider", when in fact what Exchange supports is "Provider = Microsoft RSA SChannel Cryptographic Provider".  In other words, it's a KSP-based certificate, and apparently Exchange 2013 FBA expects CSP-based ones.

Here's what doesn't make sense.  We use an SSL certificate supplied by a third party CA (NameCheap/Comodo). That being the case:

1) Does his solution require us to go back to our third party provider, and get a reissued certificate?  If so, what do I ask for?  

2) Or can I use certutil as he describes, to "import the certificate into a CSP"?  In other words, does running certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx <CertificateFilename> work if you're NOT running your own in-house CA, and using a third party provider like Namecheap/Comodo/GoDaddy?

3) Will that command work against .cer files, or do they need to be in another format?

4) Is there a simpler solution to this, e.g. installing the latest cumulative update, which is CU 14? Or does Exchange 2013 FBA still not support KSP certificates?
0
Comment
Question by:AA-in-CA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41844471
1. Possibly.
2. You can *try* this by Exporting your Exchange certificate to a .PFX file using the following command:
Export-ExchangeCertificate -Thumbprint <thumbprint> -FileName <path to store the file> -BinaryEncoded -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

Open in new window

Once you have the PFX export of the cert you're using, you can then delete the certificate in IIS and reboot, then run the certutil command using the .pfx file you exported. That *should* successfully migrate the certificate, but be aware that you may be locked into using a KSP because the certificate was generated to require KSP use. If this solution doesn't work, you will need to generate a new certificate.
3. No. Only PFX files, but you can export any certificate as a PFX file as long as it was configured to allow export when originally installed.
4. KSP is still not supported, so no.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read this checklist to learn more about the 15 things you should never include in an email signature.
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question