Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

HMA EvoSTS certificate rollover causes authentication prompts due to stalled key on worker process spawn (warmup phase) in Exchange Server 2019 and 2016


Symptoms

EvoSTS certificates are managed by Azure Active Directory (Azure AD) and are regularly updated individually per tenant, which happens more frequently for some users. Neither the certificate rollover nor its schedule is transparent to the user. Such a rollover causes service outages for users running Hybrid Modern Authentication (HMA). The problem occurs when a worker process is started or recycled, or when a machine is brought back from maintenance, while diverging key material is present in AD.

When any worker process initializes, the first request that contains bearer authentication data loads the OAuth libraries and initializes the key material by reading it from the AuthServer object in AD. After this, the worker process can authenticate requests that contain bearer authentication data. However, if the key material in Azure AD (EvoSTS) has been rolled over, the worker process can't authenticate those requests: the signature does not match the key material it loaded, so message security validation fails. After a random interval (timer maximum of 30 minutes), the worker process looks up and fetches the key material online through the published metadata endpoint.

If new or diverging keys are found, they are added and loaded into the process (instance) for the lifetime of the worker process, and authentication works from then on. Because the new key data is never written back to AD, the same cycle repeats for every newly spawned worker process.
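The divergence described above can be detected by comparing certificate thumbprints from both sources. This is an added example, not code from the article or from Microsoft: it assumes the certificates stored in AD are available as base64 DER strings and that the published metadata is XML carrying `ds:X509Certificate` elements, and the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# XML-DSig namespace used by X509Certificate elements (assumed metadata format)
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def thumbprint(b64_cert: str) -> str:
    """SHA-1 thumbprint (uppercase hex) of a base64-encoded DER certificate."""
    der = base64.b64decode("".join(b64_cert.split()))  # tolerate wrapped base64
    return hashlib.sha1(der).hexdigest().upper()

def metadata_thumbprints(metadata_xml: str) -> set:
    """Thumbprints of every ds:X509Certificate published in the metadata."""
    root = ET.fromstring(metadata_xml)
    return {thumbprint(e.text) for e in root.iter(DS + "X509Certificate") if e.text}

def compare_keys(ad_certs, metadata_xml):
    """Diff key material stored in AD against what the issuer publishes."""
    stored = {thumbprint(c) for c in ad_certs}
    published = metadata_thumbprints(metadata_xml)
    return {
        "missing_in_ad": sorted(published - stored),  # rolled-over keys AD lacks
        "stale_in_ad": sorted(stored - published),    # keys no longer published
        # A published key unknown to AD is the condition that leaves a freshly
        # started worker process unable to validate tokens signed with it.
        "diverged": bool(published - stored),
    }

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed sample input: placeholder bytes standing in for DER certificates.
OLD_KEY = _b64(b"constructed-old-signing-cert")
NEW_KEY = _b64(b"constructed-new-signing-cert")
SAMPLE_AD_CERTS = [OLD_KEY]  # what the AD object still holds
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <RoleDescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{OLD_KEY}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{NEW_KEY}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor></RoleDescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(compare_keys(SAMPLE_AD_CERTS, SAMPLE_METADATA))
```

A non-empty `missing_in_ad` list on an unpatched server indicates that newly started worker processes will reject valid bearer tokens until their in-process metadata refresh runs.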



Resolution

To fix this issue, install one of the following updates:

For Exchange Server 2019, install the Cumulative Update 6 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019.

For Exchange Server 2016, install the Cumulative Update 17 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.





Keywords: CI118718, kbHotfixAuto, kbqfe, kbfix, kb, HMA evosts cert rollover causes auth prompts


Article Info
Article ID : 4549689
Revision : 8
Created on : 6/16/2020
Published on : 6/16/2020
Exists online : False
Views : 241