Today I installed two new Exchange 2016 servers at one of my customers. They are going to migrate from a classic Exchange 2010 CAS+Mailbox setup.
When I tried to login at the ECP when the first Exchange server was up and running I was thrown out directly in a matter of seconds.
The first thing I did was to create a completely new Active Directory User with only the Organization Management group as permission, no mailbox either.
That didn’t solve the problem. The next step was to reset the OWA and ECP Virtual Directories (
New-OWAVirtualDirectory) but as I expected no success.
How to Reset Client Access Virtual Directories
So I turned to my favorite search engine and stumbled upon this Technet thread.
In short the problem is related to the signing of the certificate used by the Exchange IIS Service.
The signing is done with “Microsoft Software Key Storage Provider” which makes the login to loop back. To make it work you need a certificate signed by “Microsoft RSA SChannel Cryptographic Provider”.
The solution is to request a certificate with signing mechanism “Microsoft RSA SChannel Cryptographic Provider”. A more complete deep dig for this is already done by Jason Slaughter at Microsoft, “The One With The FBA Redirect Loop“.
Another nice thing I found while searching was how to change the display language on a EAC Administrator account who does not have mailbox.
Add ?mkt=EN-us after ECP. Example: https://mail.contoso.com/ecp?mkt=EN-us