Share via

OWA to stop loading after an Exchange Server 2019 cumulative update

Holmes Shanquaneta 80 Reputation points
2025-11-13T03:17:55.4566667+00:00

After installing the latest cumulative update on Exchange Server 2019, both ECP (Exchange Control Panel) and OWA (Outlook Web App) stopped working.

When I try to access https://mail.contoso.com/ecp or https://mail.contoso.com/owa, the browser shows a blank page or an HTTP 500 error. All Exchange services appear to be running, and mail flow between mailboxes is still functioning normally. Only the web management and webmail interfaces are affected.

Event Viewer shows the following application log entries after IIS restarts:

Event ID 15021 - An error occurred while binding to SSL port.
Event ID 1309 - ASP.NET application error in /ecp

Environment details:

Exchange Server 2019 CU14 (freshly updated)

Windows Server 2019 Standard

Single server environment (Mailbox + Client Access roles on same machine)

Using self-signed certificate for internal access

Need help

Exchange | Exchange Server | Development
0 comments
Answer accepted by question author
  1. Hani-Ng 5,790 Reputation points Microsoft External Staff Moderator
    2025-11-13T06:31:44.71+00:00

    Hi Holmes Shanquaneta

    Thank you for posting your question in the Microsoft Q&A forum regarding the issues related to SSL binding and IIS configuration after a recent Exchange update. Based on my research, I would like to provide some information from my side, which I hope proves useful and kindly let me know if I’m mistaken.

    Event ID 15021 - SSL Binding Failure 

    The error message usually looks like: An error occurred while binding to SSL port 443. The certificate hash is not valid or has expired. This typically occurs when Exchange Cumulative Updates (CUs) reset IIS bindings or when the SSL certificate thumbprint used in IIS is invalid or expired. 

    You can verify the current SSL certificate by running the following in PowerShell and confirming that the certificate is valid and assigned to the IIS service

    Get-ExchangeCertificate | fl FriendlyName,Thumbprint,Services,NotAfter 

    (Get-ExchangeCertificate (ExchangePowerShell) | Microsoft Learn)

    Then, Rebind SSL to IIS:

    • Check current HTTPS bindings: netsh http show sslcert
    • If missing or incorrect, remove and re-add the binding: netsh http delete sslcert ipport=0.0.0.0:443
    • Then re-add the certificate: netsh http add sslcert ipport=0.0.0.0:443 certhash=<Thumbprint> appid={<GUID>}

    You can use {00112233-4455-6677-8899-AABBCCDDEEFF} as a placeholder GUID; it just needs to be unique.

    (Note: CU updates sometimes affect IIS bindings when self-signed certificates are configured)

    Event ID 1309 – ASP.NET / ECP errors: ASP.NET errors in /ecp generally mean IIS virtual directories could not start, often due to misconfigured application pool identity or a corrupted web.config after a CU install.

    • Check application pools: Open IIS Manager → Application Pools and check MSExchangeECPAppPool and MSExchangeOWAAppPool:
      • Status: Started
      • Identity: should be NetworkService
    • Recycle the pools, and if still failing, please try to reset them.
    • Restart the pools, you can run:  
    Restart-WebAppPool MSExchangeECPAppPool  
Restart-WebAppPool MSExchangeOWAAppPool 
    • Reset IIS 
    iisreset /noforce 

    Recreate Virtual Directories (if needed) 

    • Backup current settings:  
    Get-OwaVirtualDirectory | fl Name,Identity,InternalUrl,ExternalUrl  
Get-EcpVirtualDirectory | fl Name,Identity,InternalUrl,ExternalUrl 
    • Remove and recreate 
    Remove-OwaVirtualDirectory -Identity "Owa (Default Web Site)"  
New-OwaVirtualDirectory -OwaVersion Exchange2019  
Remove-EcpVirtualDirectory -Identity "ECP (Default Web Site)"  
New-EcpVirtualDirectory -EcpVersion Exchange2019 

    (please restart IIS after changes) 

    Get-OwaVirtualDirectory (ExchangePowerShell) | Microsoft Learn

    Get-EcpVirtualDirectory (ExchangePowerShell) | Microsoft Learn

    • Confirm .NET and ASP.NET setup: Exchange 2019 CU14 depends on .NET Framework 4.8. Without it, ASP.NET pages will not function. Please ensure ASP.NET 4.8 is properly registered in IIS: %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i

    Additionally, I would like to share some common CU14 issues that self-signed certificates may be removed from IIS after CU installation, and permissions on C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess sometimes get reset. To avoid problems, please always run the CU as Administrator and restart the server after installation

    Moreover, according to the Q&A Assist mentioned above regarding the browser showing a blank page or an HTTP 500 error, you can find detailed information here:

    Fix failed Exchange Server updates

    OWA or ECP stops working after you install a security update

    I hope these suggestions provide some helpful ideas. If you need further assistance, feel free to ask via comments section.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-11-13T03:18:10.9333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It seems that after installing the cumulative update on your Exchange Server 2019, you're encountering issues with both the Exchange Control Panel (ECP) and Outlook Web App (OWA), specifically HTTP 500 errors and blank pages. The Event Viewer logs indicating an SSL binding error (Event ID 15021) and an ASP.NET application error (Event ID 1309) suggest that there may be issues with the SSL configuration or the application itself.

    Here are some steps you can take to troubleshoot and potentially resolve the issue:

    1. Check SSL Certificate: Since you are using a self-signed certificate, ensure that it is correctly configured and bound to the appropriate sites in IIS. You may need to rebind the certificate to the SSL port.
    2. Reinstall the Cumulative Update: Sometimes, the update may not install correctly. You can try reinstalling the cumulative update using elevated permissions. Here’s how:
      • Open Command Prompt as an administrator.
      • Run the installer for the cumulative update again.
      • After the installation, restart the server.
    3. Check Application Pools: Ensure that the application pools for ECP and OWA are running in IIS. You can restart these application pools to see if it resolves the issue.
    4. Review IIS Configuration: Make sure that the IIS configuration for the Exchange virtual directories is correct. You can use IIS Manager to verify the settings.
    5. Run Exchange Management Shell Scripts: After reinstalling the update, run the following scripts in Exchange Management Shell:
      • .\in\UpdateCas.ps1
      • .\in\UpdateConfigFiles.ps1
      • Then run iisreset to restart IIS.
    6. Check Event Viewer Logs: Continue to monitor the Event Viewer for any additional errors that may provide more context on the issue.

    If these steps do not resolve the issue, you may want to consider restoring from a backup or reaching out to Microsoft support for further assistance.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.