Exchange 2016 CU20 ECP\OWA not available

After a clean, successful installation of Exchange 2016 CU20 and a reboot on completion of the installation, I was presented with the following error when trying to log in to the ECP and OWA.


Now this was a unique scenario. There were two production Exchange 2013 servers patched to the highest level, and each Exchange 2013 server had a certificate issued by an internal certificate authority. The certificate included all of the required subject alternative names, but it was also acting as the Microsoft Exchange Server Auth certificate on the Exchange 2013 servers and included .local domain names.

The design decision to introduce Exchange 2016 to the environment was purely to act as an Exchange Hybrid and not touch the production Exchange 2013 servers.

I installed Exchange 2016 CU20 with the April 2021 security patches and got the errors listed above. Exchange Management Shell access was fine. I decided to install an additional Exchange 2016 CU19 server to see if CU20 was buggy, but unfortunately I received the same error on the fresh build of the Exchange 2016 CU19 server.

The Exchange 2016 servers did not have rights to the private key of the certificate issued by the internal certificate authority, which the Exchange 2013 servers were using as the Microsoft Exchange Server Auth certificate. The Exchange 2016 servers picked up this certificate by default because it was already in use in the existing Exchange organisation.

So how did I resolve this issue?

First, I created a new Microsoft Exchange Server Auth certificate with the following commands:

# Create a new self-signed Auth certificate (the CN must match the friendly name Exchange expects)
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "CN=Microsoft Exchange Server Auth Certificate" -DomainName "*.contoso.com" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services SMTP

# Make the new certificate the Auth certificate, effective immediately
$date = Get-Date

Set-AuthConfig -NewCertificateThumbprint <certificate_thumbprint> -NewCertificateEffectiveDate $date

# Publish it to the organisation and drop the old certificate from the Auth configuration
Set-AuthConfig -PublishCertificate

Set-AuthConfig -ClearPreviousCertificate

IISRESET

The PowerShell commands above are taken from this article.

The next step was to export the newly created certificate and import it into the computer's Trusted Root Certification Authorities store on each Exchange server.

Next, we need to review and run the commands described in this Microsoft KB.

Next, we rename the SharedWebConfig.config file to SharedWebConfig.config.bak in each of the following directories:
C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy

Then follow the steps in this Microsoft KB.

But replace the environment variable '%ExchangeInstallPath%' in the two commands specified in the article with the actual install path: the install path can differ from the default location depending on the Exchange build, and the environment variable '%ExchangeInstallPath%' may not resolve in the Exchange Management Shell.

Run the commands and then restart the server, and all should be fine. At this point you can import a trusted certificate (for example, one issued by DigiCert) and assign the IIS and SMTP services to it.

Finally, run a health check on the Exchange 2016 server with Get-ServerComponentState.
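As an added example (not part of the original post), the following Exchange Management Shell script ties the diagnosis and the fix together: it resolves the real install path from the registry instead of relying on %ExchangeInstallPath%, reports whether this server actually holds a private key for the current Auth certificate, backs up the two SharedWebConfig.config files, and lists any server components that are not Active. The registry key, the SharedWebConfig.config filename and the property names are assumptions based on the standard Exchange 2016 layout, not values taken from the post.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the new Exchange 2016 server, as an account with local administrator rights.

# 1. Resolve the real install path from the registry key Exchange Setup writes
#    (assumed location), rather than relying on %ExchangeInstallPath%, which
#    may not expand inside the Exchange Management Shell.
$setupKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
$installPath = (Get-ItemProperty -Path $setupKey -Name MsiInstallPath).MsiInstallPath
if (-not $installPath) { throw "Could not read MsiInstallPath from $setupKey" }
Write-Host "Exchange install path: $installPath"

# 2. Check whether this server holds a usable private key for the certificate
#    currently configured as the Microsoft Exchange Server Auth certificate.
#    A missing private key is exactly the condition that broke ECP/OWA here.
$thumb = (Get-AuthConfig).CurrentCertificateThumbprint
$cert  = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
if (-not $cert) {
    Write-Warning "Auth certificate $thumb is not in this server's certificate store."
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Auth certificate $thumb is present, but this server has no private key for it."
} else {
    Write-Host "Auth certificate $thumb has a private key here (expires $($cert.NotAfter))."
}

# 3. Back up SharedWebConfig.config in both virtual directory roots before
#    regenerating it, using the resolved path instead of the environment variable.
foreach ($sub in 'ClientAccess', 'FrontEnd\HttpProxy') {
    $cfg = Join-Path -Path (Join-Path -Path $installPath -ChildPath $sub) -ChildPath 'SharedWebConfig.config'
    if (Test-Path -Path $cfg) {
        Rename-Item -Path $cfg -NewName 'SharedWebConfig.config.bak' -Force
        Write-Host "Renamed $cfg to SharedWebConfig.config.bak"
    } else {
        Write-Warning "$cfg not found; nothing to rename."
    }
}

# 4. Health check: any component not in the Active state needs attention
#    before clients are pointed at this server.
$inactive = Get-ServerComponentState -Identity $env:COMPUTERNAME |
    Where-Object { $_.State -ne 'Active' }
if ($inactive) {
    Write-Warning "Components not Active:"
    $inactive | Format-Table Component, State -AutoSize
} else {
    Write-Host "All server components are Active."
}
```

Run step 3 only after the KB's regeneration commands are ready to go, since IIS will not serve ECP/OWA without a SharedWebConfig.config in place.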