1. Home
    2. »
  2. How To
    3. » How to Fix Exchange SE ECP 401 Error After Upgrading from Exchange 2019

How to Fix Exchange SE ECP 401 Error After Upgrading from Exchange 2019

- Posted in How To by - Permalink

So you've upgraded from Exchange 2019 to Exchange SE, and now your Exchange Admin Center (ECP) is throwing HTTP 401 errors. Meanwhile, OWA works fine. Fun times.

Here's what happened to us and how we fixed it.

The Setup

We were running Exchange 2019 with Microsoft Hybrid Modern Authentication (OAuth) already properly configured and working. Everything was fine.

Then we did an in-place upgrade to Exchange SE.

The Symptoms

Post-upgrade:

  • ECP (Exchange Admin Center): HTTP 401 Unauthorized errors
  • OWA (Outlook Web App): Working perfectly
  • Other Exchange services: No issues

The Weird Part

When we checked the virtual directory authentication settings, OAuth was still showing as enabled. The configuration looked correct in PowerShell. But ECP still wouldn't authenticate.

Temporarily enabling Forms Authentication on ECP made it accessible again, which told us something was wrong with the OAuth authentication configuration.

The Fix

To resolve this, we had to disable and re-enable OAuth authentication to force Exchange to properly apply the settings. Here's the exact sequence we used:

Step 1: Temporarily Enable Forms Authentication

Get-OwaVirtualDirectory -Server YOUR-SERVER-NAME | Set-OwaVirtualDirectory -FormsAuthentication $true
Get-EcpVirtualDirectory -Server YOUR-SERVER-NAME | Set-EcpVirtualDirectory -FormsAuthentication $true

Step 2: Disable OAuth Authentication

Get-OwaVirtualDirectory -Server YOUR-SERVER-NAME | Set-OwaVirtualDirectory -OAuthAuthentication $false
Get-EcpVirtualDirectory -Server YOUR-SERVER-NAME | Set-EcpVirtualDirectory -OAuthAuthentication $false

Step 3: Restart IIS

net stop was /y
net start w3svc

Step 4 Re-Enable OAuth Authentication

Get-OwaVirtualDirectory -Server YOUR-SERVER-NAME | Set-OwaVirtualDirectory -OAuthAuthentication $true
Get-EcpVirtualDirectory -Server YOUR-SERVER-NAME | Set-EcpVirtualDirectory -OAuthAuthentication $true

Step 5: Disable Forms Authentication

Get-OwaVirtualDirectory -Server YOUR-SERVER-NAME | Set-OwaVirtualDirectory -FormsAuthentication $false
Get-EcpVirtualDirectory -Server YOUR-SERVER-NAME | Set-EcpVirtualDirectory -FormsAuthentication $false

Step 6: Restart IIS Again

net stop was /y
net start w3svc

Step 7: Test

Wait about 30 seconds for everything to initialize, then try accessing ECP. The 401 errors should be resolved.

For Clustered Environments

If you're running a cluster, repeat these steps for each server in your environment, replacing YOUR-SERVER-NAME with each server's name.

Final Notes

The Exchange SE upgrade can leave OAuth authentication settings in a state where they show as enabled but don't actually work. Simply re-applying the same settings (by disabling and re-enabling them) fixed the issue for us. Interestlingy this only affected ECP not OWA (which was great, as this mean normal users are not affected). But still if you're planning an upgrade from Exchange 2019 to SE, add "verify ECP authentication" to your post-upgrade checklist. Even if OAuth shows as enabled in PowerShell, test that you can actually log into ECP.

Tags:

Related posts

»