Locked Lync OAuth failure

  • Friday, August 03, 2012 2:12 PM

    Hi,


    I created an Exchange partner application but it doesn't work. When I try to:

    Test-CsExStorageConnectivity -SipUri "sip:barr.adam@test.local" -Binding "NetNamedPipe" -Verbose


    VERBOSE: Using NetNamedPipeBinding.
    VERBOSE: Try to open a connection to storage service using the specified
    binding. This can take several minutes before timing out.
    VERBOSE: Create message.
    VERBOSE: Execute Exchange Storage Command.
    VERBOSE: Processing web storage response for ExCreateItem Failure.,
    result=ErrorIncorrectExchangeServerVersion, reason=GetUserSettings failed,
    smtpAddress=Barr.Adam@test.local, Autodiscover
    Uri=https://server-c.test.local/autodiscover/autodiscover.svc,
    Autodiscover WebProxy=<NULL>, activityId=00000000-0000-0000-0000-000000000000.
    VERBOSE: Unhandled response Microsoft.Rtc.Internal.Storage.StoreResponse.
    VERBOSE: Is command successful: False.
    Test failed.


    and in the event log I have the message:

    Storage Service had an OAuth authentication failure.

    CreateAppActAsToken failed, ex=OAuthConfigException: code=ErrorConfigOAuthCertPrivateKey, reason=Certificate with <SerialNumber, 5f0000000ab2fa5a2dcf6c4b6400000000000a> by <IssuerName, CN=TEST-CA, DC=test, DC=local> does not have private key or it is inaccessible or not RSA, ex=System.Security.Cryptography.CryptographicException: Keyset does not exist
       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
       at Microsoft.Rtc.Internal.Storage.Security.OAuthTokenProcessor.FindAndValidateCert(StoreContext ctx, String certSN, String certIssuer) ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
       at Microsoft.Rtc.Internal.Storage.Security.OAuthTokenProcessor.FindAndValidateCert(StoreContext ctx, String certSN, String certIssuer)
       --- End of inner exception stack trace ---
       at Microsoft.Rtc.Internal.Storage.Security.OAuthTokenProcessor.FindAndValidateCert(StoreContext ctx, String certSN, String certIssuer)
       at Microsoft.Rtc.Internal.Storage.Security.OAuthTokenProcessor.GetOAuthCertificate(StoreContext ctx)
       at Microsoft.Rtc.Internal.Storage.Security.OAuthTokenProcessor.CreateAppActAsToken(StoreContext ctx, Guid tenantId, String smtpAddress, String userSid, String userUpn, String destinationAppId, String realmFromChallenge, String destinationHost, OAuthIssuerMetadata[] trustedIssuersFromChallenge)
       at Microsoft.Rtc.Internal.Storage.Security.OAuthTokenProcessor.CreateAppActAsToken(StoreContext ctx, Guid tenantId, String smtpAddress, String userSid, String userUpn, String destinationAppId, String realmFromChallenge, String destinationHost, String trustedIssuersFromChallenge)
       at Microsoft.Rtc.Internal.Storage.Security.OAuthCredential.Authenticate(HttpAuthenticationChallenge challenge, WebRequest webRequest)

    Cause: Bad input data, configuration, or runtime errors.

    Resolution:

    Check event details.  If problem persists, notify your organization's support team with the event details.



    The certificate is from a Windows 2012 AD enterprise CA (Web Server template).


    Any ideas?

    Thanks

     

All Replies

  • Friday, August 03, 2012 2:31 PM

    Hello,

    What version of Exchange is it, and/or what O/S is it running on?

    Reason I ask is 7th line from the top: "result=ErrorIncorrectExchangeServerVersion, reason=GetUserSettings failed,"

    There have been some "unexplained difficulties" in other areas as well when using Server 2012 RC/Preview. While I don't know, that (Server 2012) might be a contributing factor.

    Good luck with your issue.

    Stu

  • Friday, August 03, 2012 6:12 PM

    All systems are Windows 2012 RC, Exchange 2013 Preview.

  • Tuesday, August 07, 2012 6:26 AM
    Moderator
     Answered

    You can run the command Get-CsCertificate -Type OAuthTokenIssuer to check the certificate information from the Lync Server 2013 Preview Management Shell.

    If the certificate is ok, then run the command Get-CsPartnerApplication to verify the exchange partner application has been enabled.

  • Friday, August 10, 2012 7:18 PM
     Answered

    Hello,

    Guessing either private key is missing from personal certificate imported into Lync Front End’s machine store, and/or “Network Service” hasn’t been granted permissions to access the private key. 

    You can enable access from certificate manager MMC snap-in.  Open MMC, add "Certificates" snapin (Local Computer), drill down to Personal Certificates, right click on the Certificate being used for OAuth, within the context menu, select "All Tasks" --> "Manage Private Keys", then grant permissions to “Network Service”.

    Regards,

    Aaron


    aaronse
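    The checks suggested in the two answers above (is the OAuth certificate's private key present, and can "Network Service" read it) can be scripted. The following is an added diagnostic, not code from the thread or from Microsoft; it assumes an elevated PowerShell on the Lync Front End and that $OAuthSerial holds the serial number quoted in the event log (the legacy RSA CSP used by the Web Server template stores machine keys under ProgramData\Microsoft\Crypto\RSA\MachineKeys).

```powershell
# Added diagnostic (not from the thread). Assumes an elevated PowerShell on the
# Lync Front End. $OAuthSerial is the serial number from the event log entry.
$OAuthSerial = '5f0000000ab2fa5a2dcf6c4b6400000000000a'
$Principal   = 'NT AUTHORITY\NETWORK SERVICE'

# 1. Locate the certificate in the Local Computer Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -ieq $OAuthSerial }
if (-not $cert) { throw "Certificate $OAuthSerial not found in LocalMachine\My." }
"Subject        : $($cert.Subject)"
"Issuer         : $($cert.Issuer)"
"HasPrivateKey  : $($cert.HasPrivateKey)"

# 2. Do what OAuthTokenProcessor.FindAndValidateCert does: open the private key.
#    'Keyset does not exist' here means the key was never imported (PFX without
#    key) or this account cannot open the container. Note that success as an
#    administrator does NOT prove Network Service can open it; step 3 checks that.
try {
    $rsa = $cert.PrivateKey
    "Private key    : $($rsa.KeySize)-bit RSA via $($rsa.CspKeyContainerInfo.ProviderName)"
} catch [System.Security.Cryptography.CryptographicException] {
    "Private key NOT accessible: $($_.Exception.Message)"
    return
}

# 3. Resolve the key container file and read its ACL. This is the same ACL that
#    'All Tasks -> Manage Private Keys' edits in the Certificates MMC snap-in.
$keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }
$acl = Get-Acl $keyFile
$ace = $acl.Access | Where-Object {
    $_.IdentityReference -eq $Principal -and $_.AccessControlType -eq 'Allow'
}
if ($ace -and ($ace.FileSystemRights -match 'Read|FullControl')) {
    "$Principal has $($ace.FileSystemRights -join ', ') on $keyName"
} else {
    "$Principal has NO read access to $keyName"
    "Fix: Certificates MMC (Local Computer) -> Personal -> this certificate ->"
    "     All Tasks -> Manage Private Keys -> grant Read to $Principal"
}
```

    Granting Read is sufficient for token signing; Full Control is not needed and widens who can export or replace the key.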

  • Friday, August 31, 2012 3:56 PM

    Aaron, thank you for that tip!

    I had the same issue and the problem was that the "Network Service" did not have permission to access the certificate (private key).  After granting access everything started working.

    I documented that problem and several other issues I encountered while configuring the Lync Server 2013 Preview integration with Exchange Server 2013 Preview here: http://blog.insidelync.com/2012/08/the-lync-2013-preview-unified-contact-store-ucs/.

    Curtis

    www.insideLync.com