Lync Server 2013 RTM - cannot assign OAuth Certificate

  • Question

  • Trying to install Lync Server 2013 into existing organization which has Lync Server 2010 installed.

    Problem is, when I try to create and assign a certificate for OAuthTokenIssuer certificate, it won't work, and won't give me any error. It says certificate assigned OK, but when I run "Get-CsCertificate -type OAuthTokenIssuer" in PowerShell, it returns empty, and there's no "ok" sign in Certificate Wizard, so I cannot go further.

    When I check the certificate status in mmc / Certificates, the certificate status is OK. I've tried to redo the certificate many times, adding SAN names, giving more permissions for NETWORK SERVICE / LOCAL SERVICE to the certificate private key permissions, but nothing helps.

    Online CA is running Windows Server 2008 R2 Std and works OK. I've used the default template, which is WebServer I think.

    Shortly after I try to assign the certificate, I receive an error in Event Viewer:

    The replication of certificates from the central management store to the local machine failed due to a problem with certificate processing or installation on the local machine Microsoft Lync Server 2013, Replica Replicator Agent will continuously attempt to retry the replication. While this condition persists, the certificates on the local machine will not be updated.
    
    Exception: Microsoft.Rtc.Management.Common.Certificates.CertificateException: Keyset does not exist
     ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
    
       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
       at Microsoft.Rtc.Management.Common.Certificates.CertAccessRule.CAPIModifyAccessRule(X509Certificate2 certificate, AccessRule rule, Boolean addRule)
       --- End of inner exception stack trace ---
       at Microsoft.Rtc.Management.Common.Certificates.CertAccessRule.CAPIModifyAccessRule(X509Certificate2 certificate, AccessRule rule, Boolean addRule)
       at Microsoft.Rtc.Management.Common.Certificates.CertAccessRule.ModifyAccessRule(X509Certificate2 certificate, AccessRule rule, Boolean addRule)
       at Microsoft.Rtc.Management.Common.Certificates.CertUtils.AddCertificateToStore(X509Certificate2 cert, StoreName storeName, IManagementReporter reporter)
       at Microsoft.Rtc.Management.Deployment.Core.Certificate.ImportFromPinnedArray(PinnedByteArray pfx, Boolean allowSelfSigned)
       at Microsoft.Rtc.Management.Deployment.Core.Certificate.ReplicateCMSCertificates(IScopeAnchor scope)
       at Microsoft.Rtc.Internal.Tools.Bootstrapper.Bootstrapper.ReplicateCMSCertificates().
    Cause: The certificate provisioned in the central management store is invalid or cannot be handled on the local machine.
    Resolution:
    Ensure that certificates provisioned in the central management store are valid, have all needed issuer certificates included or installed on the local machine, and can be used with cryptographic providers available on the local machine.

    I've been scratching my head for hours with this... any suggestions?

    Friday, November 2, 2012 1:47 PM

Answers

  • My problem has been resolved by installing a certificate published by a public certification authority. I should have done this a long time ago: I bought a cheap single-name certificate with only the "domain.com" name and Lync accepted it. So it was a problem with the internal certification authority, though I cannot understand why, because the certificates seemed OK (and I also installed another internal CA on Server 2012, which didn't work either).

    Well, it works now so I'm happy.

    • Marked as answer by tomppah Monday, December 3, 2012 2:08 PM
    Monday, December 3, 2012 2:08 PM

All replies

  • Are you including the SIP domain as an entry in the certificate Subject Name or SAN fields? (e.g. "contoso.com"; simply including "sip.contoso.com" is not the same thing.) This is required for the OAuth certificate.

    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Saturday, November 3, 2012 3:34 AM
  • Yes I am. It lets me assign the certificate OK (PowerShell returns "certificate assigned OK") but a second later it's no longer assigned.
    Saturday, November 3, 2012 1:06 PM
  • Hello,

    It appears you are in a production environment, so I'm not sure this would be appropriate for you, or even if it would help your issue.

    However, in my test (non-production) environment, I had problems with requesting/assigning certs (Default and OAuth) unless I entered the SE FE (also pool) FQDN in the Configure Additional Subject Alternative Name field. For example, Lyncfe.contoso.com not just contoso.com nor sip.contoso.com (as Jeff pointed out).

    I had this issue in the Preview release, not the RTM, because I just entered the SE FE FQDN as an Additional SAN by default, as I remembered I had to do it in the Preview.

    I have no idea what the impact, if any, is of entering the FE server FQDN as an Additional SAN, other than in my test environment, it just seems to work.

    Good luck with your issue.

    Stu
    • Marked as answer by Kent-Huang Tuesday, November 27, 2012 6:41 AM
    • Unmarked as answer by Kent-Huang Tuesday, November 27, 2012 6:42 AM
    Saturday, November 3, 2012 4:49 PM
  • Thanks for suggestions but unfortunately didn't help. I tried "contoso.com" + SAN names sip.contoso.com, lyncfe.contoso.local, but same problem. Server is running on Windows Server 2012 RTM, FWIW.

    Sunday, November 4, 2012 1:01 PM
  • Hmm.

    My server running the DC, DNS and CA was running Windows Server 2008 R2 Datacenter for the Preview release.

    I upgraded the server (DC, DNS, CA) to Windows Server 2012 Datacenter RTM, and my Lync Server is running on Windows Server 2012 Datacenter RTM.

    Is your CA the same CA you used/are using for Lync 2010? Have you used this CA successfully in the past for Lync Server 2010/2013 Preview?

    Your CA is an Enterprise CA, right? Even though the O/S is Standard Edition? I'm pretty sure that the CA must be an Enterprise CA, and I can't remember if you can do an Enterprise CA on Standard edition of WS2008 R2.

    Also, the user running the Cert Wizard on the Lync FE has permissions to issue certs in the CA? CA MMC -> Properties -> Security Tab -> the user running the Cert Wizard is listed and has all 4 perms?

    Something about replication (from your error) is ringing a bell, but I can't remember what it is (if anything).

    Other than that, I got nothing else. Sorry, and good luck.

    Stu
    Sunday, November 4, 2012 4:07 PM
  • Hi,

    The OAuthTokenIssuer certificate is a global certificate. When you assign this certificate, it is replicated via the CMS and is assigned to all of the Lync Server 2013 servers that require OAuth. So please also check if the CMS replication is working properly. You can run Get-CsManagementStoreReplicationStatus to check it.


    Regards,

    Kent Huang

    TechNet Community Support


    • Edited by Kent-Huang Monday, November 5, 2012 7:05 AM
    Monday, November 5, 2012 6:55 AM
  • Thanks guys for suggestions,

    Stu's: the CA is an Enterprise CA and I have used it with the production Lync Server 2010 without problems. Permissions are OK as well.

    PS > Get-CsManagementStoreReplicationStatus

    UpToDate           : True
    ReplicaFqdn        : lync2010-fe.contoso.local
    LastStatusReport   : 4.11.2012 15:00:11
    LastUpdateCreation : 4.11.2012 15:00:08
    ProductVersion     : 4.0.7577.0

    UpToDate           : True
    ReplicaFqdn        : lync2010edge.contoso.local
    LastStatusReport   : 4.11.2012 15:00:11
    LastUpdateCreation : 4.11.2012 15:00:08
    ProductVersion     : 4.0.7577.0

    UpToDate           : False
    ReplicaFqdn        : lync2010-groupchat.contoso.local
    LastStatusReport   :
    LastUpdateCreation : 5.11.2012 10:01:36
    ProductVersion     :

    UpToDate           : True
    ReplicaFqdn        : lync2013-fe.contoso.local
    LastStatusReport   : 4.11.2012 15:00:11
    LastUpdateCreation : 4.11.2012 15:00:08
    ProductVersion     : 5.0.8308.0

    > Assign Certificate
    
    Set-CSCertificate -Identity Global -Type OAuthTokenIssuer -Thumbprint C5E23FEC65E916CADAF445396377B22E984BF67E -Confirm:$false -Report "C:\Users\adminuser\AppData\Local\Temp\Set-CSCertificate-[2012_11_05][10_42_28].html"
    The following certificate was assigned for the type "OAuthTokenIssuer":
    OAuthTokenIssuer: C5E23FEC65E916CADAF445396377B22E984BF67E contoso.com 11.04.2014 CN=contosoCA, DC=contoso, DC=local 2834FF68000000000039
    
    > Export Global Configuration Store
    Export-CSConfiguration -FileName "C:\Users\adminuser\AppData\Local\Temp\CSConfigData-2012_11_05-10_42_28.zip"
    
    
    > Import Local Configuration Store
    Import-CSConfiguration -LocalStore -FileName "C:\Users\adminuser\AppData\Local\Temp\CSConfigData-2012_11_05-10_42_28.zip"
    
    > Replicate-CsCmsCertificates
    Logging status to: C:\Users\adminuser\AppData\Local\Temp\ReplicateCMSCertificates-[2012_11_05][10_42_28].html

    Assigning the certificate is a success, but a second later it's no longer assigned and I cannot go forward.



    • Edited by tomppah Monday, November 5, 2012 8:53 AM typo
    Monday, November 5, 2012 8:49 AM
  • Hi tomppah,

    Looks like others are having difficulties also with the OAuth cert at:

    http://social.technet.microsoft.com/Forums/en-US/lyncserverpreview/thread/e4da6231-f6a7-4774-b0bf-6a4a503e8be8

    At this point, I'm going to step aside on this one, because I have no idea what your issue is.

    If it was my issue, I'd be suspicious of:

    1. The WS2008R2 CA and Server 2012 FE combination (that's why I upgraded my CA to WS2012, but that might not be an option for you.)

    2. The Lync 2010 and Lync 2013 FE Servers in the same domain

    3. I'd be tempted to rule out the CA and focus on the 2013 SE FE, since it works for Lync 2010, except for the fact that the CA is 2008 R2 and the FE is 2012. That has been problematic in the past for me (and I believe others).

    If it were me, in my safe comfy test-environment, I'd probably upgrade the CA to Server 2012 (I did) and flatten the Lync 2013 FE server and start over. But, again, you say you are in a real-world production environment, and I certainly am not.

    Stu

    • Marked as answer by Kent-Huang Tuesday, November 27, 2012 6:41 AM
    • Unmarked as answer by tomppah Wednesday, November 28, 2012 6:49 PM
    Monday, November 5, 2012 4:36 PM
  • Well, I'm no longer wasting time on this. I'm doing everything by the documentation and it doesn't work, so I'm going to have to delay the Lync 2013 deployment until the Lync product team releases a fix for this.

    This is what you get for being an early bird :-)

    Tuesday, November 6, 2012 10:42 AM
  • Well,

    I can't say it was pretty, but I got the OAuthTokenIssuer to give me the green check. So I did the following:

    1. Remove the Edge Server from the topology - republish

    2. Generated a manual certificate request for a web cert from IIS (with private key)

    3. Imported the private key to the DC root store and personal store on lync FE server

    4. Started at the top of the deployment wizard and ran "install local configuration store" even though it says complete.

    5. Ran setup or remove Lync Server Components again.

    6. Ran request, install, or assign Certificates.

    7. Selected my self-signed cert with the name "lyncfe.domain.com".

    8. Assigned it to the OAuthTokenIssuer.

    I don't know if steps 2 and 3 were altogether necessary; however, these are exactly the steps I followed. Feel free to post if the OAuth request succeeds. I have a feeling it will.

    That's it! OAuth seems to be working, I don't get the "OAuth certificate usages are not assigned" error, and I can now start the Lync services.

    Louis

    • Proposed as answer by loureeves Saturday, November 24, 2012 3:03 PM
    • Marked as answer by Kent-Huang Tuesday, November 27, 2012 6:41 AM
    • Unmarked as answer by tomppah Wednesday, November 28, 2012 6:48 PM
    Saturday, November 24, 2012 3:03 PM
  • Thank you for your suggestions, tried all these, but unfortunately no go. I actually even reinstalled the whole server to 2008 R2 which didn't help, exactly same problem.

    Tried to give permissions for the private key, tried duplicating the WebServer template. Every time the certificate assigns OK but I can't get the green check box. Really running out of ideas...

    Wednesday, November 28, 2012 6:52 PM
  • Hi,

    Sorry for any inconvenience caused. Please try the steps Rob Gora said in the following link:

    http://social.technet.microsoft.com/Forums/en-US/lyncserverpreview/thread/e4da6231-f6a7-4774-b0bf-6a4a503e8be8


    Kent Huang
    TechNet Community Support

    Friday, November 30, 2012 2:00 AM
  • Hi,

    I suspect that if you were using a private certification authority, the root certificate of your certificate authority was not in the Trusted Root Certification Authorities container on your Lync Server. I was experiencing the same issue, albeit through the GUI, where no certificates were presented to assign. Simply adding the root certificate to the trusted root for both the user and computer accounts allowed the available certs to be displayed.

    Hope this helps

    Regards

    Geraint


    Geraint Pugh

    Wednesday, December 12, 2012 10:11 AM
  • Hi,

    Thanks for your answer. As the Lync FE server is a member of the domain, the root certificates were pushed to the server automatically (to the Trusted Root Certification Authorities container). I wish it was that simple, but I had for sure double- and even triple-checked that all certificates were there. The certificates were displayed in the Lync Server Deployment Wizard / Certificate Wizard, but the central management store didn't accept the certificate, although PowerShell returned "certificate assigned OK".

    • Proposed as answer by Alcor Friday, December 28, 2012 6:25 AM
    • Unproposed as answer by Alcor Friday, December 28, 2012 6:26 AM
    Wednesday, December 12, 2012 10:22 AM
  • I tried everything proposed and unfortunately nothing worked. I think the cert export to file and then import might have worked, but I got the error mentioned on import, so that approach failed.

    My config was a net new install of Lync 2013 RTM Standard on Windows Server 2012 with a Windows 2008 (not R2) DC.

    What did work was to use PowerShell to manually assign the previously created OAuth cert to the local store rather than global (CMS).

    I used this command:

    set-CSCertificate -Identity Local -Type OauthTokenIssuer -Thumbprint f23f31f1313919319313e46e7fe778efe676e9

    You can get the thumbprint of the cert from its properties or from the output of the GUI-based Assign Certificate step.

    This allowed the green check mark to show up and to continue with the install.

    This is a temporary fix that allows the cert to be assigned on the local Lync server as the root cause in my case seems to be related to replication of the CMS database which shows up in the event logs as error 3039 LS Replica Replicator Agent Service.


    • Edited by Alcor Friday, December 28, 2012 6:44 AM
    Friday, December 28, 2012 6:37 AM
  • As Kent mentioned earlier, the OAuthTokenIssuer certificate is a global certificate. When you assign this certificate, it is replicated via the CMS and is assigned to all of the Lync Server 2013 servers that require OAuth.

    Because the certificate will be used by multiple servers, its private key must therefore be exportable.

    It's possible that due to the cert being obtained from an internal PKI, the private key is not exportable and as such, the Lync 2013 deployment wizard will not recognise it as a cert suitable for OAuth.

    Hope this helps....

    Tuesday, January 8, 2013 5:43 PM
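The replies above list several independent reasons the OAuthTokenIssuer assignment silently fails: the SIP domain missing from the Subject/SAN, the issuing CA's root not trusted on the FE, and (as in the post just above) a private key that is missing ("Keyset does not exist") or not exportable. The following script is an added diagnostic, not code from the thread, that checks all four conditions on one candidate certificate before you assign it; the thumbprint and SIP domain are placeholders you must replace.

```powershell
# Added diagnostic (not from this thread). Run in an elevated PowerShell on the Lync FE.
# Placeholders: replace with the candidate certificate's thumbprint and your SIP domain.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
$SipDomain  = 'contoso.com'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# 1. Private key present and readable. Touching .PrivateKey throws the same
#    "Keyset does not exist" CryptographicException seen in the event log when the
#    key container is missing or the service account cannot open it.
$keyOk = $false
try {
    $keyOk = $cert.HasPrivateKey -and ($null -ne $cert.PrivateKey)
} catch { Write-Warning "Private key not accessible: $($_.Exception.Message)" }

# 2. Private key exportable. The global OAuth cert is replicated through the CMS to
#    other servers, so a non-exportable key (the default for many CA templates) fails.
$exportable = $false
if ($keyOk) {
    try {
        $null = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'x')
        $exportable = $true
    } catch { Write-Warning "Private key is not exportable: $($_.Exception.Message)" }
}

# 3. Chain builds to a root in the machine's Trusted Root store (Geraint's point).
#    Revocation is skipped here so an unreachable CRL does not mask a trust problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) $($_.StatusInformation)" }
}

# 4. SIP domain itself (not only sip.<domain>) present as Subject CN or a DNS SAN entry (Jeff's point).
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}
$nameOk = $names -contains $SipDomain

[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    PrivateKey      = $keyOk
    Exportable      = $exportable
    ChainTrusted    = $chainOk
    SipDomainInCert = $nameOk
    Names           = ($names -join ', ')
}
```

Any False in the output names the condition to fix before re-running Set-CsCertificate; a certificate that passes all four but still drops out of the global store points at CMS replication, which Get-CsManagementStoreReplicationStatus reports.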
  • I just finished installing Lync 2013 and used the wizard all the way to certificates. Luckily I didn't encounter any error with OAuthToken Certificate. I just used "Send request Immediately" and then afterwhich, had it assigned automatically and all went well. I

    DC: Windows Server 2008 R2 SP2 with CA

    Lync: Windows Server 2012 with Lync 2013 STD

    I checked the OAuth certificate generated and it has no SAN. Just contoso.com, well mine has mylabs.com

    The issues I encountered here were

    -installing .Net 3.5 (Windows Server 2012)

    -unable to install the database and needed to find another path (disk was not enough, so increase disk space)


    All the best, Eman Lacuata

    Tuesday, January 22, 2013 2:16 AM
  • I tried this but got:

    set-CSCertificate : Command execution failed: "Tag:Local" is not a valid scope for certificate store. Identity parameter can only specify Global scope for the certificate storage in the Central Management store.
    Monday, February 25, 2013 12:52 PM
  • Try this one, it helped me:

    Import-CsCertificate -Identity global -Type OAuthTokenIssuer -Path C:\Install\cert-lync.pfx  -Password "qwertyuiop"

    Thursday, July 4, 2013 9:42 AM
  • I am new to Lync and Windows Servers. I used a different certificate issued by my CA for the OAuthTokenIssuer, and apparently that worked for me at this point.

    Thursday, October 24, 2013 1:34 PM
  • I solved this issue by exporting the certificate from my certificate server as a .p7b and importing the certificate into the Lync server instead of using the "process pending certificates" option. Not sure why this worked, but it makes about as much sense as the problem.
    Tuesday, June 30, 2015 7:44 PM
  • I know this is a very old thread however we just started using Lync 2013. The funny thing is the new version released a month after. I ran into this exact same problem and your suggestion was the only thing that worked.

    Import-CsCertificate -Identity global -Type OAuthTokenIssuer -Path C:\Install\cert-lync.pfx  -Password "qwertyuiop"

    Tuesday, June 28, 2016 8:52 PM