Missing the "Microsoft Exchange Server Auth Certificate"

  • Question

  • Hi Everyone,

    I have a single Exchange box.    

    Was integrating my Lync and Exchange and noticed some issues after configuring my Lync pre-reqs: http://technet.microsoft.com/en-us/library/jj721919.aspx

    Following the line of communication and event logs, I quickly saw that the error was not on my Lync Server, but on my Exchange.  The "Microsoft Exchange Server Auth Certificate" that is created during Ex2013 install was missing.  It was not there to give out tokens for the Server to Server authentication required to integrate Lync, Exchange, and SharePoint.

    Running Get-AuthConfig: http://technet.microsoft.com/en-us/library/jj215766(v=exchg.150).aspx pointed to a thumbprint that did not exist anymore.  

    I confirmed this by checking the local cert store (local computer>personal>certificates), looking in the ECP (servers>certificates), and also running Get-ExchangeCertificate.

    In my Exchange Server event log, I found the following errors: 

    Log Name: Application

    Source: MSExchange Certificate Deployment

    Date: 6/8/2014 4:00:50 AM

    Event ID: 2005

    Task Category: General

    Level: Warning

    Keywords: Classic

    User: N/A

    Computer: server.domain.com

    Description:

    Federation or Auth certificate not found: ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites.

    Event Xml: EventID=2005, Level=3, Task=1, Keywords=0x80000000000000, EventRecordID=2391484, Channel=Application, Computer=server.domain.com, Data=ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3

    -----------------------------------------------------------------------------------------------------------------

    AND

    Log Name: Application

    Source: MSExchange OAuth

    Date: 6/8/2014 1:25:41 PM

    Event ID: 2004

    Task Category: Configuration

    Level: Warning

    Keywords: Classic

    User: N/A

    Computer: server.domain.com

    Description:

    Unable to find the certificate with thumbprint ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3 in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.

    Event Xml: EventID=2004, Level=3, Task=2, Keywords=0x80000000000000, EventRecordID=2397430, Channel=Application, Computer=server.domain.com, Data=ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3

    ---------------------------------------------------------------------------------------------------

    Googling has only produced one article that is about another issue that I would have found further down the line if I wasn't testing within the pre-reqs.  The solution is the same, but the article is somewhat poorly written and does not respond to all the comments enough to leave one feeling it's 100% correct.  

    http://blogs.technet.com/b/jenstr/archive/2012/11/22/getting-internal-server-error-500-when-creating...

    The broad strokes are clear:

    The fix is to create a new "Microsoft Exchange Server Auth Certificate" by using the following sequence of cmdlets in EMS on the MBX server:

    1. New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services smtp

    Do not accept to replace the SMTP certificate when prompted

    2. Note the thumbprint of the new certificate. Let us assume it is 7A39541F8DF58D4821967DD8F899B27410F7C081

    3. $a=get-date

    4. Set-AuthConfig -NewCertificateThumbprint 7A39541F8DF58D4821967DD8F899B27410F7C081 -NewCertificateEffectiveDate $a

    Accept to continue despite the fact that the certificate effective date is not 48 hours into the future

    5. Set-AuthConfig -PublishCertificate

    6. Make sure to remove any potential reference to the previous certificate (which might not exist anymore) by doing Set-AuthConfig -ClearPreviousCertificate.

    Remember to do iisreset on both CAS and MBX servers. Then finally, you can try to re-issue the New-CsPartnerApplication cmdlet.

    65 Million Dollar question:

    Is the syntax in part 1 correct?  Two people say to add the domain?  Jens responds, but it's vague.  What would the correct command look like?  I do not know where to add the -DomainName within the command and which name I should add?  The FQDN of the CAS?

    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp

    Thank you everyone

    Sunday, June 8, 2014 7:34 AM

Answers

  • Hi,

    Yes, we need to specify a valid FQDN for either the Subject or the DomainName parameter. Please run the following command:

    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp

    Then following the other steps in your posting to re-create the Microsoft Exchange Server Auth Certificate.

    Regards,


    Winnie Liang
    TechNet Community Support

    Monday, June 9, 2014 9:10 AM
    Moderator
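The six-step procedure from the question, combined with the -DomainName advice from the answer, as one Exchange Management Shell script with the pre-check and post-check a practitioner would want. This is an added example, not code from the original posts or from Microsoft. Assumptions not in the thread: the server FQDN is read from Get-ExchangeServer rather than typed in; -Force on Set-AuthConfig is used to suppress the "effective date is not 48 hours in the future" confirmation; and -Services smtp is omitted, because the auth certificate signs OAuth tokens through AuthConfig and needs no service binding, so the "replace the SMTP certificate?" prompt the question says to decline never appears.

```powershell
# Added example (not from the original posts): detect and repair a missing
# "Microsoft Exchange Server Auth Certificate". Run in EMS on the Mailbox server.
# Assumptions: FQDN from Get-ExchangeServer; -Force suppresses the 48-hour prompt;
# no -Services smtp (the token-signing certificate needs no service binding).

$friendlyName = "Microsoft Exchange Server Auth Certificate"

function Test-AuthCertificate {
    # $true only when the thumbprint AuthConfig references exists in the local
    # store AND carries its private key (both conditions named by event 2004).
    param([string]$Thumbprint)
    if ([string]::IsNullOrEmpty($Thumbprint)) { return $false }
    $cert = Get-ExchangeCertificate -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return ($null -ne $cert) -and $cert.HasPrivateKey
}

# Diagnosis: compare Get-AuthConfig with what is actually in the certificate store.
$authConfig = Get-AuthConfig
Write-Host ("AuthConfig CurrentCertificateThumbprint: {0}" -f $authConfig.CurrentCertificateThumbprint)

if (Test-AuthCertificate $authConfig.CurrentCertificateThumbprint) {
    Write-Host "Auth certificate is present with its private key; nothing to do."
    return
}
Write-Warning "Auth certificate missing or without private key (matches events 2004/2005). Re-creating."

# Step 1: create the certificate. Subject keeps the well-known CN; -DomainName
# carries the server FQDN, as the accepted answer recommends (assumed source of the name).
$fqdn = (Get-ExchangeServer -Identity $env:COMPUTERNAME).Fqdn
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "cn=$friendlyName" -FriendlyName $friendlyName -DomainName $fqdn

# Step 2: take the thumbprint from the returned object instead of copying it by hand.
$thumb = $newCert.Thumbprint
Write-Host "New auth certificate thumbprint: $thumb"

# Steps 3-4: make it the next certificate, effective now (-Force answers the 48-hour prompt).
Set-AuthConfig -NewCertificateThumbprint $thumb -NewCertificateEffectiveDate (Get-Date) -Force

# Step 5: publish the new certificate to partner applications.
Set-AuthConfig -PublishCertificate

# Step 6: drop the reference to the previous certificate, which no longer exists.
Set-AuthConfig -ClearPreviousCertificate

# Verification: AuthConfig must now reference a certificate that is usable for signing.
$after = Get-AuthConfig
if (-not (Test-AuthCertificate $after.CurrentCertificateThumbprint)) {
    throw "AuthConfig still references $($after.CurrentCertificateThumbprint), which is not usable for token signing."
}
Write-Host "AuthConfig now uses $($after.CurrentCertificateThumbprint)."
Write-Host "Run iisreset on the CAS and MBX servers, then retry New-CsPartnerApplication on the Lync side."
```

The pre-check is the same comparison the question describes (AuthConfig thumbprint versus Get-ExchangeCertificate), so the script is safe to re-run: if the certificate is already present with its private key it stops before creating anything. On a multi-server topology, wait for the published certificate to replicate before expecting event 2005 to stop on neighbouring sites, as the event text itself warns.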

All replies

  • I updated the certificates in Lync, and now the OAuth Exchange certificates still point to the thumbprint of the old Lync one. Can I just go to step 3 and then add the thumbprint of my new Lync cert (would that be the OAuth cert from Lync or my Lync pool cert)?

    Thanks for responding!


    M.S.

    Monday, November 2, 2015 9:34 PM