What is Federation or Auth Certificate?

As part of Microsoft Exchange 2016 installation, a self-signed certificate called “Microsoft Exchange Server Auth Certificate” is created that is being used for server-to-server authentication and integration using OAuth in your Exchange organization. Exchange server-to-server authentication is being used for integration of Exchange 2016 with SharePoint or Skype for Business. This certificate can be viewed from local computer certificate store or from Exchange Admin Center > Servers > Certificate. More detail on Exchange Digital certificates and encryption in Exchange can be found on TechNet.

It’s a self-signed certificate and one of the important components of Exchange server. If for some reason this certificate is missing on your Exchange Server 2016, you will see the following warning messages in event viewer under application logs on Exchange 2016 server.

Troubleshoot Federation or Auth certificate not found Issue

Troubleshoot Federation or Auth certificate not found Issue

When you have a missing certificate, you'll see the following warning error message in application logs of event viewer.

Federation or Auth certificate not found: “Certificates-thumbprint”. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig.  The certificate may take time to propagate to the local or neighboring sites.

As described earlier, if we have missing certificates then it can cause issues with integration and server-to-server authentication. What will you do if you run into this issue? How do you fix it? Below are the steps that you need to perform to fix this issue.

Troubleshoot Federation or Auth certificate not found issue

Follow the instructions mentioned below to fix federation or Auth certificate not found issue in your Exchange 2013 or 2016 organization.

  • Login to Exchange Server and launch Exchange Management Shell
  • Create a new certificate using the EMS cmdlet.

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName “CN= Microsoft Exchange Server Auth Certificate” -DomainName “*.DOMAINNAME.COM” -FriendlyName “Microsoft Exchange Server Auth Certificate” -Services SMTP

Troubleshoot Federation or Auth certificate not found Issue

  • You will be prompted to override the default SMTP certificate, answer “No” by typing “N” and hit enter
  • Copy the certificate thumbprint as you will be required to enter the certificate thumbprint later on
  • Save the current date to an object using the cmdlet

$date = Get-Date

  • Run the cmdlet to set authentication configuration for your exchange server. You will be prompted that the new certificate effective date is not at least “48” hours in the future and may not be deployed on all necessary servers. Ignore this prompt and type Yes to continue or hit Enter. The default answer is Yes.

Set-AuthConfig -NewCertificateThumbprint certificate_thumbprint –NewCertificateEffectiveDate $date

Troubleshoot Federation or Auth certificate not found Issue

  • Publish the new certificate using the following command:

Set-AuthConfig –PublishCertificate

  • If you have an old certificate, you need to run the following cmdlet to clear the previous certificate:

Set-AuthConfig -ClearPreviousCertificate

Troubleshoot Federation or Auth certificate not found Issue

  • Once the certificate configuration is completed in Exchange Management Shell, restart the IIS service and this will fix your certificate warning messages from event viewer.