Channel: Exchange Server 2013 - Administration, Monitoring, and Performance Forum

Missing the "Microsoft Exchange Server Auth Certificate"


Hi Everyone,

I have a single Exchange box.

Was integrating my Lync and Exchange and noticed some issues after configuring my Lync pre-reqs: http://technet.microsoft.com/en-us/library/jj721919.aspx

Following the line of communication and event logs, I quickly saw that the error was not on my Lync Server, but on my Exchange. The "Microsoft Exchange Server Auth Certificate" that is created during Ex2013 install was missing. It was not there to give out tokens for the server-to-server authentication required to integrate Lync, Exchange, and SharePoint.

Running Get-AuthConfig: http://technet.microsoft.com/en-us/library/jj215766(v=exchg.150).aspx pointed to a thumbprint that did not exist anymore.

I confirmed this by checking the local cert store (Local Computer > Personal > Certificates), looking in the ECP (Servers > Certificates), and also running Get-ExchangeCertificate.

In my Exchange Server event log, I found the following errors: 

Log Name: Application
Source: MSExchange Certificate Deployment
Date: 6/8/2014 4:00:50 AM
Event ID: 2005
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: server.domain.com
Description:
Federation or Auth certificate not found: ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites.
Event Xml (values only): 2005, 3, 1, 0x80000000000000, 2391484, Application, server.domain.com, ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3

-----------------------------------------------------------------------------------------------------------------

AND

Log Name: Application
Source: MSExchange OAuth
Date: 6/8/2014 1:25:41 PM
Event ID: 2004
Task Category: Configuration
Level: Warning
Keywords: Classic
User: N/A
Computer: server.domain.com
Description:
Unable to find the certificate with thumbprint ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3 in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.
Event Xml (values only): 2004, 3, 2, 0x80000000000000, 2397430, Application, server.domain.com, ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3

---------------------------------------------------------------------------------------------------

Googling has only produced one article, and it is about another issue that I would have found further down the line if I wasn't testing within the pre-reqs. The solution is the same, but the article is somewhat poorly written and does not respond to all the comments enough to leave one feeling it's 100% correct.

http://blogs.technet.com/b/jenstr/archive/2012/11/22/getting-internal-server-error-500-when-creating...

The broad strokes are clear:

The fix is to create a new "Microsoft Exchange Server Auth Certificate" by using the following sequence of cmdlets in EMS on the MBX server:

1. New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services smtp

Do not accept the offer to replace the SMTP certificate when prompted.

2. Note the thumbprint of the new certificate. Let us assume it is 7A39541F8DF58D4821967DD8F899B27410F7C081

3. $a=get-date

4. Set-AuthConfig -NewCertificateThumbprint 7A39541F8DF58D4821967DD8F899B27410F7C081 -NewCertificateEffectiveDate $a

Accept to continue despite the fact that the certificate effective date is not 48 hours into the future.

5. Set-AuthConfig -PublishCertificate

6. Make sure to remove any potential reference to the previous certificate (which might not exist anymore) by doing Set-AuthConfig -ClearPreviousCertificate.

Remember to run iisreset on both the CAS and MBX servers. Then, finally, you can try to re-issue the New-CsPartnerApplication cmdlet.

65 Million Dollar question:

Is the syntax in part 1 correct? Two people say to add the domain. Jens responds, but it's vague. What would the correct command look like? I do not know where to add -DomainName within the command, or which name I should add. The FQDN of the CAS?

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp

Thank you everyone
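The following is an added example, not part of the original post or of the linked blog article. It wraps the check the poster did by hand (does the thumbprint in Get-AuthConfig exist in the local store, with a private key, and is it still valid?) in a PowerShell function for the Exchange Management Shell, and puts the recovery sequence quoted above into a second function. The cmdlets and parameters are the real Exchange 2013 ones; the two function names are mine, and the subject name is kept exactly as in the quoted sequence (the example does not settle the -DomainName question).

```powershell
# Added example for the Exchange Management Shell on the Mailbox server.
# Not from the original post; function names are the author's own.

function Test-ExchangeAuthCertificate {
    # Returns $true when the certificate AuthConfig points at is present,
    # has a private key, and has not expired; otherwise explains why not.
    $cfg   = Get-AuthConfig
    $thumb = $cfg.CurrentCertificateThumbprint

    if ([string]::IsNullOrEmpty($thumb)) {
        Write-Warning "AuthConfig has no CurrentCertificateThumbprint set."
        return $false
    }

    # Get-ExchangeCertificate throws if the thumbprint is unknown; treat that as "missing",
    # which is the state behind the MSExchange OAuth 2004 / Certificate Deployment 2005 events.
    $cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "AuthConfig references $thumb but no such certificate is in the store."
        return $false
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $thumb exists but has no private key, so it cannot sign tokens."
        return $false
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $thumb expired on $($cert.NotAfter)."
        return $false
    }

    Write-Output "OK: $thumb ($($cert.Subject)) valid until $($cert.NotAfter)"
    return $true
}

function Repair-ExchangeAuthCertificate {
    # Recreates the auth certificate and re-points AuthConfig at it, following the
    # sequence quoted in the post. Answer "No" if asked to overwrite the default SMTP
    # certificate. Returns the thumbprint of the new certificate.
    $cert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName "cn=Microsoft Exchange Server Auth Certificate" `
        -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services smtp

    $thumb = $cert.Thumbprint

    # -Force suppresses the "effective date is not 48 hours in the future" confirmation.
    Set-AuthConfig -NewCertificateThumbprint $thumb -NewCertificateEffectiveDate (Get-Date) -Force
    Set-AuthConfig -PublishCertificate
    # Drop the reference to the old (possibly already deleted) certificate.
    Set-AuthConfig -ClearPreviousCertificate

    # The post notes iisreset is needed on both CAS and MBX roles.
    iisreset

    return $thumb
}

# Usage: check first; only run the repair if the check fails.
if (-not (Test-ExchangeAuthCertificate)) {
    Write-Output "Auth certificate unusable; run Repair-ExchangeAuthCertificate, then re-check."
}
```

Running Test-ExchangeAuthCertificate on a schedule (or after any certificate cleanup) gives an early warning before the 2004/2005 events appear, since both conditions it reports on (certificate absent, private key absent) are exactly what those events describe.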

