Wednesday 27 June 2018

Test-OAuthConnectivity Error: Missing signing certificate.


Recently I came across an issue where free/busy had stopped working from Exchange on-premises to Exchange Online in an Exchange 2013 Hybrid environment. On-premises users could not see calendar free/busy information for users in Exchange Online, while Exchange Online users could still see free/busy information for on-premises users without any problem.

First of all, it is worth reading this article, as free/busy issues can be a dark art to understand and resolve. In this instance, however, there was very little information on this particular error, so we had to work through it ourselves to find the resolution.

When running Test-OAuthConnectivity the following error presented itself:

Information:[OAuthCredentials:GetToken] start building a token for the user domain 'on-premisesdomain.com'
Error:Missing signing certificate.

Exchange Response Details:
HTTP response message:
Exception:
System.Net.WebException: The request was aborted: The request was canceled. --->
Microsoft.Exchange.Security.OAuth.OAuthTokenRequestFailedException: Missing signing certificate.

Exchange uses an auth certificate (the one referenced by the AuthConfig) which is created by default when you install Exchange and is used to sign OAuth tokens. The default expiry of this certificate is 5 years from the installation date.

You can view the certificate in question by running this command:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint |FL
What had happened in this instance is that the certificate had expired 3 months into the Exchange Hybrid deployment. To resolve the issue we first needed to generate a new certificate, and then set it as the new auth certificate, which is done with the following command:

Set-AuthConfig -NewCertificateThumbprint "Thumbprint of the new cert" -NewCertificateEffectiveDate XX/XX/XXXX

Then run Set-AuthConfig -PublishCertificate to apply the change.

This command pushes the certificate out to all CAS role servers, so you don't have to distribute the certificate yourself.

Finally, re-run the Hybrid Configuration Wizard. Once it completes, on-premises users will be able to see the free/busy information for Exchange Online users once more.
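The following is an added example, not code from the original post, which turns the procedure above into something you can run from the Exchange Management Shell before the problem bites: it reports the state of the certificate that Get-AuthConfig points at, checks that every Client Access / Mailbox server actually holds it (which is what Set-AuthConfig -PublishCertificate is supposed to guarantee), and rotates it with the same cmdlets the post uses when it has expired. The function names, the '*.contoso.example' domain placeholder and the 30-day warning window are assumptions; replace them for your environment. Set-AuthConfig -ClearPreviousCertificate is an extra tidy-up step the post does not mention.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on an on-premises Exchange server as an organisation administrator.

# Report whether the current AuthConfig certificate is missing, expired, close
# to expiry, or valid. $WarnDays is an assumed alerting threshold.
function Get-AuthCertificateStatus {
    param([int]$WarnDays = 30)

    $authConfig = Get-AuthConfig
    $thumb = $authConfig.CurrentCertificateThumbprint
    $cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue

    if (-not $cert) {
        # Test-OAuthConnectivity reports "Missing signing certificate" in this state too.
        return [pscustomobject]@{ Thumbprint = $thumb; State = 'Missing'; NotAfter = $null; DaysLeft = $null }
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'Expired' }
             elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
             else { 'Valid' }

    [pscustomobject]@{
        Thumbprint = $thumb
        State      = $state
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
    }
}

# Confirm that every Client Access / Mailbox server holds the given certificate;
# a server where HasAuthCert is $false will fail OAuth token signing.
function Test-AuthCertificateDistribution {
    param([Parameter(Mandatory)][string]$Thumbprint)

    Get-ExchangeServer |
        Where-Object { $_.ServerRole -match 'ClientAccess|Mailbox' } |
        ForEach-Object {
            $present = Get-ExchangeCertificate -Server $_.Name -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
            [pscustomobject]@{ Server = $_.Name; HasAuthCert = [bool]$present }
        }
}

# Create a new self-signed auth certificate and make it the active one, as the
# post describes. -DomainName is an assumed placeholder; use your own domain.
function Update-AuthCertificate {
    param([string]$DomainName = '*.contoso.example')

    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate' `
        -DomainName $DomainName

    # Make it the auth certificate, effective immediately, then push it to all servers.
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    # Drop the old (expired) certificate from the AuthConfig once the new one is published.
    Set-AuthConfig -ClearPreviousCertificate

    return $new.Thumbprint
}

# Usage: audit first, rotate only when the certificate is gone or expired.
$status = Get-AuthCertificateStatus -WarnDays 30
$status | Format-List

if ($status.State -in @('Expired', 'Missing')) {
    $newThumb = Update-AuthCertificate
    Test-AuthCertificateDistribution -Thumbprint $newThumb | Format-Table -AutoSize
    Write-Host 'Now re-run the Hybrid Configuration Wizard and verify with Test-OAuthConnectivity.'
}
elseif ($status.State -eq 'ExpiringSoon') {
    Write-Warning "Auth certificate $($status.Thumbprint) expires in $($status.DaysLeft) days; plan the rotation."
}
```

Scheduling Get-AuthCertificateStatus as a recurring check is the cheap way to avoid rediscovering this error the way the post did: the certificate is created silently at install time, so nothing else tells you it is about to expire.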

Take care,
 @OliverMoazzezi
