This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 25%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I am trying to renew our S4B Oauth Certificate, but it fails both in the GUI and in PowerShell.
The certificate issues without problem but when it tries to assign (set-cscertificate) it throws this error:
Command execution failed: Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
Via Powershell:
Set-CsCertificate : Command execution failed: Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx). At line:1 char:1 + Set-CsCertificate -Identity Global -Type OAuth -Thumbprint 77eb8f26eecc8c3149d04 ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ + CategoryInfo : InvalidOperation: (:) [Set-CsCertificate], FormatException + FullyQualifiedErrorId : ProcessingFailed,Microsoft.Rtc.Management.Deploy ment.SetCertificateCmdlet
Via GUI:
We have one Front-end, one Mediation and one Edge and Exchange 2013 On-Prem.
Skype for Business 2015 6.0.9319 (February 2021 CU)
Any ideas how to get it assigned?
Thanks!
For whom it may concern - here is how I solved it:
This will restore the corrupted AD objects.
New certificate is in place. If you have several Front-Ends - reboot them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 83%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Just for added info i had exact info and solution above worked for me, except i wasnt comfortable just deleting the objects in ADSI edit call me paranoid especially as i found that they were not easy to distinguish so deleting something i couldnt identify wasnt a risk i wanted to take
Below which sorted the issue, cobbled together from other bits of information from old Lync 2013 articles about possible AD sync issues
1) Removed the current Oauth Certificate that was about to expire via the GUI
2) Forced AD sync from DC via cmd: repadmin /syncall /AdeP
At the Front-End server Skype shell:
Enable-CsAdForest
Enable-CsAdDomain
3) Went to SFB GUI to assign my new Oauth certificate - requested a new one which assigned this time correctly with no error
4) New Certificate should then replicate from CMS to all other Front Ends on next replication run
To speed this up i ran an invoke-csmanagementstorereplication and then all certificate were allocated on the front end
5) You can also restart the Skype for Business replica service on Front Ends if needed
I believe the root of the problem is uncommitted AD objects in SFB hence the Enable ADForest and ADDomain commands
I was relived to sort this as there is not much info out there with this error and with SFB no longer in use as much, the various Blog articles on web are starting to become very thin on the ground
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 24%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hi @Sebastian
In this case, we firstly recommend you check if you select the correct CA in your Certificate Request page.
To restore the OAuth certificate, we simply need to restart the Lync/SfB Server Replica Replicator Agent. During start-up the Replica Replicator Agent, it will add the OAuth certificate again to the Computer Certificate Store:
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @JimmyYang-MSFT !
Thanks for your attention to this case, but that is not my problem.
It is our internal CA and as I say - the new certificate is being issued correctly and exists in the Certificate Store on the server, but I can't assign it.
Just before this task I succesfully renewed the "Server Default" and "Web services internal" through the GUI and it was assigned correctly.
The FE server was also rebooted prior to this task.
So the Oauth certificate is still present, but it's still the old one which is about to expire.
Hi @Sebastian
Perhaps, you could try to use set-certificate command to assign certificate.
Hi, I mention that I already tried cmdlet via PowerShell in my first sentence.
Sorry! I did not realize you have tried this cmdlet before.
Could you check if the CMS replication is working properly? You can run Get-CsManagementStoreReplicationStatus to check it?
In my experience, when you assign this certificate, it is replicated via the CMS and is assigned to all of the Lync Server 2013 servers that require OAuth.