question

MarkBolten-9632 asked SharonZhao-MSFT commented

Skype for Business 2015 Assigning OAuth certificate

When I try to assign a new OAuth certificate I receive this error: Error: The specified directory service attribute or value does not exist.


    Error: The specified directory service attribute or value does not exist.
    Details
      Type: COMException
      Stack Trace:
        at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
        at System.DirectoryServices.DirectoryEntry.Bind()
        at System.DirectoryServices.DirectoryEntry.get_IsContainer()
        at System.DirectoryServices.DirectoryEntries.ChildEnumerator..ctor(DirectoryEntry container)
        at Microsoft.Incubation.Crypto.GroupKeys.ADRepository.EnumerateKeys()
        at Microsoft.Incubation.Crypto.GroupKeys.DKMBase.FindNewestKey()
        at Microsoft.Incubation.Crypto.GroupKeys.DKMBase.GetCurrentKeyAndUpdate(KeyPolicy& keyPolicy)
        at Microsoft.Incubation.Crypto.GroupKeys.DKMBase.Protect(MemoryStream plaintext)
        at Microsoft.Rtc.Management.Internal.KeyManagement.GroupKeyWrapper.Encode(Byte[] inBytes)
        at Microsoft.Rtc.Management.Deployment.Core.Certificate.SetCMSCertificate(IScopeAnchor scope, X509Certificate2 foundCert, X509Certificate2Collection certs, Nullable`1 effectiveTime, Boolean isRoll)
        at Microsoft.Rtc.Management.Deployment.Core.Certificate.SetCMSCertificate(IScopeAnchor scope, String thumbprint, Nullable`1 effectiveTime, Boolean isRoll)
        at Microsoft.Rtc.Management.Deployment.Tasks.SetCertificateTask.Action()
        at Microsoft.Rtc.Management.Internal.Utilities.LogWriter.InvokeAndLog(Action action)

    3/12/2021 2:12:23 PM   Error
    Error: An error occurred: "System.Runtime.InteropServices.COMException" "The specified directory service attribute or value does not exist.


I have no clue what the issue is here. Can someone help me out? We are running Skype for Business server 2015 CU11.

office-skype-business-server-deployment

SharonZhao-MSFT answered SharonZhao-MSFT commented

@MarkBolten-9632,

Do you mean that you are trying to renew the certificates in Skype for Business server 2015?

Did you check whether the information is correct on the Certificate Request page?

If the OAuthTokenIssuer certificate is assigned properly in other servers, you just need to restart the “Skype for Business Server Replica Replicator Agent” service on other servers.



Hello @SharonZhao-MSFT ,

Thanks for your reply.

No, the renewal was successful. But after that you assign the certificate, and that process fails. I compared the old and the new certificate and they are exactly the same (except the validity, of course).


@MarkBolten-9632,

Perhaps you could try to use the set-certificate command to assign the certificate.


@MarkBolten-9632
Do you have any update on this thread now?

Sebastian-1981 answered

Hi,

I have a similar error here: https://docs.microsoft.com/en-us/answers/questions/314771/assigning-skype-for-business-2015-outh-cert-fail.html

@MarkBolten-9632 - Did you manage to assign the Oauth cert?

I get the same (useless) suggestions in my thread as you do.

Sebastian-1981 answered SharonZhao-MSFT commented

This is how I solved it; this may help you as well. Just make sure you have a good backup in place, just in case.


  1. Removed the current Oauth Certificate that was about to expire via the GUI.

  2. Deleted all AD objects via ADSI Edit within the domain.local/Program Data/Microsoft/Distributed Keyman/
    This is where all Oauth certificates are stored (including present).

  3. Forced AD sync from DC via cmd: repadmin /syncall /AdeP

  4. At the Front-End server Skype shell:

    Enable-CsAdForest
    Enable-CsAdDomain

This will restore the corrupted AD objects.

  5. Went to the GUI to assign my new Oauth certificate (request a new one as well if you didn't do that before).

New certificate is in place. If you have several Front-Ends - reboot them.
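
Step 2 of the answer above deletes everything under the Distributed KeyMan container, so it helps to list and export that subtree first. The PowerShell below is an added example, not part of the original post or of Microsoft's tooling; it assumes a domain-joined host with ldifde available, read access to the container, the container path given in the answer, and a hypothetical backup file name.

```powershell
# Added example (not from the thread): read-only check and backup of the DKM
# container before anything in it is deleted. Assumes a domain-joined host.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
# Path taken from the answer: <domain>/Program Data/Microsoft/Distributed KeyMan
$dkmDn    = "CN=Distributed KeyMan,CN=Microsoft,CN=Program Data,$domainDn"
$backup   = Join-Path $env:TEMP 'dkm-backup.ldf'   # hypothetical file name

try {
    # Same kind of bind that fails in the stack trace (DirectoryEntry.Bind).
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dkmDn")) {
        throw "Container not found: $dkmDn"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$dkmDn"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.Filter      = '(objectClass=*)'
    $searcher.PageSize    = 500
    foreach ($p in 'distinguishedName', 'objectClass', 'whenChanged') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    # One row per object so stale or unreadable entries stand out.
    $objects = foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DN          = [string]$r.Properties['distinguishedname'][0]
            Class       = [string]@($r.Properties['objectclass'])[-1]
            WhenChanged = $r.Properties['whenchanged'][0]
        }
    }
}
catch {
    Write-Warning "Cannot read DKM container: $($_.Exception.Message)"
    return
}

$objects | Sort-Object WhenChanged | Format-Table -AutoSize -Wrap
"{0} object(s) under {1}" -f @($objects).Count, $dkmDn

# Export the subtree to LDIF as the backup the answer asks for. The file holds
# whatever key attributes this account can read, so store it as a secret.
ldifde -f $backup -d $dkmDn -p subtree
if ($LASTEXITCODE -ne 0) { Write-Warning "ldifde failed with code $LASTEXITCODE" }

# Record the current OAuth assignment (Skype for Business Management Shell only).
if (Get-Command Get-CsCertificate -ErrorAction SilentlyContinue) {
    Get-CsCertificate -Type OAuthTokenIssuer | Format-List
}
```

If the listing itself fails with the same "attribute or value does not exist" message, the fault is in the directory objects or their permissions rather than in the new certificate.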


@Sebastian-1981,

Thanks for kindly sharing.

@MarkBolten-9632,

Please try the solution of Sebastian-1981. If it works for you, please remember to accept this suggestion as the answer. It will benefit many people in the same situation. Thanks for your understanding.


@MarkBolten-9632
Do you have any update now?
