question

Sebastian-1981 asked AnthonyMazzeo-6314 edited

Assigning Skype for Business 2015 OAuth cert fails

I am trying to renew our S4B OAuth certificate, but it fails both in the GUI and in PowerShell.

The certificate issues without problem, but when it tries to assign it (Set-CsCertificate) it throws this error:

Command execution failed: Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).

Via PowerShell:

    Set-CsCertificate : Command execution failed: Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
    At line:1 char:1
    + Set-CsCertificate -Identity Global -Type OAuth -Thumbprint 77eb8f26eecc8c3149d04 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Set-CsCertificate], FormatException
        + FullyQualifiedErrorId : ProcessingFailed,Microsoft.Rtc.Management.Deployment.SetCertificateCmdlet

Via GUI:

(screenshot: oauthfail.jpg)


We have one Front End, one Mediation and one Edge server, and Exchange 2013 on-prem.

Skype for Business 2015 6.0.9319 (February 2021 CU)

Any ideas how to get it assigned?

Thanks!

office-skype-business-server-itpro-general
Sebastian-1981 answered

To whom it may concern, here is how I solved it:

  1. Removed the current OAuth certificate that was about to expire via the GUI.

  2. Deleted all AD objects via ADSI Edit within domain.local/Program Data/Microsoft/Distributed Keyman/
     This is where all OAuth certificates are stored (including the current one).

  3. Forced AD sync from the DC via cmd: repadmin /syncall /AdeP

  4. At the Front-End server Skype shell:

       Enable-CsAdForest
       Enable-CsAdDomain

     This will restore the corrupted AD objects.

  5. Went to the GUI to assign my new OAuth certificate (request a new one as well if you didn't do that before).

The new certificate is in place. If you have several Front Ends, reboot them.

JimmyYang-MSFT answered JimmyYang-MSFT edited

Hi @Sebastian-1981

In this case, we first recommend that you check whether you selected the correct CA on your Certificate Request page.

(screenshot: 14.png)

To restore the OAuth certificate, we simply need to restart the Lync/SfB Server Replica Replicator Agent. During start-up of the Replica Replicator Agent, it will add the OAuth certificate again to the Computer Certificate Store:


(screenshot: 15.png)




Hi @JimmyYang-MSFT !

Thanks for your attention to this case, but that is not my problem.

It is our internal CA and, as I said, the new certificate is being issued correctly and exists in the Certificate Store on the server, but I can't assign it.

Just before this task I successfully renewed the "Server Default" and "Web services internal" certificates through the GUI and they were assigned correctly.
The FE server was also rebooted prior to this task.

So the OAuth certificate is still present, but it's still the old one which is about to expire.

Hi @Sebastian-1981

Perhaps you could try to use the set-certificate command to assign the certificate.

Hi, I mentioned that I already tried the cmdlet via PowerShell in my first sentence.
AnthonyMazzeo-6314 answered AnthonyMazzeo-6314 edited

Just for added info: I had exactly the same issue and the solution above worked for me, except I wasn't comfortable just deleting the objects in ADSI Edit. Call me paranoid, but especially as I found that they were not easy to distinguish, deleting something I couldn't identify wasn't a risk I wanted to take.

Below is what sorted the issue, cobbled together from other bits of information from old Lync 2013 articles about possible AD sync issues:


1) Removed the current OAuth certificate that was about to expire via the GUI.

2) Forced AD sync from the DC via cmd: repadmin /syncall /AdeP

   At the Front-End server Skype shell:

     Enable-CsAdForest
     Enable-CsAdDomain

3) Went to the SfB GUI to assign my new OAuth certificate; requested a new one, which assigned correctly this time with no error.

4) The new certificate should then replicate from the CMS to all other Front Ends on the next replication run.

   To speed this up I ran Invoke-CsManagementStoreReplication, and then all certificates were allocated on the Front Ends.

5) You can also restart the Skype for Business Replica service on the Front Ends if needed.

I believe the root of the problem is uncommitted AD objects in SfB, hence the Enable-CsAdForest and Enable-CsAdDomain commands.

I was relieved to sort this, as there is not much info out there with this error, and with SfB no longer in use as much, the various blog articles on the web are starting to become very thin on the ground.
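Both procedures above end the same way: assign the freshly issued certificate, push the Central Management Store change out, and confirm the Front End is actually using the new one. The script below is an added example, not code from either poster or from Microsoft, that wraps that last part in checks so nothing in AD has to be touched blind. It assumes it is run in the Skype for Business Server Management Shell on a Front End with the necessary RTC admin rights, that the certificate has already been issued into the computer store, and that `$NewThumbprint` is replaced with the real thumbprint (the value shown is a placeholder). The thread's command used `-Type OAuth`; the value documented for Set-CsCertificate is `OAuthTokenIssuer`, which is what the script uses.

```powershell
# Added example: pre/post checks around reassigning the OAuth certificate on a
# Skype for Business 2015 Front End. Not from the thread or from Microsoft.
param(
    # Placeholder: replace with the thumbprint of the newly issued certificate.
    [string]$NewThumbprint = 'REPLACE-WITH-NEW-CERT-THUMBPRINT'
)

# Thumbprints copied from certlm.msc often carry spaces or an invisible leading
# character; strip anything that is not a hex digit and insist on 40 characters
# before passing it to any cmdlet.
$NewThumbprint = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($NewThumbprint.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters after cleanup, got $($NewThumbprint.Length)."
}

# 1. The issued certificate must be in the computer store, with its private key,
#    and inside its validity window. Set-CsCertificate cannot use it otherwise.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)                { throw "No certificate $NewThumbprint in LocalMachine\My." }
if (-not $cert.HasPrivateKey)  { throw "Certificate $NewThumbprint has no private key." }
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $NewThumbprint is not currently valid ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 2. Record the current OAuth assignment so the before/after state is logged.
$before = Get-CsCertificate | Where-Object { $_.Use -like '*OAuth*' }
if ($before) { "Current OAuth certificate: $($before.Thumbprint), expires $($before.NotAfter)" }
else         { "No OAuth certificate currently assigned." }

# 3. Assign at the Global scope. -Report keeps the cmdlet's own log for review.
Set-CsCertificate -Identity Global -Type OAuthTokenIssuer -Thumbprint $NewThumbprint `
    -Report "$env:TEMP\Set-CsCertificate-OAuth.html"

# 4. Push the change from the Central Management Store and wait (up to 5 min)
#    for every replica to report UpToDate, as the thread's step 4 describes.
Invoke-CsManagementStoreReplication
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $stale = Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate }
} while ($stale -and (Get-Date) -lt $deadline)
if ($stale) {
    Write-Warning "Replicas not yet up to date: $($stale.ReplicaFqdn -join ', ')"
}

# 5. Verify the assignment took on this Front End before calling it done.
$after = Get-CsCertificate | Where-Object { $_.Use -like '*OAuth*' }
if ($after.Thumbprint -ne $NewThumbprint) {
    throw "OAuth certificate is still $($after.Thumbprint); expected $NewThumbprint."
}
"OAuth certificate now $($after.Thumbprint), valid until $($after.NotAfter)."
```

Run it once per pool rather than per server: the assignment is Global and replication carries it to the other Front Ends, so on those only step 5 is worth repeating. If step 3 still fails with the GUID FormatException from the question, the cleanup and Enable-CsAdForest/Enable-CsAdDomain steps above are what the posters found necessary before the assignment would succeed.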
