OAuth Certifcate in Lync Server 2013


When requesting certificates in your Lync Server 2013 environment, you will notice that there is a new certificate type that needs to be requested, OAuthTokenIssuer.  What is OAuth and what do we use it for in Lync Server 2013?

OAuth (Open Authorization) is a protocol for server-to-server authentication and authorization.  With OAuth, user credentials and passwords are not passed from one computer to another.  Instead, authentication and authorization is based on the exchange of security tokens; these tokens grant access to a specific set of resources for a specific amount of time.  Lync Server 2013 supports three server-to-server authentication scenarios. With Lync Server 2013 you can:

  • Configure server-to-server authentication between an on-premise installation of Lync Server 2013 and an on-premises installation of Exchange 2013 and/or Microsoft SharePoint Server.
  • Configure server-to-server authentication between a pair of Office 365 components (for example, between Microsoft Exchange 365 and Microsoft Lync Server 365, or between Microsoft Lync Server 365 and Microsoft SharePoint 365.
  • Configure server-to-server authentication in a cross-premises environment (that is, server-to-server authentication between an on-premises server and an Office 365 component).

You can read more about OAuth and it’s uses in the Managing Server-to-Server Authentication (Oauth) and Partner Applications TechNet article.

As you complete the request for the OAuthTokenIssuer certificate and view the certificate, you’ll see that it looks something similar to:

One important thing to note about the OAuthTokenIssuer certificate, that is different from other certificates in Lync Server 2013, is that the OAuthTokenIssuer certificate is a global certificate:

So what does that mean?  It means that the same OAuthTokenIssuer certificate needs to be used by all of the Lync Server 2013 servers.  In order to assure this, when you assign this certificate, it is replicated via the CMS and is assigned to all of the Lync Server 2013 servers that require OAuth.  If you look in the directory where the Lync Server 2013 logs are stored (C:\Users\<username>\AppData\Local\Temp), you will see a log file similar to:

ReplicateCMSCertificates-[2012_07_31][11_49_20].html

If you open that log file it will look something similar to:

If you wait for replication to succeed and then look at another Lync Server 2013 server, you will see that the OAuthTokenIssuer certificate has been replicated and assigned to that server:

So what happens if I request an OAuthTokenIssuer certificate on multiple servers?  In that case whichever certificate is replicated to the CMS last will be used by all of the Lync Server 2013 servers.

 

So when requesting the OAuthTokenIssuer certificate in Lync Server 2013, remember to only request it once and sit back and let CMS replication take care of the rest!

Comments (33)

  1. Anonymous says:

    should the same Oauth cert be used while integrating with exchange server ?

  2. dodeitte says:

    @Anonymous

    The same OAuthTokenIssuer certificate would be used by Lync for integration with Exchange, SharePoint, etc., however it would be different that the certificate than what Exchange uses.

  3. dodeitte says:

    @cffit

    You should use a separate certificate. Yes, you will only see the SIP domain name(s) on the certificate.

  4. Anthony Caragol says:

    Still a great post, I just referenced it again to help someone out. Thanks!

  5. dodeitte says:

    @Ken Make sure that the certificate you want to use for OAuth contains the private key and that Windows has the certificate chain for that certificate.

  6. Anonymous says:

    Thanks for sharing

  7. dodeitte says:

    @Ken No, it’s not a requirement that the OAuth certificate to contain no SAN entries.

  8. dodeitte says:

    @shi

    You will need to generate a request for the OAuth certificate that has the private key marked as exportable.

  9. dodeitte says:

    @McGee

    Yes, the OAuth certificate should be signed by a valid CA. You can use Certificate Services provided by Windows or you can get a certificate from a public CA.

  10. Anonymous says:

    @Oludre

    While that might work, it’s not the best practice. You should use a separate certificate for the OAuth certificate.

  11. Anonymous says:

    @How to generate CSR

    You can use Step 3 in the Lync Server Deployment Wizard.

  12. Anonymous says:

    @Jakub

    The OAuth certificate isn’t renewed automatically. You will need to generate a new CSR, issue it, import it, and assign it in Step 3 of the Deployment Wizard.

  13. Anonymous says:

    @Keith

    You can use an internal CA if you have one available. The certificate only needs to be trusted by internal servers, so purchasing a certificate if you have an internal CA available would be unnecessary.

  14. Great, short and clear explanation 🙂 Thanks.

  15. Ken Braley says:

    You just made my life better. Thanks for the clarification.

  16. Anish Sebastian says:

    Thank you very much for sharing…

  17. Ramon says:

    Thank you so much for this awesome explanation!

  18. Ken says:

    I have a oAuth certificate . However, it is not available in the lync certificate store for me to assign the cert as an oAtuh cert..

  19. Ken says:

    @dodeitte : Thanks .Is it necessary that Oauth certs contain no SAN ?

  20. McGee says:

    @dodeitte: Thanks for the explanation, great job! :))

    I do have two questions:
    – Does the OAuth-Certificate has to be signed by a “valid” CA (like a Cert for https://)?
    – If it’s possible to self-sign the OAuth-Certificate – do I need to have the Windows-Certificate-Services installed on my Domain?

  21. shi says:

    error: the private ket is not marked portable and cannot be srored in CMS in lync.
    pliz help

  22. cffit says:

    Can you use the same cert that is used for the Default Certificate? If not, when I go through the wizard to create a new OAuth cert, it automatically just populates it with the entry “domain.com” instead of a full name. Is that what it is supposed to do?

  23. Rudi Zhuo says:

    about the OAuth Certificate. I got error like this.

    Command execution failed: Key object attributes are not valid.

    anyone can help me to figure it out ?

  24. How to generate CSR says:

    how to generate CSR for OAuth Certifcate?

  25. Oludre says:

    We run lnc server 2013 onpremise. We have multiple pools in our environment. We have used same Default certificates for OAuth certificates, what are the consequences of our action?

  26. Jakub says:

    Hi Doug,

    since OAuth token is typically signed by internal CA, is it renewed automatically ?
    Or should I generate new request, sign and and assign to proper interface manually ?

    Thanks !

  27. Jakub says:

    Thanks Dodeitte !

  28. Keith says:

    For the OAuth Cert, you should use an external CA like GoDaddy and the Default Cert, you can use an Internal CA?

  29. linus says:

    Thank you for the post was helpful

  30. nick says:

    I had before 2 front end servers running Lync 2010 and 2013 with exchange 2010.
    removed the 2010 lync front end server.
    my 0auth cert expired last week and I can not install the oauth cert get an error. is it because I have only 1 front end server, and or my exchange is 2010?

  31. Arti says:

    Thanks for sharing. I tested , but same certitificate is not updated by Pool2.
    for new pool, is a new certificate is needed?

  32. dodeitte says:

    @Arti

    The OAuth certificate is replicated via the CMS to all Front End Servers in the environment. Make sure that replication is working correctly.

  33. grahame says:

    Something which I can’t find clearly explained anywhere – what are the Subject Names of the certificates? Is this correct?:

    – Front End Servers require a default certificate with the FE Pool name as Subject Name
    – OAuth Certificate must have a subject name of the primary SIP domain

    Yes? Thanks