Issue with OAuth Certificate & Installing Multiple Lync Server 2013 Servers at the Same Time

I’ve run into this issue a couple times when deploying Lync Server 2013 in my lab and at customer sites.  Topology Builder makes it very easy to deploy your Lync servers quickly, but in Lync Server 2013, there’s one gotcha you need to be aware of when initially deploying multiple Lync Server 2013 servers at once.  And it has to do with the OAuth certificate used in Lync Server 2013.  I’ve previously written about OAuth and its role in Lync Server 2013 here: OAuth Certifcate in Lync Server 2013.

The gotcha is that you need to have the OAuthTokenIssuer certificate assigned before you can complete Step 3 in the Deployment Wizard and proceed to starting services.  If this is the first set of Lync Server 2013 servers you’re deploying, the OAuthTokenIssuer certificate was replicated to the CMS when you assigned it to the first Lync Server 2013 server.  The problem arises if you have already completed Step 1 in the Deployment Wizard on the other Lync Server 2013 servers that require the OAuthTokenIssuer certificate.

Part of Step 1 in the Deployment Wizard is to connect to the CMS and grab a copy of the current topology.  This copy of the topology doesn’t yet have the OAuthTokenIssuer certificate in it.

When you get to Step 3 in the Deployment Wizard, you will see that the OAuthTokenIssuer certificate hasn’t replicated to this Lync server…and it won’t.  This server is looking a the local copy of the CMS that was imported during Step 1.  That means that in order for this server to know that there’s an OAuthTokenIssuer certificate in the CMS that it’s supposed to use, you need to get the updated topology replicated to this server.  There are two ways to accomplish this.  The first way is to use the Export-CsConfiguration and Import-CsConfiguration with the -LocalStore parameter.  The second way is to just let CMS replication happen.  You will need to make sure that at least one Front End Server is operational in the pool configured to host the CMS.  Then on the other Lync Server 2013 servers that need the OAuthTokenIssuer certificate replicated to it, make sure that the Lync Server Replica Replicator Agent service is started:

Once the Lync Server Replica Replicator Agent service is started, you will be waiting for replication to happen and the following events to appear in the Lync Server event log:

Once you see Event ID 3038, the CMS has replicated the OAuthTokenIssuer certificate to the server.  You can also check Get-CsManagementStoreReplicationStatus and make sure that the server is up-to-date:

UpToDate           : True
ReplicaFqdn        :
LastStatusReport   : 11/24/2012 8:15:36 PM
LastUpdateCreation : 11/24/2012 8:08:05 PM
ProductVersion     : 5.0.8308.0

If you refresh the Certificate Wizard or run Step 3 from the Deployment Wizard again, you will now see the OAuthTokenIssuer certificate assigned to the server:

You can now complete Step 3 and continue on with Step 4 in the Deployment Wizard.


While Topology Builder makes it very easy to deploy your entire Lync Server 2013 environment in one shot, you just need to be aware of how and when the OAuthTokenIssuer certificate is replicated to your Lync Server 2013 servers.

Comments (9)

  1. dodeitte says:


    5.0.8308.0 is the RTM version of Lync Server 2013.

  2. Thank you very much.  I was looking for this information.

  3. Cecilia says:

    Is the lync server 2013 v 5.0.8308.0 RTM or RC???

  4. Rerunning Step1 on additional FE's, once replication of CMS has completed, will also import configuration and allow for Step 3 to be completed.

  5. Good Point to pin out, although many of us does the same that you do but without thinking abou it.

    Thank you,

  6. JP says:

    Thanks a lot, was looking for this…

  7. Bxw says:

    This is great information. Besides setting Lync from the ground up, I would like to renew the oauth certificate in an existing Lync environment, due to the switchover from the former sha1 algorithm to sha2. Knowing that the other Frontend servers were
    already configured from step 1 to 3, when we assign the first front end server a new oauth certificate, will the other front end servers also automatically update to the new oauth certificate? Are there additional steps to the oauth cert renewal – ie. export
    the new oauth cert from the first front end server and import it to the other frontend servers, following by assigning the new cert from the deployment wizard?

  8. kjstech says:

    How does this affect Exchange 2013 integration with Lync? After renewing my OAuth certificate to a new one that is sha2, every 30 minutes my Exchange 2013 server throws event ID 2008 from MSExchange OAuth. It says "When retrieving metadata from the url‘, different certificate(s) have been found."

    However things seem to be working ok. In OWA I can sign into IM and get presence information from lync users.

Skip to main content