Renewed my SfB on-prem OAuth cert and started getting these errors:
Log Name: Lync Server
Source: LS Storage Service
Event ID: 32050
Storage Service had an OAuth STS request failure.
#CTX#{ctx:{traceId:2107372237, activityId:"db71b116-b4ea-430f-958f-12662b997bd4"}}#CTX#
Recv RST response, failed, sts=https://accounts.accesscontrol.windows.net/092a1ba4-a4fe-4172-970e-7ab3035e7c94/tokens/OAuth/2, resource=00000002-0000-0ff1-ce00-000000000000/autodiscover-s.outlook.com@domain.com, ex=The remote server returned an error: (401) Unauthorized….
You will also notice that the Test-CsExStorageConnectivity command fails (Test-CsExStorageConnectivity -SipUri Test_User@domain.com).
Renew OAuth with new Cert
1. Export the new OAuth cert from MMC > Certificates on a Front End server, Base-64 encoded, without the private key.
2. Create a session with SfB Online and MSOL
$msolcred = Get-Credential admin@domain.com
$session = New-CsOnlineSession -Credential $msolcred -OverrideAdminDomain "domain.onmicrosoft.com"
Import-PSSession $session -AllowClobber
Connect-MsolService -Credential $msolcred
3. Import the cert and build the Base-64 value that will be assigned
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("C:\temp\Oauth_2017.cer")
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)
4. Get the current KeyIDs for the certs (enter 0 when prompted for ReturnKeyValues)
Get-MsolServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000 #Lync
Get-MsolServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000 #Exchange
Get-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000
Get-MsolServicePrincipalCredential -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
5. Use the KeyIDs from the previous step to remove the current certs (the KeyIds below are placeholders; substitute your own)
Remove-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -KeyIds @("00000000-0000-0000-0000-000000000000")
Remove-MsolServicePrincipalCredential -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -KeyIds @("00000000-0000-0000-0000-000000000001")
6. Assign the new cert
New-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue
New-MsolServicePrincipalCredential -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue
7. Make sure your Edge servers have replicated (OAuth uses federation through them)
Get-CsManagementStoreReplicationStatus | ft
Invoke-CsManagementStoreReplication
8. Verify
Get-MsolServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000
Get-MsolServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000
Get-MsolServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000 | select serviceprincipalnames -ExpandProperty serviceprincipalnames
Get-MsolServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000 | select serviceprincipalnames -ExpandProperty serviceprincipalnames
Test-CsExStorageConnectivity -SipUri lync_tester1@domain.com # SfB on-prem user
Test-CsExStorageConnectivity -SipUri lync_tester2@domain.com # SfB Online user
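Steps 4 to 6 above remove the old credential before the new one is registered, which leaves a window in which neither tenant service principal holds a valid verification key for the on-prem OAuth cert, and step 5 relies on copying KeyIds by hand. The script below is an added example, not part of the original post, that performs the same MSOnline operations in the safer order: add the new key, re-read the service principal to confirm it is visible, and only then remove the single credential whose thumbprint matches the cert being retired. It assumes the MSOL session from step 2 is already open, that -CerPath is the step-1 export (public key only), that -OldThumbprint (a parameter name chosen here) is the thumbprint of the previous OAuth cert, and that Get-MsolServicePrincipalCredential -ReturnKeyValues $true returns each asymmetric credential's Base-64 DER certificate in its Value property (the post only shows the call with key values suppressed).

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not the post's own script): rotate the SfB/Exchange OAuth key in the
# tenant add-first, remove-last. Run inside the MSOL session created in step 2.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$CerPath,        # Base-64 .cer export from step 1
    [Parameter(Mandatory)] [string]$OldThumbprint   # thumbprint of the cert being retired
)

# App IDs of the two service principals the post updates.
$appIds = [ordered]@{
    'Skype for Business Online' = '00000004-0000-0ff1-ce00-000000000000'
    'Exchange Online'           = '00000002-0000-0ff1-ce00-000000000000'
}

function Get-ThumbprintFromValue([string]$Base64) {
    # Assumption: Value holds the Base-64 DER cert; decode it so entries are matched by
    # thumbprint rather than by hand-copied KeyIds.
    try   { ([X509Certificate2]::new([Convert]::FromBase64String($Base64))).Thumbprint }
    catch { $null }
}

$newCert = [X509Certificate2]::new((Resolve-Path $CerPath).Path)
if ($newCert.HasPrivateKey)          { throw "'$CerPath' contains a private key; export the public cert only." }
if ($newCert.NotAfter -le (Get-Date)) { throw "'$CerPath' has already expired ($($newCert.NotAfter))." }

$newValue      = [Convert]::ToBase64String($newCert.GetRawCertData())
$newThumb      = $newCert.Thumbprint.ToUpperInvariant()
$OldThumbprint = $OldThumbprint.Replace(' ', '').ToUpperInvariant()
if ($OldThumbprint -eq $newThumb) { throw "Old and new thumbprints are identical; nothing to rotate." }

foreach ($name in $appIds.Keys) {
    $appId = $appIds[$name]
    Write-Host "== $name ($appId) =="

    # Index the existing asymmetric credentials by thumbprint.
    $creds = @(Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $true |
               Where-Object { $_.Type -eq 'Asymmetric' })
    $byThumb = @{}
    foreach ($c in $creds) {
        $t = Get-ThumbprintFromValue $c.Value
        if ($t) { $byThumb[$t] = $c }
    }

    # 1) Add the new key first. Idempotent: skip if this exact cert is already registered.
    if ($byThumb.ContainsKey($newThumb)) {
        Write-Host "  new cert $newThumb already registered (KeyId $($byThumb[$newThumb].KeyId))"
    } elseif ($PSCmdlet.ShouldProcess("$name ($appId)", "Add key $newThumb (valid until $($newCert.NotAfter))")) {
        New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Asymmetric -Usage Verify `
            -Value $newValue -StartDate $newCert.NotBefore -EndDate $newCert.NotAfter
        Write-Host "  added $newThumb"
    }

    # 2) Re-read the service principal and refuse to remove anything until the new key is visible.
    if (-not $WhatIfPreference) {
        $visible = @(Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $true |
                     Where-Object { (Get-ThumbprintFromValue $_.Value) -eq $newThumb })
        if ($visible.Count -eq 0) { throw "New key not visible on $name after add; aborting before any removal." }
    }

    # 3) Remove only the credential that matches the retiring thumbprint, using its real KeyId.
    if ($byThumb.ContainsKey($OldThumbprint)) {
        $old = $byThumb[$OldThumbprint]
        if ($PSCmdlet.ShouldProcess("$name ($appId)", "Remove old key $OldThumbprint (KeyId $($old.KeyId))")) {
            Remove-MsolServicePrincipalCredential -AppPrincipalId $appId -KeyIds @($old.KeyId)
            Write-Host "  removed $OldThumbprint (KeyId $($old.KeyId))"
        }
    } else {
        Write-Host "  no credential with thumbprint $OldThumbprint on $name; nothing removed"
    }
}
```

Save it under any name (say Renew-SfbOAuthCredential.ps1, a name chosen here) and run it once with -WhatIf to see exactly which KeyId would be added and removed on each service principal, then without -WhatIf. Because the old key is only removed after the new one has been read back, a failed add leaves the previous cert in place and the on-prem side keeps working until you retry. Steps 7 and 8 still apply afterwards, from the SfB Management Shell on the Front End.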
Cleared log event (OAuth successful)
Log Name: Lync Server
Source: LS Storage Service
Event ID: 32052
Task Category: (4006)
Description:
OAuth STS was properly configured for Storage Service.
#CTX#{ctx:{traceId:1596246623, activityId:"77278542-b703-4f56-9655-9f40fe99c04b"}}#CTX#
GetAppToken succeeded for request with sts=https://accounts.accesscontrol.windows.net/092a1ba4-a4fe-4172-970e-7ab3035e7c94/tokens/OAuth/2
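The two events quoted on this page (32050 for an STS request failure, 32052 once the STS is properly configured) are the quickest way to tell whether a Front End is actually getting app tokens, and they are worth checking before and after the renewal rather than waiting for users to report Exchange integration breaking. The function below is an added example, not from the original post, that reads those two event IDs from the "Lync Server" log over a recent window and reports whether the most recent one is a failure; the log name, source and IDs come from the events above, and the sts=/ex= field parsing assumes the message layout quoted there.

```powershell
# Added example (not the post's own code): summarise the Storage Service OAuth STS
# events on a Front End. Run in an elevated PowerShell on the FE (or with -ComputerName).
function Get-SfbOAuthStsStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )

    # Event IDs and source taken from the events quoted in the post.
    $filter = @{
        LogName      = 'Lync Server'
        ProviderName = 'LS Storage Service'
        Id           = @(32050, 32052)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
                Sort-Object TimeCreated -Descending)

    if ($events.Count -eq 0) {
        # No OAuth STS events at all in the window: neither proof of health nor of failure.
        return [pscustomobject]@{
            Computer = $ComputerName; State = 'NoEvents'; Latest = $null
            Failures = 0; Sts = $null; Error = $null
        }
    }

    $latest = $events[0]
    # Assumption: the message carries "sts=<url>," and, on failure, "ex=<text>" as shown above.
    $sts = if ($latest.Message -match 'sts=([^\s,]+)') { $Matches[1] } else { $null }
    $err = if ($latest.Id -eq 32050 -and $latest.Message -match 'ex=(.+)') { $Matches[1].Trim() } else { $null }

    [pscustomobject]@{
        Computer = $ComputerName
        State    = if ($latest.Id -eq 32050) { 'Failing' } else { 'Healthy' }
        Latest   = $latest.TimeCreated
        Failures = @($events | Where-Object Id -eq 32050).Count
        Sts      = $sts
        Error    = $err
    }
}

# Usage: Get-SfbOAuthStsStatus | Format-List
```

The State field follows the newest event only, so after a renewal you expect it to flip from Failing to Healthy once the next 32052 is written; Failures counts every 32050 in the window, which is useful for confirming the errors have stopped rather than just paused.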
Additional (verbose) references:
- http://www.ucprimer.com/tech-blog/provisioning-exchange-online-for-lync-hybrid-part-ii
- https://technet.microsoft.com/en-us/library/jj204990.aspx
I am trying to renew my OAuth cert and having issues since it looks like we need to now use the AzureAD module rather than the MSOL commands. When I try to do Connect-MsolService -credential $msolcred, I get an error: could not load the file or assembly. Would be great if someone can update the commands with the new AzureAD module. This article had someone chime in on similar items to use the AzureAD, but I can't seem to get it to fully work switching it out with a command towards the bottom:
New-MsolServicePrincipalCredential `
-AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 `
-Type Asymmetric -Usage Verify -Value $credentialsValue
Thanks and hoping someone can help with this since I need to update the OAuth cert.