Lync 2013 to Exchange 2013 OAuth problem


I am having a problem getting OAuth to work from Exchange 2013 to Lync 2013.

I think the problem is that OAuth is configured for domainname.local, but when Exchange is trying to build a token for the user, the user domain is

I cannot figure this out.

Any ideas?



When I run:
Test-OAuthConnectivity -Service EWS -TargetUri https://exchserver2.domainname.local/ews/ -Mailbox "Jack"

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>Test-OAuthConnectivity -Service EWS -TargetUri https://exchserver2.domainname.local/ews/ -Mailbox "Jack" |fl

RunspaceId  : 5e1096a3-c27c-49c4-b7eb-3c81d95db91c
Task        : Checking EWS API Call Under Oauth
Detail      : The configuration was last successfully loaded at 01/01/0001 00:00:00 UTC. This was 1059257506 minutes
              The token cache is being cleared because "use cached token" was set to false.
              Exchange Outbound Oauth Log:
              Client request ID: 9cdbfe81-9240-4c3a-80d7-793a9dfa8c1b
              Information:[OAuthCredentials:Authenticate] entering
              Information:[OAuthCredentials:Authenticate] challenge from
              'https://exchserver2.domainname.local/ews/Exchange.asmx' received: Bearer
              Information:[OAuthCredentials:GetToken] client-id: '00000002-0000-0ff1-ce00-000000000000', realm: '',
              trusted_issuer: '00000004-0000-0ff1-ce00-000000000000@domainname.local'
              Information:[OAuthCredentials:GetToken] start building a token for the user domain ''
              Information:[OAuthTokenBuilder:GetAppToken] start building the apptoken
              Information:[OAuthTokenBuilder:GetAppToken] checking enabled auth servers
              Error:[OAuthTokenBuilder:GetAppToken] unable to continue building token; no locally configured issuer
              was in the trusted_issuer list, realm from challenge was also empty. trust_issuers was
              Error:The trusted issuers contained the following entries
              '00000004-0000-0ff1-ce00-000000000000@domainname.local'. None of them are configured locally.

              Exchange Response Details:
              HTTP response message:
              System.Net.WebException: The request was aborted: The request was canceled. --->
              Microsoft.Exchange.Security.OAuth.OAuthTokenRequestFailedException: The trusted issuers contained the
              following entries '00000004-0000-0ff1-ce00-000000000000@domainname.local'. None of them are
              configured locally.
                 at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppToken(String applicationId, String
              destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String
                 at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppWithUserToken(String applicationId,
              String destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String
              userDomain, ClaimProvider claimProvider)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.GetToken(WebRequest webRequest,
              HttpAuthenticationChallenge challengeObject)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.Authenticate(String challengeString, WebRequest
              webRequest, Boolean preAuthenticate)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.OAuthAuthenticationModule.Authenticate(String
              challenge, WebRequest request, ICredentials credentials)
                 at System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials
                 at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials
                 at System.Net.HttpWebRequest.CheckResubmitForAuth()
                 at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
                 at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
                 at System.Net.HttpWebRequest.ProcessResponse()
                 at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
                 --- End of inner exception stack trace ---
                 at System.Net.HttpWebRequest.GetResponse()
                 at Microsoft.Exchange.Monitoring.TestOAuthConnectivityHelper.SendExchangeOAuthRequest(ADUser user,
              String orgDomain, Uri targetUri, String& diagnosticMessage, Boolean appOnly, Boolean useCachedToken,
              Boolean reloadConfig)

ResultType  : Error
Identity    : Microsoft.Exchange.Security.OAuth.ValidationResultNodeId
IsValid     : True
ObjectState : New


It appears to work fine from Lync 2013 to Exchange 2013.

When I run Test-CsExStorageConnectivity -sipuri -Binding Nettcp -Verbose in Lync 2013 I get a successful outcome:

PS C:\Users\administrator.domainname> Test-CsExStorageConnectivity -sipuri ja -Binding Nettcp -Verbose
VERBOSE: Successfully opened a connection to storage service at localhost using
 binding: Nettcp.
VERBOSE: Create message.
VERBOSE: Execute Exchange Storage Command.
VERBOSE: Processing web storage response for ExCreateItem Success.,
result=Success, activityId=c2ae4446-bb4c-4a1e-a9e2-384f6b2bfcd2, reason=.
VERBOSE: Activity tracing:
2014/12/29 11:42:59.813 Autodiscover, send GetUserSettings request,, Autodiscover
Uri=, Web
2014/12/29 11:42:59.813 Autodiscover.EWSMA trace,
type=AutodiscoverRequestHttpHeaders, message=<Trace
Tag="AutodiscoverRequestHttpHeaders" Tid="9" Time="2014-12-29 11:42:59Z">
POST /autodiscover/autodiscover.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.00.0516.004


2014/12/29 11:42:59.826 Autodiscover.EWSMA trace, type=AutodiscoverRequest,
message=<Trace Tag="AutodiscoverRequest" Tid="9" Time="2014-12-29 11:42:59Z"
  <?xml version="1.0" encoding="utf-8"?>



2014/12/29 11:42:59.876 Autodiscover.EWSMA trace,
type=AutodiscoverResponseHttpHeaders, message=<Trace
Tag="AutodiscoverResponseHttpHeaders" Tid="9" Time="2014-12-29 11:42:59Z">
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Set-Cookie: ClientId=ADPZOZUUIDKUHDTEIYW; expires=Tue, 29-Dec-2015 11:42:59
GMT; path=/;
expires=Wed, 28-Jan-2015 11:42:59 GMT; path=/autodiscover; secure; HttpOnly
Server: Microsoft-IIS/8.5
request-id: 7a3bd9ca-a36f-4cec-9cb6-ae1198864b2d
X-CalculatedBETarget: exchserver2.domainname.local
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET,ARR/2.5
Date: Mon, 29 Dec 2014 11:42:59 GMT


2014/12/29 11:42:59.876 Autodiscover.EWSMA trace, type=AutodiscoverResponse,
message=<Trace Tag="AutodiscoverResponse" Tid="9" Time="2014-12-29 11:42:59Z"
  <s:Envelope xmlns:s=""
        <Response xmlns:i="">
          <ErrorMessage />
              <ErrorMessage>No error.</ErrorMessage>
              <RedirectTarget i:nil="true" />
              <UserSettingErrors />
                <UserSetting i:type="StringSetting">

                <UserSetting i:type="StringSetting">

                <UserSetting i:type="StringSetting">

2014/12/29 11:42:59.876 Autodiscover, received GetUserSettings response,
duration Ms=62, response=NoError
2014/12/29 11:42:59.881 Lookup user details,,,
sid=S-1-5-21-3691024758-535552880-811174816-1135, upn=jack@domainname.local,
VERBOSE: Items choice type: CreateItemResponseMessage.
VERBOSE: Response message, class: Success, code: NoError.
VERBOSE: Item: Microsoft.Rtc.Internal.Storage.Exchange.Ews.MessageType, Id:
change key: CQAAABYAAACSqIurRqgYSZwMhT/IBw89AACk3mHr, subject: , body: .
VERBOSE: Is command successful: True.
Test passed.
PS C:\Users\administrator.domainname>

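The error above says Exchange could not find, among its locally configured issuers, the issuer named in the Bearer challenge (00000004-0000-0ff1-ce00-000000000000@domainname.local). The thread never pins down the root cause (it went away after the upgrade), but the first thing to do with that message is to lay the two sides' OAuth trust settings next to each other. The script below is an added example written for this thread, not code from the original post or from Microsoft. The two well-known application identifiers and the realm are taken from the error output; server names are placeholders, and the property names read from the partner-application objects (ApplicationIdentifier, Realm, Enabled, AuthMetadataUrl, ApplicationTrustLevel) are assumptions based on the cmdlets' documented output, so check them against your own shell. Run the first function in the Exchange Management Shell, the second in the Lync Server Management Shell, and the third anywhere with both results (for example moved between servers with Export-Clixml / Import-Clixml).

```powershell
# Added example for this thread (not the original poster's code). Identifiers and realm come
# from the error output quoted above; partner-application property names are assumptions.
$LyncIssuerAppId = '00000004-0000-0ff1-ce00-000000000000'   # trusted_issuer named in the challenge (Lync)
$ExchangeAppId   = '00000002-0000-0ff1-ce00-000000000000'   # client-id named in the challenge (Exchange)
$ExpectedRealm   = 'domainname.local'

function Get-ExchangeOAuthTrustReport {
    # Exchange Management Shell. What Exchange has to answer a Bearer challenge with:
    # its realm and signing certificate, and whether the Lync issuer is a known partner app.
    $auth = Get-AuthConfig
    $cert = Get-ExchangeCertificate -Thumbprint $auth.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
    $lync = Get-PartnerApplication | Where-Object { $_.ApplicationIdentifier -eq $LyncIssuerAppId }

    [pscustomobject]@{
        Side                     = 'Exchange'
        Realm                    = $auth.Realm
        RealmMatchesExpected     = ($auth.Realm -eq $ExpectedRealm)
        ServiceName              = $auth.ServiceName                 # expected: $ExchangeAppId
        SigningCertThumbprint    = $auth.CurrentCertificateThumbprint
        SigningCertInstalled     = [bool]$cert
        SigningCertHasPrivateKey = $(if ($cert) { $cert.HasPrivateKey } else { $false })
        SigningCertExpires       = $(if ($cert) { $cert.NotAfter } else { $null })
        LyncPartnerAppFound      = [bool]$lync
        LyncPartnerAppEnabled    = $(if ($lync) { $lync.Enabled } else { $false })
        LyncPartnerAppRealm      = $(if ($lync) { $lync.Realm } else { $null })
        LyncAuthMetadataUrl      = $(if ($lync) { $lync.AuthMetadataUrl } else { $null })
    }
}

function Get-LyncOAuthTrustReport {
    # Lync Server Management Shell. The realm/service name Lync signs tokens for, the
    # OAuthTokenIssuer certificate, and whether Exchange is a registered partner application.
    $oauth = Get-CsOAuthConfiguration
    $cert  = Get-CsCertificate -Type OAuthTokenIssuer
    $exch  = Get-CsPartnerApplication | Where-Object { $_.ApplicationIdentifier -eq $ExchangeAppId }

    [pscustomobject]@{
        Side                      = 'Lync'
        Realm                     = $oauth.Realm
        RealmMatchesExpected      = ($oauth.Realm -eq $ExpectedRealm)
        ServiceName               = $oauth.ServiceName               # expected: $LyncIssuerAppId
        IssuerCertThumbprint      = $cert.Thumbprint
        IssuerCertSubject         = $cert.Subject
        IssuerCertExpires         = $cert.NotAfter
        ExchangePartnerAppFound   = [bool]$exch
        ExchangePartnerAppEnabled = $(if ($exch) { $exch.Enabled } else { $false })
        ExchangePartnerAppRealm   = $(if ($exch) { $exch.Realm } else { $null })
        ExchangePartnerTrustLevel = $(if ($exch) { $exch.ApplicationTrustLevel } else { $null })
    }
}

function Compare-OAuthTrustReports {
    # Takes the two report objects and lists the mismatches that would stop one side from
    # accepting the other's tokens. Thumbprint comparison is case-insensitive (-ne in PowerShell),
    # which matters because Get-AuthConfig prints the thumbprint in lower case.
    param([Parameter(Mandatory)]$Exchange, [Parameter(Mandatory)]$Lync)
    $findings = @()
    if ($Exchange.Realm -ne $Lync.Realm) {
        $findings += "Realm differs: Exchange '$($Exchange.Realm)' vs Lync '$($Lync.Realm)'"
    }
    if ($Exchange.SigningCertThumbprint -ne $Lync.IssuerCertThumbprint) {
        $findings += "Signing certificate differs: Exchange $($Exchange.SigningCertThumbprint) vs Lync $($Lync.IssuerCertThumbprint)"
    }
    if (-not $Exchange.SigningCertInstalled -or -not $Exchange.SigningCertHasPrivateKey) {
        $findings += 'Exchange AuthConfig certificate is missing or has no private key on this server'
    }
    if (-not $Exchange.LyncPartnerAppFound)   { $findings += "Exchange has no partner application for issuer $LyncIssuerAppId" }
    if (-not $Lync.ExchangePartnerAppFound)   { $findings += "Lync has no partner application for $ExchangeAppId" }
    if (-not $Exchange.LyncPartnerAppEnabled -and $Exchange.LyncPartnerAppFound) { $findings += 'Lync partner application on Exchange is disabled' }
    if ($findings.Count -eq 0) { $findings += 'No mismatch found in realm, signing certificate or partner applications' }
    $findings
}

# Usage, one side per shell:
#   Get-ExchangeOAuthTrustReport | Export-Clixml C:\temp\exchange-oauth.xml      (Exchange)
#   Get-LyncOAuthTrustReport     | Export-Clixml C:\temp\lync-oauth.xml          (Lync)
#   Compare-OAuthTrustReports -Exchange (Import-Clixml C:\temp\exchange-oauth.xml) -Lync (Import-Clixml C:\temp\lync-oauth.xml)
```

The two findings about missing partner applications map to the two registration steps Microsoft's Lync/Exchange integration guidance describes: on Exchange, Configure-EnterprisePartnerApplication.ps1 from the Scripts directory registers Lync using its metadata URL, and on Lync, New-CsPartnerApplication registers Exchange using the Autodiscover metadata URL. Whether those steps were ever run is exactly what the thread does not show, so the report is a way to confirm it rather than assume it.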

jackbenson (Author) commented (accepted solution):
When I migrated to Skype for Business 2015 this fixed itself.

I would start with checking if both certificates are trusted on the other server.
jackbenson (Author) commented:
So, to ask a stupid question: how can I do that? I have been searching online for ages and could not find how to check that.

jackbenson (Author) commented:

I really would appreciate it if you could give me some more details as to how to check this.

I have wasted so many days trying to figure this out.


To check the certs, just use IE from each server.
So from the Lync server browse to all the URLs needed, i.e. Autodiscover and EWS.

Then from the Exchange server browse back to the Lync server. Just use the CSCP URL, as that cert should have all the names in for Lync.

If you get a red cross from IE then it's not trusted; then go to more details in IE and it should say why it's not trusted.
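The same check without clicking through IE on each box, as an added example written for this thread (not the commenter's code): it opens a TLS connection to a host name, reports the certificate presented, whether that certificate's names cover the host name you used, and whether the local machine can build a trusted chain for it, with the chain status codes that IE's "more details" would show (UntrustedRoot, PartialChain, NotTimeValid and so on). The host names at the bottom are placeholders in the style of the thread; the SAN parsing assumes the Windows "DNS Name=" formatting of the extension. Run it from the Lync front end against the Exchange names and from the Exchange server against the Lync name.

```powershell
# Added example for this thread (not the commenter's code). Host names at the bottom are
# placeholders in the style of the thread; replace them with the names each URL actually uses.

function Test-HostNameMatch {
    # Does a certificate name ($Pattern, possibly '*.example.local') cover $HostName?
    param([string]$Pattern, [string]$HostName)
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                      # '.example.local'
        return ($HostName.Split('.').Count -eq $Pattern.Split('.').Count) -and
               $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)
    }
    return ($Pattern -eq $HostName)                          # -eq is case-insensitive in PowerShell
}

function Test-ServerCertificateTrust {
    # Connects with TLS, then reports the presented certificate, whether its names cover the
    # host you asked for, and whether this machine can build a trusted chain for it.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept anything during the handshake so it completes; trust is judged below with
        # X509Chain, which says *why* a chain fails (UntrustedRoot, NotTimeValid, ...).
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)                 # sends $HostName as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        # DNS names: subject CN plus the SAN extension (OID 2.5.29.17, "DNS Name=..." on Windows)
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
        }
        $names = @($names | Where-Object { $_ } | Select-Object -Unique)

        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DnsNames     = $names
            NameMatches  = [bool]($names | Where-Object { Test-HostNameMatch -Pattern $_ -HostName $HostName })
            ChainTrusted = $chainOk
            ChainStatus  = $status          # empty when trusted; otherwise the reasons IE would show
            Error        = $null
        }
    } catch {
        [pscustomobject]@{ HostName = $HostName; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
}

# From the Lync front end test the names used for Autodiscover and EWS; from the Exchange
# server test the Lync front end / Control Panel name. Placeholders, as in the thread.
'autodiscover.domainname.local', 'exchserver2.domainname.local', 'lyncserver.domainname.local' |
    ForEach-Object { Test-ServerCertificateTrust -HostName $_ } | Format-List
```

A "red cross" in IE corresponds to either ChainTrusted being false (look at ChainStatus for the reason, typically an issuing CA that is not in the local trusted store) or NameMatches being false (the name in the URL is not in the certificate). Note that this only exercises the web-server certificates; the OAuthTokenIssuer certificate that the thread goes on to discuss is never presented in a TLS handshake, so its chain has to be checked separately, for example by running the same X509Chain code over the exported certificate.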
jackbenson (Author) commented:
Yes, these are all fine. I thought you were referring to the trusted issuers that are mentioned in this part of the error message:

 Error:[OAuthTokenBuilder:GetAppToken] unable to continue building token; no locally configured issuer
 was in the trusted_issuer list, realm from challenge was also empty. trust_issuers was
 Error:The trusted issuers contained the following entries
 '00000004-0000-0ff1-ce00-000000000000@domainname.local'. None of them are configured locally.


All certificates are issued by my local CA.

I use APP with the public certificates as my reverse proxy for people connecting from outside the network.

In Lync, the OAuthTokenIssuer certificate created through the Lync deployment wizard is issued to domainname.local (my primary SIP domain) and the Subject Alternative Names include

I then exported this certificate to the Exchange server and used Set-AuthConfig to use this certificate for OAuth.

From what I read, this was what I was supposed to do.

Is this correct?

I have tried so many things I don't know what to do next.

Should the OAuth certificate in Exchange be the one exported from Lync?

In Lync, should the OAuthTokenIssuer certificate include the server name, i.e. lyncserver.domainname.local, or just be domainname.local like it is at the moment?


Can you just confirm you have done these steps?

I will be back in the office Monday, so I can double check my environment there, where this is all set up and working.
jackbenson (Author) commented:
Thanks for your reply.

I have only 1 Lync FE server.

Thanks for your help.

PS C:\Users\administrator.domainname> Get-CsCertificate -Type OAuthTokenIssuer

Issuer             : CN=domainname-CA, DC=domainname, DC=local
NotAfter           : 31/12/2016 10:02:22
NotBefore          : 01/01/2015 10:02:22
SerialNumber       : 3E0000010BBA52FBA562209ACA00000000010B
Subject            : CN=domainname.local, OU=London, O=Guide Clothing
                     Limited, L=London, S=London, C=GB
AlternativeNames   : {, domainname.local}
Thumbprint         : 8248116CC834129B43E6CDF160BA0E9AF69E55A3
EffectiveDate      : 01/01/2015 10:12:38
PreviousThumbprint :
UpdateTime         :
Use                : OAuthTokenIssuer
SourceScope        : Global


Just looked through: the OAuth cert is not installed anywhere but the Lync front ends, and the attributes match your cert.
Just to check, is it 2048-bit?
jackbenson (Author) commented:
Thanks, it's definitely 2048-bit.

On Exchange, did you use your local CA to make the certificate for OAuth?

What is the Subject name of the certificate used: ExchServerName.DomainName.Local, or just DomainName.Local?



This is the result when I run Get-AuthConfig on the Exchange server. Does it match yours?

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>get-AuthConfig
Creating a new session for implicit remoting of "Get-AuthConfig" command...

RunspaceId                    : 5438c877-b51b-48b1-b600-acacd955e95f
CurrentCertificateThumbprint  : 8248116cc834129b43e6cdf160ba0e9af69e55a3
PreviousCertificateThumbprint :
NextCertificateThumbprint     :
NextCertificateEffectiveDate  :
ServiceName                   : 00000002-0000-0ff1-ce00-000000000000
Realm                         : domainname.local
Name                          : Auth Configuration
AdminDisplayName              :
ExchangeVersion               : 0.20 (
DistinguishedName             : CN=Auth Configuration,CN=domainname,CN=Microsoft
Identity                      : Auth Configuration
Guid                          : b3e3768e-e0e0-40c3-91da-e3dda5886fb8
ObjectCategory                : domainname.local/Configuration/Schema/ms-Exch-Auth-Auth-Config
ObjectClass                   : {top, container, msExchContainer, msExchAuthAuthConfig}
WhenChanged                   : 01/01/2015 20:31:14
WhenCreated                   : 02/03/2014 13:44:51
WhenChangedUTC                : 01/01/2015 20:31:14
WhenCreatedUTC                : 02/03/2014 13:44:51
OrganizationId                :
Id                            : Auth Configuration
OriginatingServer             : DomServer2.domainname.local
IsValid                       : True
ObjectState                   : Unchanged


Sorry, I missed the reply.
Mine is issued from the local CA.

I can't do that command, as that is Exchange 2016 only.

Glad the Skype4B upgrade has fixed it.
jackbenson (Author) commented:
The problem resolved itself after an upgrade from Lync Server 2013 to Skype for Business Server 2015.
Question has a verified solution.