Issue with OAuth Certificate & Installing Multiple Lync Server 2013 Servers at the Same Time

I've run into this issue a couple of times when deploying Lync Server 2013 in my lab and at customer sites.  Topology Builder makes it very easy to deploy your Lync servers quickly, but in Lync Server 2013 there's one gotcha you need to be aware of when initially deploying multiple Lync Server 2013 servers at once, and it has to do with the OAuth certificate used in Lync Server 2013.  I've previously written about OAuth and its role in Lync Server 2013 here: OAuth Certificate in Lync Server 2013.

The gotcha is that you need to have the OAuthTokenIssuer certificate assigned before you can complete Step 3 in the Deployment Wizard and proceed to starting services.  If this is the first set of Lync Server 2013 servers you're deploying, the OAuthTokenIssuer certificate was replicated to the CMS when you assigned it to the first Lync Server 2013 server.  The problem arises if you have already completed Step 1 in the Deployment Wizard on the other Lync Server 2013 servers that require the OAuthTokenIssuer certificate.

Part of Step 1 in the Deployment Wizard is to connect to the CMS and grab a copy of the current topology.  This copy of the topology doesn't yet have the OAuthTokenIssuer certificate in it.

When you get to Step 3 in the Deployment Wizard, you will see that the OAuthTokenIssuer certificate hasn't replicated to this Lync server...and it won't.  This server is looking at the local copy of the CMS that was imported during Step 1.  That means that in order for this server to know that there's an OAuthTokenIssuer certificate in the CMS that it's supposed to use, you need to get the updated topology replicated to this server.  There are two ways to accomplish this.  The first way is to run Export-CsConfiguration on a working Front End Server and then run Import-CsConfiguration with the -LocalStore parameter on the server that's stuck.  Keep in mind that the export file is a complete copy of the CMS, which is where the OAuthTokenIssuer certificate lives, so treat it as sensitive and delete it once the import is done.  The second way is to just let CMS replication happen.  You will need to make sure that at least one Front End Server is operational in the pool configured to host the CMS.  Then, on each of the other Lync Server 2013 servers that still need the OAuthTokenIssuer certificate, make sure that the Lync Server Replica Replicator Agent service is started.

Once the Lync Server Replica Replicator Agent service is started, you will be waiting for replication to happen and for the corresponding replication events to appear in the Lync Server event log.

Once you see Event ID 3038, the OAuthTokenIssuer certificate has been replicated from the CMS to the server.  You can also check Get-CsManagementStoreReplicationStatus and make sure that the server is up-to-date:

UpToDate           : True
ReplicaFqdn        : LAB-LS15-DIR1.lab.deitterick.com
LastStatusReport   : 11/24/2012 8:15:36 PM
LastUpdateCreation : 11/24/2012 8:08:05 PM
ProductVersion     : 5.0.8308.0

If you refresh the Certificate Wizard or run Step 3 from the Deployment Wizard again, you will now see the OAuthTokenIssuer certificate assigned to the server.

You can now complete Step 3 and continue on with Step 4 in the Deployment Wizard.
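The steps above, scripted in the Lync Server Management Shell as an added example (this is not code from the original post).  It covers both ways of getting the updated topology onto the stuck server and then verifies that the local store actually holds the OAuthTokenIssuer certificate before you go back to Step 3.  The export file path and the $UseLocalStoreImport switch are assumptions for the example; the cmdlets, the service display name, the Lync Server event log name and Event ID 3038 are the ones the post describes.

```powershell
# Added example, not from the original post.  Run in the Lync Server Management Shell
# on the server whose Deployment Wizard Step 3 is waiting for the OAuthTokenIssuer cert.
# $UseLocalStoreImport = $true  -> method 1 (Export-CsConfiguration / Import-CsConfiguration -LocalStore)
# $UseLocalStoreImport = $false -> method 2 (start the Replica Replicator Agent and wait for CMS replication)
$UseLocalStoreImport = $false
$LocalFqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

if ($UseLocalStoreImport) {
    # Method 1.  The zip must first be produced on an operational Front End with
    #   Export-CsConfiguration -FileName C:\Temp\cms-export.zip
    # and copied here.  Path is an assumption for this example.
    $export = 'C:\Temp\cms-export.zip'
    if (-not (Test-Path $export)) { throw "CMS export file $export not found" }

    # Overwrite only the local replica of the CMS, not the central store itself.
    Import-CsConfiguration -FileName $export -LocalStore

    # The export is a full CMS copy (it carries the OAuthTokenIssuer certificate), so
    # do not leave it lying around on disk or on a share.
    Remove-Item $export -Force
}
else {
    # Method 2.  Make sure the replica agent is running on this box...
    Get-Service -DisplayName 'Lync Server Replica Replicator Agent' | Start-Service

    # ...ask the Master Replicator (on the CMS Front End, which must be up) to push
    # the current topology to this replica instead of just waiting for the next cycle.
    Invoke-CsManagementStoreReplication -ReplicaFqdn $LocalFqdn

    # Poll until Get-CsManagementStoreReplicationStatus reports UpToDate for this server.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 30
        $status = Get-CsManagementStoreReplicationStatus -ReplicaFqdn $LocalFqdn
    } until ($status.UpToDate -or (Get-Date) -gt $deadline)

    if (-not $status.UpToDate) {
        throw "Replica $LocalFqdn is still out of date; check the Replica Replicator Agent here and the Front End hosting the CMS."
    }
    $status | Format-List UpToDate, ReplicaFqdn, LastStatusReport, LastUpdateCreation, ProductVersion

    # Show the most recent Event ID 3038 from the Lync Server log, the event the post
    # points at as proof that the replica has the new CMS contents.
    Get-WinEvent -FilterHashtable @{ LogName = 'Lync Server'; Id = 3038 } -MaxEvents 1 -ErrorAction SilentlyContinue |
        Format-List TimeCreated, Message
}

# Whichever method was used, Step 3 will only succeed once the local store knows about
# the OAuthTokenIssuer certificate, so check for it explicitly before rerunning the wizard.
$oauth = Get-CsCertificate -Type OAuthTokenIssuer -ErrorAction SilentlyContinue
if (-not $oauth) {
    throw 'OAuthTokenIssuer certificate is still missing from the local store; replication has not delivered the updated topology yet.'
}
$oauth | Format-List Use, Thumbprint, Subject, NotAfter
```

The final Get-CsCertificate check is the useful part: it tells you whether the topology copy this server is working from contains the certificate, which is exactly what the Deployment Wizard is looking for in Step 3.  If it comes back empty after the replication status says UpToDate, the CMS itself does not yet have the certificate, so go back and assign it on the first Front End Server.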


While Topology Builder makes it very easy to deploy your entire Lync Server 2013 environment in one shot, you just need to be aware of how and when the OAuthTokenIssuer certificate is replicated to your Lync Server 2013 servers.

Comments

  • Anonymous
    January 01, 2003
    @Cecilia 5.0.8308.0 is the RTM version of Lync Server 2013.

  • Anonymous
    January 01, 2003
    Thank you very much.  I was looking for this information.

  • Anonymous
    January 01, 2003
    Thanks..

  • Anonymous
    November 26, 2012
    Is the Lync Server 2013 v 5.0.8308.0 RTM or RC???

  • Anonymous
    June 24, 2013
    Good point to point out, although many of us do the same that you do but without thinking about it. Thank you,

  • Anonymous
    May 11, 2014
    Thanks a lot, was looking for this...

  • Anonymous
    December 15, 2014
    This is great information. Besides setting Lync from the ground up, I would like to renew the oauth certificate in an existing Lync environment, due to the switchover from the former sha1 algorithm to sha2. Knowing that the other Frontend servers were already configured from step 1 to 3, when we assign the first front end server a new oauth certificate, will the other front end servers also automatically update to the new oauth certificate? Are there additional steps to the oauth cert renewal - ie. export the new oauth cert from the first front end server and import it to the other frontend servers, following by assigning the new cert from the deployment wizard?
