Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Dealing with a Missing Microsoft Exchange Server Auth Certificate that Causes “Federation or Auth certificate not found” Warnings


As part of Exchange Server 2013, a self-signed certificate called Microsoft Exchange Server Auth Certificate is created on the server. You can find this certificate in the local computer certificate store. It is used for server-to-server (OAuth) authentication, which is required to integrate Microsoft Exchange, Lync and SharePoint. Needless to say, this is an important certificate. If for some reason this certificate is missing on your Exchange Server 2013, you should see the following warning in the Event Viewer (Application log) on that server.

Federation or Auth certificate not found: <Certificates_thumbprint>. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig.  The certificate may take time to propagate to the local or neighboring sites.

SOLUTION

To fix the problem of the missing certificate, use the following procedure. First you create a new Exchange certificate, then use the Set-AuthConfig cmdlet to tell Exchange about the new certificate, and finally publish it.

  1. Start Microsoft Exchange Management Shell on your Exchange Server 2013.
  2. Create a new Exchange certificate using the following command. Replace *.yourdomain.com with your own domain name, e.g. *.example.com.
    WARNING! Do not remove the quotes around the domain name and do not overwrite the default SMTP certificate.
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -DomainName "*.yourdomain.com" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services SMTP
  3. When prompted to overwrite the existing default SMTP certificate answer No.
  4. Copy the thumbprint of the newly created certificate. You will need that shortly.
  5. Type the following command and press ENTER. You will not see any output.
    $a=get-date
  6. Enter the following command. Replace the words your_certificate's_thumbprint_goes_here with the certificate thumbprint that you copied in Step 4 above.
    Set-AuthConfig -NewCertificateThumbprint your_certificate's_thumbprint_goes_here -NewCertificateEffectiveDate $a
  7. You will see a prompt that the new certificate effective date is not at least “48” hours in the future and may not be deployed on all necessary servers. Ignore this prompt and type Yes to continue. Because Yes is the default answer, you can also press ENTER to continue which means you are accepting the default answer.
  8. Publish the new certificate using the following command:
    Set-AuthConfig -PublishCertificate
  9. In case you have a previous certificate, you may want to run the following command to clear the previous certificate.
    Set-AuthConfig -ClearPreviousCertificate
  10. The last thing you need to do is run IISRESET command. Exchange Server 2013 has two roles: Client Access Server and Mailbox. Run IISRESET on all your CAS and mailbox servers.
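The ten steps above, collected into one script as an added example (this is not the original post's code). It first checks whether the certificate that Get-AuthConfig points at actually exists in the local store and is unexpired, and only then recreates and publishes a replacement. Assumptions: it runs in the Exchange Management Shell as an administrator, $DomainName is your wildcard domain, and Set-AuthConfig accepts the standard -Confirm:$false switch to suppress the 48-hour prompt from step 7; the overwrite-SMTP prompt from step 3 is left interactive so you can answer No.

```powershell
# Added example: detect a missing/expired Exchange auth certificate and rebuild it.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainName   # e.g. "*.example.com" (keep the wildcard)
)

$currentThumb = (Get-AuthConfig).CurrentCertificateThumbprint

# Check: does the certificate Exchange expects exist locally and is it still valid?
$existing = $null
if ($currentThumb) {
    $existing = Get-ExchangeCertificate -Thumbprint $currentThumb -ErrorAction SilentlyContinue
}
if ($existing -and $existing.NotAfter -gt (Get-Date)) {
    Write-Host "Auth certificate $currentThumb is present and valid until $($existing.NotAfter). Nothing to do."
    return
}
Write-Warning "Auth certificate '$currentThumb' not found locally or expired; creating a replacement."

# Step 2: create the certificate. Answer No if asked to overwrite the default SMTP certificate.
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "cn= Microsoft Exchange Server Auth Certificate" `
    -DomainName $DomainName `
    -FriendlyName "Microsoft Exchange Server Auth Certificate" `
    -Services SMTP

# Steps 5-7: register the new thumbprint, effective immediately.
# Assumption: -Confirm:$false suppresses the "not 48 hours in the future" prompt.
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint `
    -NewCertificateEffectiveDate (Get-Date) -Confirm:$false

# Step 8: publish it to the other servers in the organization.
Set-AuthConfig -PublishCertificate

# Step 9: drop the previous certificate reference, if one is recorded.
if ((Get-AuthConfig).PreviousCertificateThumbprint) {
    Set-AuthConfig -ClearPreviousCertificate
}

# Verify that the auth config now points at the new certificate (step 10 is still manual).
$after = (Get-AuthConfig).CurrentCertificateThumbprint
if ($after -eq $newCert.Thumbprint) {
    Write-Host "Auth config now uses $after. Run IISRESET on every CAS and Mailbox server."
} else {
    Write-Warning "CurrentCertificateThumbprint is '$after', expected '$($newCert.Thumbprint)'."
}
```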

You should no longer see the warnings in the Event Viewer on your Exchange Server 2013. In fact, it should fix several additional warnings/errors and hopefully your application log will look very clean.


Copyright © 2015 SeattlePro Enterprises, LLC. All rights reserved.


17 Comments

  1. Perfect thanks a lot for this !!!
    I had this warning after renewing a certificate and deleting the old one.

  2. Hi, I am unable to connect to Exchange PowerShell because I deleted the certificate by mistake. Any idea?

  3. Hi Ralph, are you unable to start the Exchange Management Shell (EMC) at all, even as an Administrator? If that’s the case you can use the 64-bit PowerShell ISE or the 64-bit PowerShell. Just make sure that you start the shell as an Administrator.

  4. Hello, when I run command

    Set-AuthConfig -ClearPreviousCertficate

    A parameter cannot be found that matches parameter name ‘ClearPreviousCertficate’.
    + CategoryInfo : InvalidArgument: (:) [Set-AuthConfig], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-AuthConfig
    + PSComputerName : exchangeservername.domain.local (changed to protect the innocent)

  5. Jeffrey, are you starting the PowerShell console with administrative credentials? Do you have a previous certificate? If yes, are you able to see it when you type Get-ExchangeCertificate?

  6. I have completed your steps but in ECP there are now two auth certificates. Can I delete the old one or will this have a knock on effect for other services?

    According to the Get-AuthConfig, the new certificate is now the CurrentCertificateThumbprint, so by rights I should be able to delete the old certificate from ECP. Is this correct?

  7. David, did you run the Set-AuthConfig -ClearPreviousCertificate in step 9? If you did, then obviously the old certificate is no longer in use. Normally, you can delete an old certificate that’s no longer in use because it just causes confusion. As a precaution, you can always backup (export) the certificate before deleting it.

  8. Greetings,
    I’m getting “could not grant network service access to the certificate with thumbprint”…. when I run the first step.
    Please advise.

  9. @Osama: Are you running McAfee antivirus? Disable your antivirus software and try again. They tend to cause issues at times. McAfee in particular is known to cause a lot of problems on computers so avoid using it.

  10. Hi Zubair,
    Which domain name do I specify? I host multiple external domain names in Exchange and have a child and root domain in AD. Such as abc,root and abc.main. Exchange servers belong to the main domain.

  11. Hi Alexander
    We have an Exchange Hybrid environment. The Skype around the corner see some AuthErrors because the default AuthCertificate is an self signed one. Do you ever had this issue? is it possible to create an 5 year certificate from an internal CA and change the Auth Service to this? You ever do this?
    Best regards! Ronny

  12. Ran into this while migrating from 2010 to 2016 exchange. I’m guessing the cert is used to sync the two servers.

  13. Help! I didn’t see your post/website until I had already answered “yes” to overwrite SMTP!

  14. Thank you so much for publishing this – I’ve spent many hours trying to restore access to my exchange management console which was giving the very helpful ‘X-FE Server’ error message, and this was the answer 🙂 high-five from me.
