Dealing with a Missing Microsoft Exchange Server Auth Certificate that Causes “Federation or Auth certificate not found” Warnings

As part of Exchange Server 2013, a self-signed certificate called Microsoft Exchange Server Auth Certificate is created on the server. You can find this certificate in the local computer certificate store. This certificate is used for server-to-server authentication, which is required to integrate Microsoft Exchange, Lync and SharePoint. Needless to say, this is an important certificate. If for some reason this certificate is missing on your Exchange Server 2013, you should see the following warning in the Event Viewer on your Exchange Server 2013:

Federation or Auth certificate not found: <Certificates_thumbprint>. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites.

SOLUTION

To fix the problem of the missing certificate, use the following procedure. First you need to create a new Exchange certificate, then use the Set-AuthConfig cmdlet to tell Exchange about this new certificate, and then publish it.
  1. Start Microsoft Exchange Management Shell on your Exchange Server 2013.
  2. Create a new Exchange certificate using the following command. Replace the value of the -DomainName parameter with your own domain name, e.g. *.example.com. WARNING! Do not remove the quotes around the domain name and do not overwrite the default SMTP certificate. New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -DomainName "*.yourdomain.com" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services SMTP
  3. When prompted to overwrite the existing default SMTP certificate answer No.
  4. Copy the thumbprint of the newly created certificate. You will need that shortly.
  5. Type the following command and press ENTER. You will not see any output. $a=get-date
  6. Enter the following command. Replace the words your_certificate's_thumbprint_goes_here with your certificate's thumbprint that you copied in Step 4 above. Set-AuthConfig -NewCertificateThumbprint your_certificate's_thumbprint_goes_here -NewCertificateEffectiveDate $a
  7. You will see a prompt that the new certificate effective date is not at least "48" hours in the future and may not be deployed on all necessary servers. Ignore this prompt and type Yes to continue. Because Yes is the default answer, you can also press ENTER to continue which means you are accepting the default answer.
  8. Publish the new certificate using the following command: Set-AuthConfig -PublishCertificate
  9. In case you have a previous certificate, you may want to run the following command to clear the previous certificate. Set-AuthConfig -ClearPreviousCertificate
  10. The last thing you need to do is run the IISRESET command. Exchange Server 2013 has two roles: Client Access Server and Mailbox. Run IISRESET on all your CAS and Mailbox servers.
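The ten steps above combined into a single Exchange Management Shell script, as an added example that is not part of the original post. It assumes you run it in the Exchange Management Shell on the Exchange 2013 server, that "*.yourdomain.com" is replaced with your own domain, and that the -Confirm:$false switch on Set-AuthConfig is acceptable to you (it answers Yes to the 48-hour prompt, which is what Step 7 does by hand). The overwrite prompt from New-ExchangeCertificate is still answered interactively, so that the default SMTP certificate is never replaced by accident.

```powershell
# Added example script, not from the original post. Run in the Exchange Management Shell
# on an Exchange Server 2013 server. The domain name is an assumed placeholder.
$domainName = "*.yourdomain.com"   # replace with your own domain (assumption)

# Step 2: create the Auth certificate. Exchange asks whether to overwrite the existing
# default SMTP certificate; answer No at that prompt (Step 3).
$cert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "cn= Microsoft Exchange Server Auth Certificate" `
    -DomainName $domainName `
    -FriendlyName "Microsoft Exchange Server Auth Certificate" `
    -Services SMTP

# Step 4: keep the thumbprint in a variable instead of copying it by hand.
$thumbprint = $cert.Thumbprint
Write-Host "New Auth certificate thumbprint: $thumbprint"

# Steps 5-7: make the certificate effective now. -Confirm:$false accepts the
# "not at least 48 hours in the future" prompt (the default answer is Yes).
$a = Get-Date
Set-AuthConfig -NewCertificateThumbprint $thumbprint -NewCertificateEffectiveDate $a -Confirm:$false

# Step 8: publish the certificate. Step 9: clear the previous one (only if you have
# confirmed nothing still depends on it).
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# Verification: the auth configuration should now reference the new thumbprint,
# and the certificate should be present in the local store.
$auth = Get-AuthConfig
if ($auth.CurrentCertificateThumbprint -ne $thumbprint) {
    Write-Warning "AuthConfig does not yet reference the new certificate; check Get-AuthConfig."
}
Get-ExchangeCertificate -Thumbprint $thumbprint | Format-List Thumbprint, Subject, Services, NotAfter

# Step 10: restart IIS on this server; repeat on every CAS and Mailbox server.
iisreset
```

Re-run Get-AuthConfig on the other servers after a few minutes; the thumbprint propagates through Active Directory, so a server that still reports the old value immediately after the change is not necessarily broken.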
You should no longer see the warnings in the Event Viewer on your Exchange Server 2013. In fact, it should fix several additional warnings/errors and hopefully your application log will look very clean.
Copyright © 2015 SeattlePro Enterprises, LLC. All rights reserved.