Doug Deitterick's Blog

Information about Microsoft Lync, OCS, and Exchange UM.

OAuth Certifcate in Lync Server 2013

OAuth Certifcate in Lync Server 2013

  • Comments 19
  • Likes

When requesting certificates in your Lync Server 2013 environment, you will notice that there is a new certificate type that needs to be requested, OAuthTokenIssuer.  What is OAuth and what do we use it for in Lync Server 2013?

OAuth (Open Authorization) is a protocol for server-to-server authentication and authorization.  With OAuth, user credentials and passwords are not passed from one computer to another.  Instead, authentication and authorization is based on the exchange of security tokens; these tokens grant access to a specific set of resources for a specific amount of time.  Lync Server 2013 supports three server-to-server authentication scenarios. With Lync Server 2013 you can:

  • Configure server-to-server authentication between an on-premise installation of Lync Server 2013 and an on-premises installation of Exchange 2013 and/or Microsoft SharePoint Server.
  • Configure server-to-server authentication between a pair of Office 365 components (for example, between Microsoft Exchange 365 and Microsoft Lync Server 365, or between Microsoft Lync Server 365 and Microsoft SharePoint 365.
  • Configure server-to-server authentication in a cross-premises environment (that is, server-to-server authentication between an on-premises server and an Office 365 component).

You can read more about OAuth and it's uses in the Managing Server-to-Server Authentication (Oauth) and Partner Applications TechNet article.

As you complete the request for the OAuthTokenIssuer certificate and view the certificate, you'll see that it looks something similar to:

One important thing to note about the OAuthTokenIssuer certificate, that is different from other certificates in Lync Server 2013, is that the OAuthTokenIssuer certificate is a global certificate:

So what does that mean?  It means that the same OAuthTokenIssuer certificate needs to be used by all of the Lync Server 2013 servers.  In order to assure this, when you assign this certificate, it is replicated via the CMS and is assigned to all of the Lync Server 2013 servers that require OAuth.  If you look in the directory where the Lync Server 2013 logs are stored (C:\Users\<username>\AppData\Local\Temp), you will see a log file similar to:


If you open that log file it will look something similar to:

If you wait for replication to succeed and then look at another Lync Server 2013 server, you will see that the OAuthTokenIssuer certificate has been replicated and assigned to that server:

So what happens if I request an OAuthTokenIssuer certificate on multiple servers?  In that case whichever certificate is replicated to the CMS last will be used by all of the Lync Server 2013 servers.


So when requesting the OAuthTokenIssuer certificate in Lync Server 2013, remember to only request it once and sit back and let CMS replication take care of the rest!

  • Thanks for sharing

  • Great, short and clear explanation :) Thanks.

  • You just made my life better. Thanks for the clarification.

  • Thank you very much for sharing...

  • Thank you so much for this awesome explanation!

  • should the same Oauth cert be used while integrating with exchange server ?

  • @Anonymous The same OAuthTokenIssuer certificate would be used by Lync for integration with Exchange, SharePoint, etc., however it would be different that the certificate than what Exchange uses.

  • I have a oAuth certificate . However, it is not available in the lync certificate store for me to assign the cert as an oAtuh cert..

  • @Ken Make sure that the certificate you want to use for OAuth contains the private key and that Windows has the certificate chain for that certificate.

  • @dodeitte : Thanks .Is it necessary that Oauth certs contain no SAN ?

  • @Ken No, it's not a requirement that the OAuth certificate to contain no SAN entries.

  • @dodeitte: Thanks for the explanation, great job! :))

    I do have two questions:
    - Does the OAuth-Certificate has to be signed by a "valid" CA (like a Cert for https://)?
    - If it's possible to self-sign the OAuth-Certificate - do I need to have the Windows-Certificate-Services installed on my Domain?

  • @McGee

    Yes, the OAuth certificate should be signed by a valid CA. You can use Certificate Services provided by Windows or you can get a certificate from a public CA.

  • error: the private ket is not marked portable and cannot be srored in CMS in lync.
    pliz help

  • @shi

    You will need to generate a request for the OAuth certificate that has the private key marked as exportable.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment