"Exchange OAuth authentication couldn't find the authorization certificate with thumbprint" error when you run the Hybrid Configuration wizard

PROBLEM
When you run the Hybrid Configuration wizard, OAuth authentication configuration fails, and you receive the following error message:
Exchange OAuth authentication couldn't find the authorization certificate with thumbprint <Thumbprint> in your on-premises organization. Run Get-AuthConfig cmdlet to verify the CurrentCertificateThumbprint information.
CAUSE
The OAuth authentication configuration looks for a specific certificate. However, this certificate either was removed or can't be accessed. 
SOLUTION
To fix this issue, follow these steps:
  1. Open the Exchange Management Shell.
  2. Identify the certificate for which the authentication configuration is looking. To do this, follow these steps:
    1. Run the following command:
      Get-AuthConfig | fl CurrentCertificateThumbprint
    2. Examine the output, and then take one of the following actions:
      • If no value is returned for CurrentCertificateThumbPrint, go to step 3.
      • If a value is returned for CurrentCertificateThumbPrint, verify that the certificate is available to Exchange. To do this, run the following command:
        Get-ExchangeCertificate
        If a certificate that has a matching thumbprint is available in both locations, there should be no issues. You can run the Hybrid Configuration wizard again to set OAuth authentication. If the issue persists, go to step 3. 
  3. Create a new certificate. To do this, run the following command:
    New-ExchangeCertificate -KeySize 2048 -SubjectName "cn=Microsoft Exchange ACS Certificate" -FriendlyName "Microsoft Exchange Server ACS Certificate" -PrivateKeyExportable $true -Services SMTP -DomainName fabrikam.com
  4. Set the new certificate that you created to be used for OAuth authentication. To do this, run the following commands:
    1. $date = Get-Date
    2. Set-AuthConfig -NewCertificateThumbprint <ThumbprintOfCertificateFromStep3> -NewCertificateEffectiveDate $date
    3. Set-AuthConfig -PublishCertificate
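The following function is an added example, not code from the KB article: it performs the checks in step 2 (missing thumbprint, certificate not in the Exchange store, expired, or lacking a private key) and only performs steps 3 and 4 when run with -Remediate. It assumes the Exchange Management Shell; the function name and the fabrikam.com domain are placeholders.

```powershell
# Added example, not from the KB. Assumes the Exchange Management Shell.
function Test-OAuthAuthCertificate {
    [CmdletBinding()]
    param(
        [switch]$Remediate,
        [string]$DomainName = 'fabrikam.com'   # placeholder, replace with your domain
    )

    # Step 2a: which certificate does AuthConfig expect?
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint

    if ([string]::IsNullOrEmpty($thumb)) {
        Write-Warning 'AuthConfig has no CurrentCertificateThumbprint (go to step 3).'
    } else {
        # Step 2b: the thumbprint must resolve to a usable certificate in the Exchange store.
        $cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
        if (-not $cert) {
            Write-Warning "Certificate $thumb is not available to Exchange."
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Certificate $thumb expired on $($cert.NotAfter)."
        } elseif (-not $cert.HasPrivateKey) {
            Write-Warning "Certificate $thumb has no private key, so OAuth cannot sign tokens with it."
        } else {
            Write-Output "OK: OAuth certificate $thumb is present and valid until $($cert.NotAfter)."
            return
        }
    }

    if (-not $Remediate) {
        Write-Output 'Re-run with -Remediate to create and assign a new certificate (steps 3 and 4).'
        return
    }

    # Step 3: create the replacement certificate (same parameters as the KB).
    $newCert = New-ExchangeCertificate -KeySize 2048 `
        -SubjectName 'cn=Microsoft Exchange ACS Certificate' `
        -FriendlyName 'Microsoft Exchange Server ACS Certificate' `
        -PrivateKeyExportable $true -Services SMTP -DomainName $DomainName

    # Step 4: point AuthConfig at the new certificate, effective now, then publish it.
    $date = Get-Date
    Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate $date
    Set-AuthConfig -PublishCertificate
    Write-Output "Assigned OAuth certificate $($newCert.Thumbprint); re-run the Hybrid Configuration wizard."
}
```

Run it without -Remediate first to see which of the step 2 conditions applies before any certificate is created.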
MORE INFORMATION
If you experience issues with the Hybrid Configuration wizard, you can run the Exchange Hybrid Configuration Diagnostic. This diagnostic is an automated troubleshooting experience. Run it on the same server on which the Hybrid Configuration wizard failed. Doing this collects the Hybrid Configuration wizard logs and parses them for you. If you're experiencing a known issue, a message is displayed that tells you what went wrong. The message includes a link to an article that contains the solution. Currently, the diagnostic is supported only in Internet Explorer.

Still need help? Go to the Office 365 Community website or the Exchange TechNet Forums.

Article ID: 3089171 - Last Review: 02/25/2016 22:39:00 - Revision: 3.0

Microsoft Exchange Online, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard
