If Skype for Business, Exchange or Lync; Server to Server communication is Broken Where do I jump in to begin fixing it?

I ran into a case where the Server to Server communication (S2SC) was not working and I actually was at a disadvantage on how to go about repairing this, even though I had been at this for a few years.

And I didn’t get the steps together right away either. This can be a complex matter, depending on the situation. Let me try to break this down into a simple repair process.

When you need to fix S2SC you need two start with defining 2 URLs. Once is for the Exchange Server and the Other is for Lync/Skype 4 Business. Those commands are below. Run the top command on Exchange, and the bottom command on Lync FE:

get-clientaccessserver | fl fqdn, autodiscoverserviceinternaluri

Get-Cspool | where-object {$_.services –like “*UserServer*”} | fl site, fqdn


Now to build the two URLs, they should be the root from above, followed by /autodiscover/metadata/json/1 for Exchange, and /metadata/json/1 for Lync/SFB. The combined URL, based on the FQDN results above, should look something like this below:



Now before moving on, you need to test these URL values and see that they are accessible from both the Exchange Server and the Lync Server. This is where this article takes hold. What If one of the values is missing, and does not work? Well that is when your steps will not create  S2SC that is functional.


So we being here, First your Exchange URL is not showing up. What do I do? Well first take a breath and then just bring up the following on the Exchange server:



This is pretty simple, but I guarantee you will not find it when your looking for it. As in my case, I couldn’t find the shell command to show me how to verify the Oauth Certificate was assigned. So if you get information returned from this command, then you can verify the certificate is still in place ad that it is good. Troubleshoot the results of the output. So now you can remove-authserver and start over, or try to fix the broken certificate.

So your steps here will be:

Remove-AuthServer or Set-AuthConfig –ClearpreviousCertificate

Or you will try to fix before Deleting. So to fix before deleting, try along these lines:

1. $X=get-date

2. Set-AuthConfig -NewCertificateThumbprint numberfromyourcertstore –NewCertificateEffectiveDate $X

3. Set-AuthConfig –PublishCertificate


If you chose to Remove-AuthServer, then you have to take it from the top.

1. New-ExchangeCertificate -KeySize 2048 -domain domain.local -PrivateKeyExportable $true -SubjectName “cn= Microsoft Exchange Server Auth Certificate” -FriendlyName “Microsoft Exchange Server Auth Certificate” -Services smtp

*Do not accept to replace the SMTP  prompt

2. Note the thumbprint of the new certificate. Let say it is 9001

3. $X=get-date

4. Set-AuthConfig -NewCertificateThumbprint 9001 –NewCertificateEffectiveDate $X

5. Set-AuthConfig –PublishCertificate


So you put your Exchange url in and it now works. Now what about the SFB URL?

Well I think the instance when your SFB URL will not work will be less frequently. This is because the Oauth Certificate is created with the Lync Configuration Wizard. In fact, I would recommend recreating your Oauth Certificate from the sane Wizard, if you have problem with Oauth. however, I will repeat the related power shell command from TechNet here:

Manual process for re certificate the Oauth URL:

Remove-CsCertificate -Type OAuthTokenIssuer

Get-CsCertificate -Type OAuthTokenIssuer

Import-CsCertificate -Identity global -Type OAuthTokenIssuer -Path C:\Certificates\ServerToServerAuth.pfx  -Password “P@ssw0rd”

$x = (Get-CsCertificate -Type Default).Thumbprint
Set-CsCertificate -Identity global -Type OAuthTokenIssuer -Thumbprint $x
Now intead you can always try to just roll a new certificate . You can follow the steps below:

$x = (Get-CsCertificate -Type Default).Thumbprint
Set-CsCertificate -Identity global -Type OAuthTokenIssuer -Thumbprint $x -EffectiveDate “7/1/2015” –Roll


Once your Certificate is in place, your URL should now be accessible.


This articles would not be complete If I did not show you how to complete your OAUTH S2SC commands. These commands will allow each Product to talk to the other. Lync 2 Exchange and Exchange 2 Lync. Please run the two commands below. The Exchange Server will run a command, using the lync URL, ad the Lync command will use the Exchange URL. This is by design and this is what brings your Oauth 2 Life:

IN Exchange: Browse to the C:\Program Files\Microsoft\Exchange\V15\Scripts folder

Run this command:

.\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl “https://pool01.domain.com/metadata/json/1” -ApplicationType Lync

Now in Lync or SFB, Run the following

New-CsPartnerApplication -identity Exchange -ApplicationTrustLevel Full -MetadataUrl https://autodiscover.domain.com/autodiscover/metadata/json/1

Andd the following, depending on weather you are doing the other possible integrations, which you will consult additional documentation for:

New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn exchangeserver.domain.com -Port 5199

New-CsTrustedApplicationPool -Identity exchangeserver.domain.com -Registrar lyncpool.domain.com -Site yoursite -RequiresReplication $False

And this, My Friends, completes the troubleshooting on Oauth or Server to Server authentication. you are now all clear to get your UCS contact store configured now.


I hope this has been helpful.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s