Medha Cloud
Medha Cloud Exchange Server Team
Exchange Database Recovery Team | 8 min read

A missing OAuth certificate in Exchange Server prevents server-to-server authentication, breaking OWA authentication, hybrid mail flow, and cross-premises free/busy sharing. This guide shows you how to verify, create, and configure OAuth certificates to restore full authentication functionality.

Our Exchange Authentication Support team regularly resolves OAuth certificate issues for on-premises and hybrid environments.

Error Overview: What OAuth Certificates Do

Exchange uses OAuth certificates for server-to-server authentication. The certificate signs authentication tokens that validate requests between Exchange servers, Microsoft 365, and client applications.

How OAuth Authentication Works
# OAuth Certificate Flow (server-to-server):
# 1. The calling server builds an access token for the target service
# 2. It signs the token with the auth certificate's private key
# 3. The receiving server looks up the issuer's published certificate and validates the signature with its public key
# 4. If the signature and the token's claims (issuer, audience, expiry) check out, the request is authenticated

# Key components:
# - AuthConfig: Stores OAuth certificate thumbprint
# - Certificate Store: Holds the actual certificate
# - AuthServer: Defines trusted token issuers
# - PartnerApplication: Defines trusted applications

When the certificate is missing: Exchange cannot sign tokens, causing authentication failures for OWA (modern auth), EWS, hybrid mail flow, and cross-premises calendar sharing.
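The four steps above as a working model, added here as an example; it is not part of the original article and not Exchange's own code. It builds and validates a server-to-server token in Windows PowerShell with .NET crypto, and assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (New-SelfSignedCertificate's -KeyAlgorithm and -NotAfter parameters). The token layout (RS256, an x5t header carrying the base64url SHA-1 thumbprint of the signing certificate) mirrors the JWTs Exchange exchanges, but the issuer and audience values are made up, and the certificate is a throwaway created in the current user's store.

```powershell
# Added example: model of Exchange's OAuth server-to-server token flow.
# Assumes Windows PowerShell 5.1 on Windows 10 / Server 2016+. Claim values are made up.

function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return ,[Convert]::FromBase64String($s)   # leading comma keeps the byte[] intact
}

# --- Issuing side: needs the PRIVATE key of the auth certificate (steps 1 and 2) ---
function New-S2SToken {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert,
        [string]$Issuer,
        [string]$Audience
    )
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($SigningCert)
    if (-not $rsa) { throw "No private key for $($SigningCert.Thumbprint): token cannot be signed" }
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # x5t (base64url SHA-1 thumbprint) tells the receiver which published certificate to verify with
    $header  = @{ typ = 'JWT'; alg = 'RS256'; x5t = (ConvertTo-Base64Url ($SigningCert.GetCertHash())) } | ConvertTo-Json -Compress
    $payload = @{ iss = $Issuer; aud = $Audience; nbf = $now; exp = $now + 3600 } | ConvertTo-Json -Compress
    $signingInput = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
                    (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payload)))
    $sig = $rsa.SignData([Text.Encoding]::UTF8.GetBytes($signingInput),
                         [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                         [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return "$signingInput.$(ConvertTo-Base64Url $sig)"
}

# --- Receiving side: only knows the PUBLISHED certificates (steps 3 and 4) ---
function Test-S2SToken {
    param([string]$Token, [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$TrustedCerts)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return 'Malformed' }
    $header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    # An x5t the receiver has never seen is exactly the "missing or unpublished certificate" failure
    $cert = $TrustedCerts | Where-Object { (ConvertTo-Base64Url ($_.GetCertHash())) -eq $header.x5t } | Select-Object -First 1
    if (-not $cert) { return "UntrustedSigner:$($header.x5t)" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $ok = $rsa.VerifyData([Text.Encoding]::UTF8.GetBytes("$($parts[0]).$($parts[1])"),
                          (ConvertFrom-Base64Url $parts[2]),
                          [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                          [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (-not $ok) { return 'BadSignature' }
    $claims = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    if ($claims.exp -lt [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()) { return 'Expired' }
    return 'Valid'
}

# --- Constructed demo: throwaway cert in the CurrentUser store (no admin rights needed) ---
$authCert = New-SelfSignedCertificate -Subject 'CN=Demo Exchange Auth Certificate' -KeyAlgorithm RSA -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(1)
# What a partner holds after publication: the public half only, no private key
$published = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $authCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Made-up stand-ins for the realm-qualified identifiers Exchange puts in iss/aud
$token = New-S2SToken -SigningCert $authCert `
    -Issuer '00000001-0000-0000-c000-000000000000@contoso.local' `
    -Audience '00000002-0000-0ff1-ce00-000000000000/mail.contoso.local@contoso.local'

"Trusted receiver : " + (Test-S2SToken -Token $token -TrustedCerts @($published))
"Nothing published: " + (Test-S2SToken -Token $token -TrustedCerts @())
"Tampered payload : " + (Test-S2SToken -Token ($token -replace '^([^.]+)\.[^.]+\.', '$1.e30.') -TrustedCerts @($published))
try { New-S2SToken -SigningCert $published -Issuer 'x' -Audience 'y' } catch { "Public key only  : $_" }

Remove-Item "Cert:\CurrentUser\My\$($authCert.Thumbprint)"   # clean up the demo certificate
```

The four calls at the end exercise the four ways the flow can end: a receiver that holds the published certificate accepts the token; a receiver with nothing published rejects it on the x5t lookup before any cryptography runs, which is what a deleted or never-published auth certificate looks like from the other side; a payload swapped for `{}` fails signature verification; and signing with the public-only copy throws, which is the situation after a migration that copied the certificate without its private key.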

Symptoms & Business Impact

What Users Experience:

  • OWA login fails with "Something went wrong" or authentication loops
  • Outlook prompts for credentials repeatedly
  • Free/busy lookups to Microsoft 365 fail
  • Hybrid mail flow stops working
  • Mobile devices cannot sync via ActiveSync

What Admins See:

  • Event ID 1003 with OAuth token validation errors
  • Get-AuthConfig returns empty thumbprint
  • Hybrid Configuration Wizard fails
  • Test-OAuthConnectivity returns failures

Verify OAuth Certificate Status
# Check AuthConfig for current certificate
Get-AuthConfig | Select-Object CurrentCertificateThumbprint, PreviousCertificateThumbprint, ServiceName

# Check if the certificate exists in store
$authConfig = Get-AuthConfig
if ($authConfig.CurrentCertificateThumbprint) {
    $cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
    if ($cert) {
        Write-Host "OAuth certificate found:" -ForegroundColor Green
        $cert | Select-Object Subject, Thumbprint, NotAfter, Services
    } else {
        Write-Host "ERROR: OAuth certificate thumbprint configured but certificate not found!" -ForegroundColor Red
    }
} else {
    Write-Host "ERROR: No OAuth certificate configured in AuthConfig!" -ForegroundColor Red
}

Common Causes of Missing OAuth Certificate

1. Certificate Expired and Removed (40%)

OAuth certificates are self-signed with 5-year validity. When they expire, administrators may delete them without creating replacements, or automated cleanup scripts remove expired certificates.

2. Incomplete Exchange Installation (25%)

A failed or interrupted Exchange installation may never create the initial OAuth certificate; this is common when setup hits an error during the certificate generation phase.

3. Certificate Store Corruption (20%)

Windows certificate store corruption after updates, restores from backup, or system crashes can cause certificates to become inaccessible even if they exist.

4. Server Migration Without Certificate (15%)

During Exchange migrations, the OAuth certificate was not exported from the old server or imported to the new server, breaking authentication continuity.

Quick Diagnosis

Step 1: Check AuthConfig Status
# Get complete auth configuration
Get-AuthConfig | Format-List *

# Expected output should show:
# CurrentCertificateThumbprint : ABC123... (valid thumbprint)
# ServiceName                  : 00000002-0000-0ff1-ce00-000000000000
#   (the well-known Exchange service principal ID; it is the same in every organization)
# NextCertificateThumbprint    : empty unless a rollover is staged and not yet effective

# If CurrentCertificateThumbprint is empty = certificate not configured
# If thumbprint exists but cert not found = certificate deleted/corrupted

Step 2: Search for Existing Auth Certificates
# Look for auth certificates in store
Get-ExchangeCertificate | Where-Object {
    $_.Subject -like "*Microsoft Exchange Server Auth*" -or
    $_.Subject -like "*Auth Certificate*"
} | Select-Object Subject, Thumbprint, NotBefore, NotAfter, Services

# Check Windows certificate store directly
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*Exchange*Auth*"
} | Select-Object Subject, Thumbprint, NotAfter

Step 3: Test OAuth Connectivity
# Test OAuth with Microsoft 365 (if hybrid)
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox admin@domain.com

# Test internal OAuth
$testMailbox = (Get-Mailbox | Select-Object -First 1).PrimarySmtpAddress
Test-OAuthConnectivity -Service EWS -TargetUri https://mail.domain.com/ews/exchange.asmx -Mailbox $testMailbox
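Steps 1 to 3 folded into one health check that runs against every Mailbox server at once, added here as an example and not code from the original article. It uses only cmdlets the article already relies on (Get-AuthConfig, Get-ExchangeServer, Get-ExchangeCertificate, Test-OAuthConnectivity) and is meant for the Exchange Management Shell; the -TestMailbox value is an assumption and is only needed if you want the OAuth round-trip tested as well. Beyond the single-server checks above it also reports a staged rollover (NextCertificateThumbprint) and a certificate that exists without its private key.

```powershell
# Added example: one AuthConfig/certificate health check across all Mailbox servers.
# Run in the Exchange Management Shell. -TestMailbox (assumed) is optional.
function Get-AuthCertificateHealth {
    [CmdletBinding()]
    param(
        [int]$WarnDays = 90,        # same threshold as the article's monitoring script
        [string]$TestMailbox        # any mailbox; drives Test-OAuthConnectivity when supplied
    )
    $authConfig = Get-AuthConfig
    $current = $authConfig.CurrentCertificateThumbprint

    # A staged-but-not-yet-effective certificate explains "the cert exists but
    # tokens still fail" right after a renewal.
    if ($authConfig.NextCertificateThumbprint) {
        Write-Warning ("Rollover pending: {0} becomes current at {1}" -f
            $authConfig.NextCertificateThumbprint, $authConfig.NextCertificateEffectiveDate)
    }

    foreach ($server in (Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' })) {
        $cert = $null
        if ($current) {
            # AuthConfig lives once in Active Directory, but the certificate must
            # physically exist in each server's local machine store.
            $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $current -ErrorAction SilentlyContinue
        }
        $state = if (-not $current)                                       { 'NotConfigured' }
                 elseif (-not $cert)                                      { 'MissingOnServer' }
                 elseif (-not $cert.HasPrivateKey)                        { 'NoPrivateKey' }
                 elseif ($cert.NotAfter -lt (Get-Date))                   { 'Expired' }
                 elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { 'ExpiringSoon' }
                 else                                                     { 'OK' }

        $oauth = 'NotTested'
        if ($TestMailbox -and $state -in 'OK', 'ExpiringSoon') {
            # Use the FQDN so the TLS name matches the server's certificate
            $uri = "https://$($server.Fqdn)/ews/exchange.asmx"
            $result = Test-OAuthConnectivity -Service EWS -TargetUri $uri -Mailbox $TestMailbox -ErrorAction SilentlyContinue
            $oauth = if ($result.ResultType -eq 'Success') { 'Success' } else { 'Failure' }
        }

        [pscustomobject]@{
            Server     = $server.Name
            Thumbprint = $current
            State      = $state
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            OAuthTest  = $oauth
        }
    }
}

# Usage: Get-AuthCertificateHealth -TestMailbox admin@domain.com | Format-Table -AutoSize
```

Any row other than OK/Success points at a specific section below: NotConfigured and MissingOnServer at the Quick Fix or Solution 2, NoPrivateKey at Solution 2 (re-import the PFX), MissingOnServer on only some servers at Solution 4.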

Quick Fix (15-20 Minutes)

Important:

Creating a new OAuth certificate breaks OAuth between on-premises Exchange and Microsoft 365 until Exchange Online learns the new certificate, which happens when you re-run the Hybrid Configuration Wizard (Solution 3). In a hybrid deployment, schedule the change for a window where that disruption is acceptable.

Create and Configure New OAuth Certificate
# Step 1: Create new OAuth certificate
# With -Services SMTP the cmdlet asks whether to overwrite the existing default SMTP
# certificate: answer No. The auth certificate must not replace it.
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -Services SMTP -FriendlyName "Microsoft Exchange Server Auth Certificate"

Write-Host "New certificate created: $($newCert.Thumbprint)"

# Step 2: Configure AuthConfig with new certificate
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)

# Step 3: Publish the certificate (this rolls it over to Current immediately)
Set-AuthConfig -PublishCertificate

# Step 4: Clear previous certificate (optional; only after OAuth tests pass and, in hybrid, after HCW has been re-run)
# Set-AuthConfig -ClearPreviousCertificate

# Step 5: Restart the Service Host (it caches the auth certificate and distributes it to other servers) and IIS
Restart-Service MSExchangeServiceHost
iisreset /noforce

Write-Host "OAuth certificate configured successfully!"
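The Quick Fix above as one guarded script, added as an example rather than code from the original article. Beyond the listed steps it exports the certificate that is still current before anything is replaced (so there is a way back), omits -Services SMTP so the cmdlet never prompts to replace the default SMTP certificate, and refuses to report success until every Mailbox server can see the new thumbprint. Run it in the Exchange Management Shell as an Exchange administrator; $BackupDir and the wildcard $DomainName are assumed values to adjust.

```powershell
# Added example: guarded OAuth certificate rotation. $BackupDir and $DomainName are assumptions.
$ErrorActionPreference = 'Stop'
$BackupDir  = 'C:\ExchangeCertBackup'       # assumed path; restrict NTFS access to Exchange admins
$DomainName = "*.$env:USERDNSDOMAIN"        # assumed; use your SMTP namespace
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$authConfig = Get-AuthConfig
$old = $authConfig.CurrentCertificateThumbprint

# 1. Preserve the current certificate first. If it is already gone from the
#    store there is nothing to export and we carry on.
if ($old -and (Get-ExchangeCertificate -Thumbprint $old -ErrorAction SilentlyContinue)) {
    $backupPwd = Read-Host 'Password for the backup PFX' -AsSecureString
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Export-ExchangeCertificate -Thumbprint $old -BinaryEncoded -Password $backupPwd `
        -FileName "$BackupDir\OAuth-$old-$stamp.pfx" | Out-Null
    Write-Host "Backed up $old to $BackupDir"
} else {
    Write-Warning 'No usable current auth certificate to back up; continuing.'
}

# 2. Create the replacement. -Services is deliberately omitted: with -Services SMTP
#    the cmdlet asks whether to replace the default SMTP certificate, and the right
#    answer (No) cannot be given from a script.
$new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
    -FriendlyName 'Microsoft Exchange Server Auth Certificate' `
    -DomainName $DomainName
Write-Host "Created $($new.Thumbprint), expires $($new.NotAfter)"

# 3. Stage it, then publish. -PublishCertificate rolls it over to Current immediately;
#    the warning about an effective date less than 48 hours away is expected here.
Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate

# 4. Restart what caches the auth certificate. Service Host also distributes the
#    certificate from Active Directory to the other Exchange servers.
Restart-Service MSExchangeServiceHost
iisreset /noforce | Out-Null

# 5. Do not declare success until every Mailbox server has the new certificate.
$missing = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' } | Where-Object {
    -not (Get-ExchangeCertificate -Server $_.Name -Thumbprint $new.Thumbprint -ErrorAction SilentlyContinue)
}
if ($missing) {
    Write-Warning ("Not yet present on: {0}. Re-check before clearing the old certificate." -f ($missing.Name -join ', '))
} else {
    Write-Host "Auth certificate $($new.Thumbprint) is current on all Mailbox servers."
}

# Only after Test-OAuthConnectivity passes (and HCW has been re-run in hybrid):
# Set-AuthConfig -ClearPreviousCertificate
```

Keep the exported PFX under the same protection as a privileged credential: anyone holding it and its password can sign tokens that every Exchange server in the organization accepts.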

Detailed Solutions

Solution 1: Create OAuth Certificate (No Hybrid)

Full OAuth Certificate Creation for On-Premises
# For on-premises Exchange without hybrid
# Step 1: Create the certificate
$authCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -Services SMTP -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName $env:USERDNSDOMAIN

Write-Host "Certificate Thumbprint: $($authCert.Thumbprint)"
Write-Host "Certificate Expires: $($authCert.NotAfter)"

# Step 2: Configure as auth certificate
Set-AuthConfig -NewCertificateThumbprint $authCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)

# Step 3: Publish to partner applications
Set-AuthConfig -PublishCertificate

# Step 4: Verify configuration
$authConfig = Get-AuthConfig
Write-Host "Current Certificate: $($authConfig.CurrentCertificateThumbprint)"

# Step 5: Restart services. MSExchangeOWAAppPool is an IIS application pool, not a
# Windows service, so Restart-Service cannot target it; iisreset recycles it anyway.
Restart-Service MSExchangeServiceHost -Force
iisreset /noforce

# Step 6: Test against this server's FQDN (the name on its TLS certificate)
Write-Host "Testing OAuth..."
Start-Sleep -Seconds 10
$testMailbox = (Get-Mailbox | Select-Object -First 1).PrimarySmtpAddress
$fqdn = (Get-ExchangeServer $env:COMPUTERNAME).Fqdn
Test-OAuthConnectivity -Service EWS -TargetUri "https://$fqdn/ews/exchange.asmx" -Mailbox $testMailbox

Solution 2: Restore from Backup Certificate

Import Existing OAuth Certificate from PFX
# If you have a backup of the original certificate
$pfxPath = "C:\Backup\OAuthCert.pfx"
$pfxPassword = Read-Host "Enter PFX password" -AsSecureString

# Import the certificate and keep the object the cmdlet returns, rather than
# searching by friendly name afterwards (more than one certificate may match "*Auth*")
$importedCert = Import-ExchangeCertificate -FileName $pfxPath -Password $pfxPassword -PrivateKeyExportable $true

# Configure as auth certificate
Set-AuthConfig -NewCertificateThumbprint $importedCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate

# Restart services
iisreset /noforce

Solution 3: Fix Hybrid Deployment After New Certificate

Update Hybrid Configuration with New OAuth Certificate
# After creating new OAuth certificate in hybrid environment

# Step 1: Export the new certificate's public part for your records
$authConfig = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -FileName "C:\Temp\OAuth_PublicKey.cer" -BinaryEncoded

Write-Host "Certificate exported. Re-run the Hybrid Configuration Wizard to update Microsoft 365."

# Step 2: Re-run the Hybrid Configuration Wizard
# Download the latest HCW from: https://aka.ms/HybridWizard
Write-Host "Download and run the Hybrid Configuration Wizard"
Write-Host "The wizard updates the Exchange Online side with the new certificate; no manual upload is needed"

# Step 3: After HCW completes, test hybrid connectivity
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox admin@domain.com

# Step 4: Confirm the cross-premises trust object that OAuth free/busy depends on is present
Get-IntraOrganizationConnector | Format-List

Solution 4: Replicate Certificate to All Exchange Servers

Exchange normally distributes the auth certificate to every Exchange server by itself (the certificate deployment servicelet in the Microsoft Exchange Service Host service does this), so the manual copy below is a fallback for a server that still lacks the thumbprint after that service has been restarted. Treat the exported PFX as a credential: whoever holds it can sign tokens that every Exchange server in the organization accepts, so use a strong password and delete the file when you are done.

Deploy OAuth Certificate to Multiple Servers
# Export certificate from source server
$authConfig = Get-AuthConfig
$thumbprint = $authConfig.CurrentCertificateThumbprint
$pfxPassword = Read-Host "Enter export password" -AsSecureString

Export-ExchangeCertificate -Thumbprint $thumbprint -FileName "C:\Temp\OAuthCert.pfx" -Password $pfxPassword -BinaryEncoded

# Import on each other Exchange server. Import-ExchangeCertificate takes -Server and
# reads -FileName from a UNC path, so no remoting is needed: each target reads the
# PFX from this server's admin share (Exchange Trusted Subsystem has access to it).
$pfxUnc = "\\$env:COMPUTERNAME\C$\Temp\OAuthCert.pfx"
$exchangeServers = Get-ExchangeServer | Where-Object {
    $_.ServerRole -match "Mailbox" -and $_.Name -ne $env:COMPUTERNAME
}

foreach ($server in $exchangeServers) {
    Write-Host "Processing $($server.Name)..."
    Import-ExchangeCertificate -Server $server.Name -FileName $pfxUnc -Password $pfxPassword -PrivateKeyExportable $true
}

Write-Host "Certificate deployed to all servers. Verify with:"
Write-Host ('Get-ExchangeServer | ForEach-Object { Get-ExchangeCertificate -Server $_.Name -Thumbprint ' + "'$thumbprint' }")

Verify the Fix

Comprehensive OAuth Verification
# Verify AuthConfig
Write-Host "=== AuthConfig ===" -ForegroundColor Cyan
Get-AuthConfig | Select-Object CurrentCertificateThumbprint, ServiceName | Format-List

# Verify certificate exists and is valid
Write-Host "=== Certificate Status ===" -ForegroundColor Cyan
$authConfig = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint
$cert | Select-Object Subject, NotBefore, NotAfter, Services | Format-List

# Check certificate is not expired
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Host "WARNING: Certificate is expired!" -ForegroundColor Red
} else {
    Write-Host "Certificate valid until: $($cert.NotAfter)" -ForegroundColor Green
}

# Test OAuth connectivity against this server's FQDN (the name on its TLS certificate)
Write-Host "=== OAuth Test ===" -ForegroundColor Cyan
$testMailbox = (Get-Mailbox | Select-Object -First 1).PrimarySmtpAddress
$fqdn = (Get-ExchangeServer $env:COMPUTERNAME).Fqdn
$oauthTest = Test-OAuthConnectivity -Service EWS -TargetUri "https://$fqdn/ews/exchange.asmx" -Mailbox $testMailbox
$oauthTest | Format-List ResultType, Detail

# Check for recent error events that mention OAuth. Filter first, then take the
# newest five; applying -MaxEvents before the filter would hide matching events
# older than the first five errors of any kind.
Write-Host "=== Recent OAuth Errors ===" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'
    ProviderName = 'MSExchange*'
    Level = 2
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*OAuth*" -or $_.Message -like "*Auth*" } |
    Select-Object TimeCreated, Message -First 5

Prevention Tips

Certificate Management Best Practices

  • Monitor OAuth certificate expiration (5-year default validity)
  • Export and back up the OAuth certificate with its private key, and protect the PFX like a credential: anyone holding it can sign tokens Exchange will accept
  • Document the certificate thumbprint in runbooks
  • Set calendar reminders 90 days before expiration
  • Test OAuth connectivity after any certificate change
  • Consider Microsoft's MonitorExchangeAuthCertificate.ps1 (CSS-Exchange repository on GitHub), which checks the auth certificate on a schedule and can renew it

Monitoring Script for OAuth Certificate
# Add to scheduled monitoring
$authConfig = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint -ErrorAction SilentlyContinue

if (-not $cert) {
    Write-Host "CRITICAL: OAuth certificate missing!" -ForegroundColor Red
    # Send alert
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(90)) {
    Write-Host "WARNING: OAuth certificate expires in less than 90 days!" -ForegroundColor Yellow
    Write-Host "Expiration: $($cert.NotAfter)"
    # Send warning
} else {
    Write-Host "OK: OAuth certificate valid until $($cert.NotAfter)" -ForegroundColor Green
}

When to Escalate

Contact Exchange specialists if:

  • Certificate creation fails with cryptographic errors
  • Hybrid Configuration Wizard fails after certificate replacement
  • OAuth test continues to fail after configuration
  • Multiple Exchange servers have certificate sync issues
  • Complex federation or partner application setup is involved

Need Expert Help?

Our Exchange Certificate Team specializes in OAuth and federation certificate management. We ensure seamless hybrid connectivity.

Frequently Asked Questions

What is the Exchange OAuth certificate?

The OAuth (Open Authorization) certificate is used by Exchange Server to authenticate server-to-server requests, including hybrid deployments with Microsoft 365, OWA authentication, and EWS requests. It is a self-signed certificate with the friendly name "Microsoft Exchange Server Auth Certificate".

Still Stuck? We Can Help

Our Exchange Server experts have resolved thousands of issues just like yours.

  • Remote troubleshooting in 95 minutes average
  • No upfront commitment or diagnosis fees
  • Fix-it-right guarantee with documentation

Microsoft Exchange Specialists

Our Exchange Server specialists have 15+ years of combined experience managing enterprise email environments. We provide 24/7 support, emergency troubleshooting, and ongoing administration for businesses worldwide.
