This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 16%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAT%3C/text%3E%3C/svg%3E)
The following two event log entries are appearing once or twice a month seemingly at random. They will spam us with hundreds of warnings for about a day and then stop. It has happened on 10/14/2020, 10/6/2020 and 9/15/2020 – 9 /16/2020. It has happened a couple other times also, but I don’t have the dates. They started after we configured our Exchange Organization in a hybrid configuration and enabled OAuth. Our Microsoft Exchange Server Auth Certificate is valid.
Log Name: Application
Source: MSExchange OAuth
Date: 10/14/2020 10:42:30 AM
Event ID: 2008
Task Category: Configuration
Level: Warning
Keywords: Classic
User: N/A
Computer: <Exchange_Server>
Description:
When retrieving metadata from the url 'https://login.windows.net/<Our_Domain_Name>/federationmetadata/2007-06/federationmetadata.xml', different certificate(s) have been found.
Log Name: Application
Source: MSExchange OAuth
Date: 10/14/2020 10:42:30 AM
Event ID: 2008
Task Category: Configuration
Level: Warning
Keywords: Classic
User: N/A
Computer: <Exchange_Server>
Description:
When retrieving metadata from the url 'https://accounts.accesscontrol.windows.net/<Our_Domain_Name>//metadata/json/1', different certificate(s) have been found.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 71%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELZ%3C/text%3E%3C/svg%3E)
Do you have other partner applications that have the certificate imported? You may have to remove the partner application and re-configure it.
Get-PartnerApplication
Remove-PartnerApplication <application name>
.\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl '<url>' -ApplicationType <type>
Here are similar issues for your reference:
Exchange 2016 / Skype for Business - MSExchange OAuth Error,
Exchange 2013 Partner Applications and Error 2008.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Just checking in to see if above information was helpful.
If you have any questions or need further help on this issue, please feel free to post back.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I'm not sure what values go in the .\Configure-EnterprisePartnerApplication.ps1 command. When I run Get-PartnerApplication | fl * I don't see any value listed in the AuthMetadataUrl field and I don't see the ApplicationType field at all. I believe that this Partner App is added by the Exchange Hybrid Wizard, but I can't find anything about it online. Everything I find concerning partner applications has to do with Skype for Business.
To be honest I don't fully understand the relationship between these partner applications and Auth Servers that are appearing in the error messages. I believe the partner application was created by the Hybrid wizard, I know I created the Auth Servers are part of configuring OAuth (https://learn.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help), but I am uncertain how everything is working or what certificates are being reported as different.
Do you mean there are partner applications related to Skype for Business. Then it should be the same situation as the blogs I provided above. To create a partner application for Skype for Business, "https://<serverfqdn>/metadata/json/1" is used for AuthMetadataUrl, and ApplicationType is Lync. We can see the example from Configure-EnterprisePartnerApplication.ps1 file:
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
We also can get more information from:
OAuth authentication,
Configure OAuth authentication with a partner application.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
No we don't use Skype for Business. I was saying that in regards to Partner Applications and Auth Servers with Exchange Online, I haven't found a whole lot. It always seems to be how to configure a partner application for Skype. It is also very possible that of what I have read, I don't fully comprehend it. I did verify that our On-premises Authorization Certificate matches the one uploaded to the Azure Active Directory Access Control Service match, although I am uncertain that this is the certificate that the event log entries are complaining about being different.
And users have never complained right? Thats the thing. I hate to even say it, but I suspect its another "noise" event and doesnt really signify an problem... :(
II think you are right. Exchange just has so many of these types of events. I guess I'll just add it to our list of ignorable events.
Well, since everything works well in your organization, you can ignore them now.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
If it's convenient, you can accept the useful answer. This will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I want to try a few more things the next time the issue occurs before I mark it answered. Based on my previous experience, it should happen again in the next couple weeks.
That's OK. If you have any updates to share, you're welcomed to post here.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Allen Terry
I see this all the time and now just ignore them. There doesnt seem to be an actual issue.
Sometimes this clears it for awhile and its perfectly safe to run:
Get-Federationtrust | Set-FederationTrust –RefreshMetadata
Others have seen this as well:
Yeah I've come across that article too. I was hoping that this was not yet another instance of an ignorable Exchange Warning or Error. The messages had already stopped by the time I could run your command, but when I run it, it says that the command completed successfully, but no settings of 'Microsoft Federation Gateway' have been modified.