Help with UpdateNonceCertificate error when setting up OIDC on SharePoint Subscription Edition

Carlson, Eric 0 Reputation points
2025-06-11T13:26:28.88+00:00

I am working through step 2 on Set up OIDC authentication in SharePoint Server with Microsoft Entra

Our SharePoint server environment is patched up to May 2025 and has Feature Preference set to "Early Release".

I have copied and customized the script for getting the farm set up to work with OIDC.

# Set up farm properties to work with OIDC
# Create the Nonce certificate
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
# Import certificate to Certificate Management
$certPath = "C:\scripts\nonce.pfx"
$certPassword = ConvertTo-SecureString -String "P@SsW0Rds Ch4ngD 4 N0W." -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $certPath -Password $certPassword
$nonceCert = Import-SPCertificate -Path $certPath -Password $certPassword -Store "EndEntity" -Exportable:$true
# Update farm property
$farm = Get-SPFarm
$farm.UpdateNonceCertificate($nonceCert,$true)

The script runs and creates the file, but on the last line that says UpdateNonceCertificate, I am getting an error:

	PS C:\scripts> .\nonce.ps1
		
	    Directory: C:\scripts
		
	Mode                 LastWriteTime         Length Name
	----                 -------------         ------ ----
	-a----         5/23/2025   2:08 PM           2697 nonce.pfx
	Exception calling "UpdateNonceCertificate" with "2" argument(s): "An object of the type
	Microsoft.SharePoint.Administration.SPServerCertificateDeploymentJobDefinition named "Provisioning Certificate _e3916e26-9876-4772-9f9c-423e845e9f8a"
	already exists under the parent Microsoft.SharePoint.Administration.SPTimerService named "SPTimerV4".  Rename your object or delete the existing object."
	At C:\scripts\nonce.ps1:16 char:1
	+ $farm.UpdateNonceCertificate($nonceCert,$true)
	+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
	    + FullyQualifiedErrorId : SPDuplicateObjectException
	
	PS C:\scripts>

I also see that the cert is appearing in Central Administration:

[screenshot attached to the original post: the certificate listed in Central Administration]

I don't know what is up with that last line "UpdateNonceCertificate" failing to update the farm.

Any ideas?

Microsoft 365 and Office | SharePoint Server | Development

1 answer

  1. Jack-Bu 5,490 Reputation points Microsoft External Staff Moderator
    2025-06-11T15:14:19.47+00:00

    Hi Carlson, Eric

    Good day! Thank you for posting your question in the Microsoft Q&A forum. 

    I understand that when you tried running the script to configure OIDC authentication in SharePoint Server, you encountered an error on the UpdateNonceCertificate line. Interestingly, when checking the certificate in Central Administration, it appears to be present, which understandably causes confusion.

    This issue is most likely due to SharePoint attempting to create a timer job to deploy the nonce certificate, but a job with the same name already exists. This can happen if a previous attempt to run UpdateNonceCertificate was interrupted or failed, leaving the timer job behind. 

    You can refer to the official documentation on Timer job reference for SharePoint Server – Microsoft Learn to understand timer jobs and how to manage them via SharePoint Central Administration. Specifically, navigate to Central Administration > Monitoring > Timer Jobs to check the Timer Job Status and Job Definitions pages. These pages allow you to see if a timer job with the same name is already scheduled or running.

    Suggested Solutions: 

    • If the job is still running or queued, you might just need to wait a few minutes and try running the script again. 
    • To manually remove the existing timer job, you can use the following PowerShell script: 

    $timerService = Get-SPTimerService
    # Where-Object may return more than one job, so always treat the result as an array
    $existingJobs = @($timerService.JobDefinitions | Where-Object { $_.Name -like "Provisioning Certificate*" })
    if ($existingJobs.Count -gt 0) {
        foreach ($job in $existingJobs) {
            # Delete() removes the persisted job definition from the timer service
            $job.Delete()
            Write-Host "Deleted existing timer job: $($job.Name)"
        }
    } else {
        Write-Host "No existing timer job found."
    }

    After deleting the job, re-run your UpdateNonceCertificate script. Make sure to start the SharePoint Management Shell as a farm administrator to ensure you have the necessary permissions to execute these commands. 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".         

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.   
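A re-runnable version of the "clean up the leftover job, then retry" procedure from the answer above, as an added example that is not code from the original question, the answer, or Microsoft's documentation. It assumes the SharePoint Management Shell is running as a farm administrator, that the nonce certificate was already imported with Import-SPCertificate, and that `Get-SPCertificate -Identity` accepts the certificate's thumbprint (SPServerCertificatePipeBind). The parameter names and the five-minute "recently ran" threshold are the example's own choices. Unlike the one-liner in the answer, it filters on the job type named in the exception instead of only the name prefix, refuses to delete anything unless `-RemoveStaleJobs` is passed, skips a job that ran in the last few minutes (it may be a deployment still in progress, which is the "wait and retry" case the answer mentions), and removes the exported PFX once the certificate is in the SharePoint store, since that file holds the private key.

```powershell
# Added example, not from the original post. Run in the SharePoint Management Shell
# as a farm administrator after the nonce certificate has been imported.
param(
    [Parameter(Mandatory = $true)] [string] $NonceCertThumbprint,   # thumbprint of the imported nonce cert
    [string] $LeftoverPfxPath = 'C:\scripts\nonce.pfx',             # path used by the script in the question
    [switch] $RemoveStaleJobs                                       # opt in to deletion; default only reports
)

$ErrorActionPreference = 'Stop'
# Job type named in the SPDuplicateObjectException message
$deploymentJobType = 'Microsoft.SharePoint.Administration.SPServerCertificateDeploymentJobDefinition'

# 1. Enumerate certificate deployment jobs owned by the timer service
#    (the SPTimerV4 parent object from the error message).
$timerService = Get-SPTimerService
$certJobs = @($timerService.JobDefinitions |
    Where-Object { $_.GetType().FullName -eq $deploymentJobType })

if ($certJobs.Count -eq 0) {
    Write-Host 'No certificate deployment jobs found; nothing to clean up.'
} else {
    Write-Host ("Found {0} certificate deployment job(s):" -f $certJobs.Count)
    $certJobs | Select-Object Name, Status, LastRunTime | Format-Table -AutoSize | Out-String | Write-Host
}

# 2. Remove only leftover "Provisioning Certificate ..." jobs, and only when asked.
#    A job that ran within the last five minutes may still be deploying a certificate.
$stale = @($certJobs | Where-Object { $_.Name -like 'Provisioning Certificate*' })
if ($RemoveStaleJobs) {
    foreach ($job in $stale) {
        if ($job.LastRunTime -gt (Get-Date).AddMinutes(-5)) {
            Write-Warning ("Skipping '{0}': it ran at {1} and may still be deploying." -f $job.Name, $job.LastRunTime)
            continue
        }
        Write-Host ("Deleting stale timer job '{0}'" -f $job.Name)
        $job.Delete()
    }
} elseif ($stale.Count -gt 0) {
    Write-Warning 'Stale job(s) present; re-run with -RemoveStaleJobs to delete them before retrying.'
    return
}

# 3. Retry the farm update with the certificate already in the SharePoint store
#    (no second Import-SPCertificate, no PFX password on the command line).
$nonceCert = Get-SPCertificate -Identity $NonceCertThumbprint
$farm = Get-SPFarm
try {
    $farm.UpdateNonceCertificate($nonceCert, $true)
    Write-Host 'UpdateNonceCertificate succeeded.'
} catch {
    $inner = $_.Exception.InnerException
    if ($inner -and $inner.GetType().Name -eq 'SPDuplicateObjectException') {
        Write-Warning 'Still a duplicate: check Central Administration > Monitoring > Timer Jobs > Job Definitions.'
    }
    throw
}

# 4. The PFX exported by the setup script contains the private key; once the
#    certificate is in the SharePoint store it should not remain on disk.
if (Test-Path $LeftoverPfxPath) {
    Remove-Item $LeftoverPfxPath -Force
    Write-Host "Removed leftover PFX: $LeftoverPfxPath"
}
```

Run it once without the switch to see what the timer service holds (`.\Retry-NonceCertificate.ps1 -NonceCertThumbprint <thumbprint>`), confirm the listed job is the stale one from your earlier failed run, then run again with `-RemoveStaleJobs`. Filtering on the job type rather than the name alone avoids deleting an unrelated job that happens to share the prefix, and refusing to delete by default keeps the script safe to run on a farm where another administrator may have a certificate deployment in flight.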

