Keep your Exchange Federation Trust up-to-date

Monday, July 8, 2019
From time to time, Microsoft refreshes the certificate used by the Microsoft Federation Gateway service in Office 365. They just did this again on July 5, 2019. The MFG is the trust broker used by hybrid organizations and by other on-premises orgs that share free/busy information between them. Most Exchange configurations will update the federation trust metadata automatically, but if your on-premises org is running Exchange 2010 or Exchange 2013 on Windows Server 2008 you will need to update this manually.

Begin by testing to see if the metadata is up-to-date in your org by running the Test-FederationTrust cmdlet in EMS from one of your Exchange servers. The cmdlet normally does not require any switches to run.

Exchange will check AD to confirm that the Federation Trust configuration object exists and is valid, the Token Issuer certificate is valid, and then request a delegation token from the MFG. Here's what a good test looks like in Exchange 2010:

[Screenshot: Test-FederationTrust output from Exchange 2010]
Exchange 2013+ performs a few more detailed tests using a built-in test account:

[Screenshot: Test-FederationTrust output from Exchange 2013]
If you see any validation errors, such as the following, you will need to update your MFG refresh token manually:

Id      : TokenValidation
Type    : Error
Message : Failed to validate delegation token.
You can update AD with the latest Microsoft Federation Gateway certificate one time by running the following cmdlet from EMS on any Exchange server in your org:
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
Once updated, run the Test-FederationTrust cmdlet again to confirm that validation succeeds and the delegation token is valid.

If you want to automate this process, you can create a scheduled task on one of your Exchange servers to update the federation trust once per day. Nothing will actually update in your environment unless Microsoft updates their MFG certificate. Run the following from an elevated CMD prompt or EMS window to create the scheduled task:
Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010;$fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System
Remember, you will only need to do this if your organization runs Exchange 2010 or Exchange 2013 on Windows Server 2008. Later versions of Windows allow Exchange to update the federation trust certificate automatically.
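The test-then-refresh procedure above can be wrapped in one script so the scheduled task only writes to AD when Test-FederationTrust actually reports an error, and so a failure that survives the refresh is surfaced rather than silently repeated each day. The following PowerShell is an added example, not code from the original post; it assumes the Exchange 2010 snap-in name used in the post (on Exchange 2013 the snap-in is Microsoft.Exchange.Management.PowerShell.SnapIn), a hypothetical log path, and that error rows carry Type = Error in the Id/Type/Message shape shown in the sample output.

```powershell
# Added example (not from the original post): refresh the federation trust metadata
# only when Test-FederationTrust reports an error, then re-test and log the result.
param(
    [string]$LogPath = 'C:\ExchangeLogs\FedTrustCheck.log',            # hypothetical path
    [string]$SnapIn  = 'Microsoft.Exchange.Management.PowerShell.E2010' # Exchange 2010 snap-in
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# Load the Exchange snap-in when running outside EMS (e.g. from a scheduled task).
if (-not (Get-PSSnapin -Name $SnapIn -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $SnapIn
}

function Get-FedTrustFailures {
    # Return only the Test-FederationTrust rows whose Type is Error
    # (assumption: the Id/Type/Message shape shown in the post's sample output).
    Test-FederationTrust | Where-Object { $_.Type -eq 'Error' }
}

$failures = @(Get-FedTrustFailures)
if ($failures.Count -eq 0) {
    Write-Log 'Federation trust OK; no refresh needed.'
    exit 0
}

foreach ($f in $failures) {
    Write-Log ('Federation trust check failed: {0}: {1}' -f $f.Id, $f.Message)
}

# Pull the current MFG certificate and metadata into AD (same cmdlets as in the post).
Write-Log 'Refreshing federation trust metadata...'
Get-FederationTrust | Set-FederationTrust -RefreshMetadata

# Re-test; a non-zero exit code lets the scheduled task or your monitoring flag a persistent failure.
$remaining = @(Get-FedTrustFailures)
if ($remaining.Count -eq 0) {
    Write-Log 'Federation trust validated after refresh.'
    exit 0
}
foreach ($f in $remaining) {
    Write-Log ('Still failing after refresh: {0}: {1}' -f $f.Id, $f.Message)
}
exit 1
```

Save the script on an Exchange server and point the scheduled task's /tr at powershell.exe -File <path> instead of the inline -command string; on Exchange 2010 keep the -version 2.0 switch from the post. The exit code (0 for healthy or repaired, 1 for still failing) is visible in Task Scheduler's Last Run Result, so a broken trust shows up without anyone having to read the log.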
