Begin by testing to see if the metadata is up-to-date in your org by running the Test-FederationTrust cmdlet in EMS from one of your Exchange servers. The cmdlet normally does not require any switches to run.
Exchange will check AD to confirm that the Federation Trust configuration object exists and is valid and that the Token Issuer certificate is valid, and will then request a delegation token from the Microsoft Federation Gateway (MFG). Here's what a good test looks like in Exchange 2010 and Exchange 2013:
[Screenshot: Test-FederationTrust output from Exchange 2010]
[Screenshot: Test-FederationTrust output from Exchange 2013]
By contrast, a test that fails because the trust holds stale MFG metadata reports an error on the TokenValidation step:

Id : TokenValidation
Type : Error
Message : Failed to validate delegation token.

You can update AD with the latest Microsoft Federation Gateway certificate one time by running the following cmdlet from EMS on any Exchange server in your org:
Get-FederationTrust | Set-FederationTrust -RefreshMetadata

Once updated, run the Test-FederationTrust cmdlet again to confirm that the validation succeeds and the delegation token is valid.
If you want to automate this process, you can create a scheduled task on one of your Exchange servers to update the federation trust once per day. Nothing will actually update in your environment unless Microsoft updates their MFG certificate. Run the following from an elevated CMD prompt or EMS window to create the scheduled task:
Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010;$fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System

Remember, you will only need to do this if your organization runs Exchange 2010 or Exchange 2013 on Windows Server 2008. Later versions of Windows allow Exchange to update the federation trust certificate automatically.
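As an added example that is not part of the original post, the following PowerShell wraps the same cmdlets so a scheduled run refreshes the metadata only when Test-FederationTrust actually reports an error, and re-tests afterwards so the run leaves a record of whether the refresh fixed anything. It assumes an EMS session (or the E2010 snap-in loaded as in the Schtasks command above); the function names are my own.

```powershell
# Added example (not from the original post): refresh federation trust metadata
# only when Test-FederationTrust reports an error, and re-test afterwards.
# Assumes Exchange cmdlets are available (EMS session or E2010 snap-in loaded).

function Get-FederationTrustErrors {
    # Test-FederationTrust emits one result per check, each with Id, Type and
    # Message (the same fields shown in the failed output quoted above).
    # Keep only the results whose Type is Error.
    Test-FederationTrust | Where-Object { $_.Type -eq 'Error' }
}

function Update-FederationTrustIfStale {
    $before = @(Get-FederationTrustErrors)
    if ($before.Count -eq 0) {
        Write-Output "Federation trust OK; no metadata refresh needed."
        return
    }

    foreach ($r in $before) {
        Write-Warning ("Before refresh - {0}: {1}" -f $r.Id, $r.Message)
    }

    # Pull the current Microsoft Federation Gateway metadata (certificate) into AD,
    # exactly as the one-time command in the post does.
    Get-FederationTrust | Set-FederationTrust -RefreshMetadata

    # Re-test so the scheduled run records whether the refresh cleared the error.
    $after = @(Get-FederationTrustErrors)
    if ($after.Count -eq 0) {
        Write-Output "Metadata refreshed; Test-FederationTrust now passes."
    } else {
        # A metadata refresh only fixes a stale MFG certificate; anything still
        # failing here (e.g. the trust object or Token Issuer certificate) needs
        # separate attention, so surface it rather than hiding it.
        foreach ($r in $after) {
            Write-Warning ("Still failing after refresh - {0}: {1}" -f $r.Id, $r.Message)
        }
    }
}

Update-FederationTrustIfStale
```

Point the scheduled task at this script instead of the unconditional Set-FederationTrust call if you want the task's output to show when the MFG certificate actually changed.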