This is great, but the struggle I'm having is that my Exchange 2010 server wants to use an old proxy server to access the internet. Here's what I've tried:
1. I made sure it was removed from internet options
3. Ran the netsh proxy reset command (It shows direct connection)
3. Removed it from the HKLU registry for all users on the box
4. Searched all Exchange/IIS .config files for any trace of the proxy server name.
5. Browsed to the nexus federation metadata file without an issue.
6. Rebooted the server
Any other thoughts? When I run the command:
New-FederationTrust -Name 'Microsoft Federation Gateway' -Thumbprint 1E60F7D21795D75F0CC51CA22644251BFD4D1CDA -Verbose
Here's what I get:
VERBOSE: [21:08:01.167 GMT] New-FederationTrust : Active Directory session settings for 'New-FederationTrust' are: View Entire Forest: 'False', Default Scope: 'mydomain.local', Configuration Domain Controller: 'mydc.mydomain.local', Preferred Global
Catalog: 'mydc.mydomain.local', Preferred Domain Controllers: '{ mydc.mydomain.local}'
VERBOSE: [21:08:01.167 GMT] New-FederationTrust : Runspace context: Executing user: mydomain.local/Users and Groups/Network Admins/Admin, Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [21:08:01.167 GMT] New-FederationTrust : Beginning processing &
VERBOSE: [21:08:01.167 GMT] New-FederationTrust : Instantiating handler with index 0 for cmdlet extension agent "Admin Audit Log Agent".
VERBOSE: [21:08:01.183 GMT] New-FederationTrust : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s):
{}, Exclusive Configuration Scope(s): {} }
VERBOSE: [21:08:01.183 GMT] New-FederationTrust : Processing object "Microsoft Federation Gateway".
VERBOSE: [21:08:01.183 GMT] New-FederationTrust : Searching the local certificate store for a certificate with thumbprint "1E60F7D21795D75F0CC51CA22644251BFD4D1CDA".
VERBOSE: [21:08:01.198 GMT] New-FederationTrust : Admin Audit Log: Entered Handler:Validate.
VERBOSE: [21:08:01.198 GMT] New-FederationTrust : Admin Audit Log: Exited Handler:Validate.
VERBOSE: Creating new Federation Trust "Microsoft Federation Gateway" for federation partner "LiveId". Federation certificate has thumbprint "1E60F7D21795D75F0CC51CA22644251BFD4D1CDA".
VERBOSE: [21:08:01.198 GMT] New-FederationTrust : Resolved current organization: .
VERBOSE: [21:08:01.198 GMT] New-FederationTrust : Requesting Federation Metadata from https://nexus.passport.com/FederationMetadata/2006-12/FederationMetadata.xml.
VERBOSE: [21:08:22.212 GMT] New-FederationTrust : Failed to retrieve Federation Metadata from the Microsoft Federation Gateway. This operation will be retried in a few seconds. Last error: System.Net.WebException: Unable to connect to the
remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
10.50.10.50:1050
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Management.FederationProvisioning.PartnerFederationMetadata.GetFederationMetadataXPathDocument(Uri partnerFederationMetadataEpr).
VERBOSE: [21:08:48.248 GMT] New-FederationTrust : Failed to retrieve Federation Metadata from the Microsoft Federation Gateway. This operation will be retried in a few seconds. Last error: System.Net.WebException: Unable to connect to the
remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
10.50.10.50:1050
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Management.FederationProvisioning.PartnerFederationMetadata.GetFederationMetadataXPathDocument(Uri partnerFederationMetadataEpr).
VERBOSE: [21:09:14.269 GMT] New-FederationTrust : Admin Audit Log: Entered Handler:OnComplete.
VERBOSE: [21:09:14.285 GMT] New-FederationTrust : Admin Audit Log: Exited Handler:OnComplete.
Unable to access the Federation Metadata document from the federation partner. Detailed information: "Unable to connect to the remote server".
+ CategoryInfo : MetadataError: (:) [New-FederationTrust], FederationMetadataException
+ FullyQualifiedErrorId : B77AC03F,Microsoft.Exchange.Management.SystemConfigurationTasks.NewFederationTrust
VERBOSE: [21:09:14.285 GMT] New-FederationTrust : Ending processing &
Please note: We do not have a proxy server.
What service actually handles the call to the federation? (Hoping to dive deeper with Process Explorer). Any other thoughts?
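
The checks listed in the post (per-user Internet Settings, the netsh proxy state, and .config files) can be repeated in one read-only pass. This is an added example, not part of the original post. The search string is the address from the error output above; the config search roots, including the `ExchangeInstallPath` environment variable, are assumptions to adjust for the server.

```powershell
# Added example: re-runs the proxy checks from the post in one pass (read-only).
param(
    # Strings to look for; 10.50.10.50 is the address in the post's error output.
    [string[]]$Needle = @('10.50.10.50'),
    # Assumed config locations; adjust to the server's actual layout.
    [string[]]$ConfigRoot = @(
        $env:ExchangeInstallPath,
        "$env:windir\Microsoft.NET",
        "$env:windir\System32\inetsrv\config"
    )
)

# Hypothetical helper: reads the proxy-related values from one Internet Settings key.
function Get-IEProxyValue([string]$KeyPath, [string]$Owner) {
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($p) {
        New-Object PSObject -Property @{
            Owner = $Owner; ProxyEnable = $p.ProxyEnable
            ProxyServer = $p.ProxyServer; AutoConfigURL = $p.AutoConfigURL
        }
    }
}

$ieKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Per-user settings for every hive currently loaded under HKEY_USERS
#    (this includes service accounts such as S-1-5-18, LocalSystem).
$perUser = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-IEProxyValue "Registry::$($_.Name)\$ieKey" $_.PSChildName }

# 2. Machine-wide WinHTTP proxy (the setting "netsh winhttp reset proxy" clears).
$winHttp = netsh winhttp show proxy

# 3. .config files that still mention the old proxy.
$configHits = $ConfigRoot | Where-Object { $_ -and (Test-Path $_) } | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -Include *.config -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-String -Pattern $Needle -SimpleMatch
}

'--- HKEY_USERS Internet Settings ---'
$perUser | Where-Object { $_.ProxyServer -or $_.AutoConfigURL } |
    Format-Table Owner, ProxyEnable, ProxyServer, AutoConfigURL -AutoSize
'--- WinHTTP ---'
$winHttp
'--- Config file matches ---'
$configHits | Select-Object Path, LineNumber, Line | Format-List
```

Only hives loaded at the time of the run appear under HKEY_USERS, so profiles of logged-off users are not covered.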