Exchange Team Blog

Keep your Federation Trust up-to-date

The_Exchange_Team
Jan 22, 2021

Updated on 2/10/2021

Microsoft periodically refreshes certificates in Office 365 as part of our effort to maintain a highly available and secure environment. Starting January 23rd, 2021, we are making a certificate change on the Microsoft Federation Gateway that could affect some customers, as detailed in this knowledge base article. Please note that the certificate might be rolled at any time from now on (more information can be found here), which further enhances the security of the environment. The good news is that you can easily avoid any disruption.

Who is affected?

This certificate change can affect any customer that is using the Microsoft Federation Gateway (MFG). If you are in a hybrid configuration that relies on a Federation Trust established with MFG in the Exchange on-premises organization or if you are sharing free/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker, you need to take action.

When will the change occur?

There is no single cut-over date: the certificate can be rolled at any time going forward. You must take action to avoid disruption.

What type of issues will you face if no action is taken?

If you don't take action, you won't be able to use services that rely on the Microsoft Federation Gateway. For example:

  • A cloud user might not be able to see free/busy information for an on-premises user and vice versa.
  • MailTips might not work in a Hybrid configuration.
  • Cross-premises free/busy might stop working between organizations that have organization relationships in place.

Additionally, if you run the Test-FederationTrust cmdlet, you might receive an error message that indicates that the Delegation token has validation issues. For example, you receive an error message that resembles the following:

Id : TokenValidation
Type : Error
Message : Failed to validate delegation token.

You might also receive one of the following error messages in Exchange Web Services (EWS) responses:

An error occurred when processing the security tokens in the message
Autodiscover failed for email address User@contoso.com with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message

What action should you take?

You can use the following command on your Exchange server to create a scheduled task that runs the update process daily. This is how we recommend you keep your Federation Trust continuously updated; it protects you from future metadata changes. The task runs under the account that creates it, so create it from a session with the rights needed to run Set-FederationTrust (a member of the Organization Management role group), and check the task history after the first run to confirm it completed.

Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010; $fedTrust = Get-FederationTrust; Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata"

If you prefer not to use a scheduled task, you can run the following command manually at any time to refresh the metadata. This is not recommended: the metadata can change at any time, and keeping up with it manually is quite cumbersome.

Get-FederationTrust | Set-FederationTrust -RefreshMetadata

Please note that we have seen some situations where this command has to be run twice to succeed. After refreshing, run Test-FederationTrust again and confirm that the TokenValidation step no longer reports an Error.
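The procedure above (refresh the metadata daily, retry when the first refresh does not take, verify with Test-FederationTrust) as a single script, written here as an added example; it is not code from the original post or from Microsoft. The script path, log path, task name, 3 AM schedule and the choice to run the task as LocalSystem are assumptions; on an Exchange server the local snap-in uses the computer account's Active Directory rights (it is a member of Exchange Trusted Subsystem), and if Set-FederationTrust is denied in your environment, register the task under an Organization Management account instead.

```powershell
<#
Refresh-FederationTrust.ps1 (added example, not from the original post)
Save on an Exchange server, e.g. C:\Scripts\Refresh-FederationTrust.ps1 (assumed path),
then register the daily task once from an elevated Exchange admin session:
    .\Refresh-FederationTrust.ps1 -Register
Without -Register the script performs the refresh and verification.
#>
[CmdletBinding()]
param(
    [switch]$Register,
    [string]$LogPath  = 'C:\Scripts\FedRefresh.log',   # assumed log location
    [string]$TaskName = 'FedRefresh'                    # assumed task name
)

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

if ($Register) {
    # Run this same file daily under LocalSystem. Assumption: the computer account's
    # Exchange Trusted Subsystem membership is sufficient for Set-FederationTrust.
    # Use -File rather than a long -command string so quoting cannot break the task.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 3am
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
    Write-Host "Registered task '$TaskName' to run $PSCommandPath daily at 03:00."
    return
}

# Load the Exchange snap-in. The E2010 snap-in name is the one Exchange 2013/2016/2019
# register locally as well. Do not launch powershell.exe with "-version 2.0": that needs
# .NET Framework 2.0, which current servers do not have installed.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction Stop

$trust = Get-FederationTrust
if (-not $trust) {
    Write-Log 'No federation trust is configured; nothing to refresh.'
    exit 0
}

# Refresh the metadata, retrying once: the post notes the refresh sometimes has to
# run twice before it succeeds.
$refreshed = $false
for ($attempt = 1; $attempt -le 2 -and -not $refreshed; $attempt++) {
    try {
        Set-FederationTrust -Identity $trust.Name -RefreshMetadata -ErrorAction Stop
        Write-Log "Attempt ${attempt}: refreshed metadata for trust '$($trust.Name)'."
        $refreshed = $true
    } catch {
        Write-Log "Attempt ${attempt}: refresh failed: $($_.Exception.Message)"
    }
}

# Verify. Test-FederationTrust returns one record per step with Id, Type and Message;
# a stale trust shows Id 'TokenValidation' with Type 'Error', the symptom described in
# the post. Exit non-zero on any Error so the failure is visible in Task Scheduler.
$failures = Test-FederationTrust | Where-Object { $_.Type -eq 'Error' }
if ($failures) {
    foreach ($f in $failures) { Write-Log "Test-FederationTrust $($f.Id): $($f.Message)" }
    exit 1
}
Write-Log 'Test-FederationTrust passed; federation trust metadata is current.'
exit 0
```

The verification step is what turns a blind daily refresh into something you can alert on: a non-zero last run result in Task Scheduler, or a TokenValidation line in the log, tells you the trust is stale before users report missing free/busy or MailTips.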

The Exchange Hybrid Team


Comments

  • kuglidani

    Hi,

    Running the scheduled task (Windows Server 2016) results in exit code 4294901760 (0xFFFF0000). As a workaround, I pasted the commands into a ps1 file and modified the action to run the ps1 script - it appears to be working.

  • Neil_Flanagan

    Be careful of using the scheduled task creation command listed here and in https://docs.microsoft.com/en-US/exchange/troubleshoot/calendars/freebusy-lookups-stop-working. On our Exchange 2019 server the command line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010" gives you "Version v2.0.50727 of the .NET Framework is not installed and it is required to run version 2.0 of Windows PowerShell." If you cut out the "-version 2.0" it works fine.

  • DavidH38

    Hi

    Can this be run in two data centres at the same time to help with DR?

  • Shmeker, that is correct. If IntraOrganization Connectors are present and enabled on both sides and have the required domains set on them, then Hybrid F/B requests will use IOCs / OAuth between on-premises and cloud. However, there are other (Hybrid) functionalities that rely on the Federation Trust and Organization Relationships (MailTips, cross-premises archive access in OWA), as well as cross-premises Free/Busy for Exchange organizations that are federated with MFG and use Organization Relationships for it.

  • Shmeker

    Probably a stupid question, but I would like to confirm - if the organization has a hybrid connection and utilizes the intra-organization connector (IOC) for the free/busy information, is this organization impacted by the information in this article?

    I would assume it is not affected, because, as described in this article, when an IOC is used the on-prem Exchange goes to the Azure ACS OAuth endpoint to get the delegation token. In that case I would not need to set up the scheduled task suggested here.

    In case organization relationships are being used and IOC is not used then on-prem Exchange goes to MFG and then the organization would be impacted by the information of this article.

    Please confirm if this assumption is correct. Thank you.