Note: for the latest developments on this subject, please see our new post with the same name.
Microsoft periodically refreshes certificates in Office 365 as part of our effort to maintain a highly available and secure environment. On September 23, 2014, we are making a certificate change on our Microsoft Federation Gateway that could affect some customers as detailed in knowledge base article 2928514. The good news is, you can easily avoid any disruption.
Who is affected?
This certificate change can affect any customer that is using the Microsoft Federation Gateway. If you are in a hybrid configuration or if you are sharing free/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker, you need to take action.
When will the change occur?
The change is scheduled to occur on September 23, 2014. You must take action before then to avoid any disruption.
What type of issues will you face if no action is taken?
If you don't take action, you won't be able to use services that rely on the Microsoft Federation Gateway. For example:
- A cloud user won't be able to see free/busy information for an on-premises user and vice versa.
- MailTips will not work in a Hybrid configuration.
- Cross-premises free/busy will stop working between organizations that have organization relationships in place.
What action should you take?
If you’re using Exchange Server 2013 SP1 or later, no action is required. In Exchange 2013 SP1 this is a common task that happens automatically. Installing the latest version of Exchange Server 2013 will make this an automated task for you.
Update: if you are running Windows Server 2008 with Exchange 2013, the automatic update feature will not work (it will only work with Windows Server 2012). Therefore, you should instead follow the instructions below to update your metadata.
If you are not running Exchange 2013 SP1 or later, you can create a scheduled task to keep your Federation Trust up-to-date. You can use the following command on your Exchange Server to create a scheduled task to run the update process periodically. This is how we recommend you keep your Federation Trust constantly updated. This will prevent you from being negatively affected by future metadata changes.
Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010;$fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System
If you prefer to not use a scheduled task, you can manually run the command at any time to refresh the metadata. If you choose a manual option, it is still best practice to update Federation information at least monthly.
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
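One way to confirm that a refresh actually picked up new metadata, shown as an added example that is not part of the original post: it records the token-issuer certificate thumbprint of each trust, runs the manual refresh command above, reports whether the certificate changed and how long it remains valid, and checks that the FedRefresh task is registered. It assumes that the TokenIssuerCertificate property returned by Get-FederationTrust exposes Thumbprint and NotAfter; the function name Get-TrustCertState is hypothetical.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Assumption: TokenIssuerCertificate is a certificate object exposing
# Thumbprint and NotAfter, as shown by Get-FederationTrust | Format-List.

function Get-TrustCertState {
    # One summary object per federation trust (PowerShell 2.0 compatible).
    Get-FederationTrust | ForEach-Object {
        New-Object PSObject -Property @{
            Name       = $_.Name
            Thumbprint = $_.TokenIssuerCertificate.Thumbprint
            NotAfter   = $_.TokenIssuerCertificate.NotAfter
        }
    }
}

# Record the token-issuer certificate thumbprints before the refresh.
$before = @{}
Get-TrustCertState | ForEach-Object { $before[$_.Name] = $_.Thumbprint }

# The manual refresh command from the post.
Get-FederationTrust | Set-FederationTrust -RefreshMetadata

# Compare after the refresh and show the remaining validity of each certificate.
Get-TrustCertState | ForEach-Object {
    $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
    New-Object PSObject -Property @{
        Name        = $_.Name
        Thumbprint  = $_.Thumbprint
        CertChanged = ($before[$_.Name] -ne $_.Thumbprint)
        DaysLeft    = $daysLeft
    }
} | Format-Table Name, CertChanged, DaysLeft, Thumbprint -AutoSize

# Confirm the FedRefresh task created by the Schtasks command is registered.
schtasks /query /tn FedRefresh 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Scheduled task FedRefresh not found; metadata will not refresh automatically."
}
```

CertChanged reading False is normal when the gateway has not published a new certificate since the previous refresh.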
Jim Lucey
You Had Me at EHLO.