Exchange Team Blog

Keep your Federation Trust up-to-date

Sep 10, 2014

Note: for the latest developments on this subject, please see our new post with the same name.

Microsoft periodically refreshes certificates in Office 365 as part of our effort to maintain a highly available and secure environment. On September 23, 2014, we are making a certificate change on our Microsoft Federation Gateway that could affect some customers as detailed in knowledge base article 2928514. The good news is, you can easily avoid any disruption.

Who is affected?

This certificate change can affect any customer that is using the Microsoft Federation Gateway. If you are in a hybrid configuration, or if you are sharing free/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker, you need to take action.

When will the change occur?

The change is scheduled to occur on September 23, 2014. You must take action before then to avoid any disruption.

What type of issues will you face if no action is taken?

If you don't take action, you won't be able to use services that rely on the Microsoft Federation Gateway. For example:

  • A cloud user won't be able to see free/busy information for an on-premises user and vice versa.
  • MailTips will not work in a Hybrid configuration.
  • Cross-premises free/busy will stop working between organizations that have organization relationships in place.

What action should you take?

If you're using Exchange Server 2013 SP1 or later, no action is required: starting with Exchange 2013 SP1, the federation metadata refresh is a built-in task that runs automatically. Installing the latest version of Exchange Server 2013 will make this an automated task for you.

Update: if you are running Windows Server 2008 with Exchange 2013, the automatic update feature will not work (it will only work with Windows Server 2012). Therefore, you should instead follow the below instructions to update your metadata.

If you are not running Exchange 2013 SP1 or later, you can create a scheduled task to keep your Federation Trust up-to-date. You can use the following command on your Exchange Server to create a scheduled task to run the update process periodically. This is how we recommend you keep your Federation Trust constantly updated. This will prevent you from being negatively affected by future metadata changes.

Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010;$fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System

If you prefer to not use a scheduled task, you can manually run the command at any time to refresh the metadata. If you choose a manual option, it is still best practice to update Federation information at least monthly.

Get-FederationTrust | Set-FederationTrust -RefreshMetadata
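The manual refresh above gives no direct confirmation of what changed. The following script is an added example, not part of the original post, that wraps the same Set-FederationTrust -RefreshMetadata call so it fails loudly when no trust is returned and reports the Microsoft Federation Gateway token-issuer certificate thumbprint before and after the refresh. It assumes it runs in the Exchange Management Shell (or after the Add-PSSnapIn line used in the scheduled task) with rights to modify the federation trust; the helper name Update-FederationTrustMetadata is ours.

```powershell
# Added example (not from the original post): refresh Federation Trust metadata
# and report whether the Microsoft Federation Gateway token-issuer certificate
# changed. Assumes the Exchange cmdlets are loaded; Update-FederationTrustMetadata
# is a hypothetical helper name chosen for this example.

function Update-FederationTrustMetadata {
    [CmdletBinding()]
    param()

    $trusts = @(Get-FederationTrust)
    if ($trusts.Count -eq 0) {
        # Fail with a clear message instead of a later "$null.Name" error.
        throw "No federation trust found in this organization; nothing to refresh."
    }

    foreach ($trust in $trusts) {
        $before = $trust.TokenIssuerCertificate
        Write-Verbose ("{0}: token issuer certificate before refresh: {1} (expires {2})" -f `
            $trust.Name, $before.Thumbprint, $before.NotAfter)

        # Pull fresh metadata from the Microsoft Federation Gateway.
        Set-FederationTrust -Identity $trust.Name -RefreshMetadata -ErrorAction Stop

        # Re-read the trust; the object already in memory is not updated by the refresh.
        $after = (Get-FederationTrust -Identity $trust.Name).TokenIssuerCertificate

        [pscustomobject]@{
            Trust            = $trust.Name
            ThumbprintBefore = $before.Thumbprint
            ThumbprintAfter  = $after.Thumbprint
            ExpiresAfter     = $after.NotAfter
            Changed          = ($before.Thumbprint -ne $after.Thumbprint)
        }
    }
}

# Run the refresh and keep the table as a record: a row with Changed = True means
# the gateway certificate rolled and the on-premises copy is now current.
Update-FederationTrustMetadata -Verbose | Format-Table -AutoSize
```

Run it once before the announced change date and once after; a thumbprint that stays the same across the change date means the scheduled refresh is not reaching the gateway and should be investigated.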

Jim Lucey

Updated Feb 10, 2021
Version 3.0
  • If I Refresh Metadata today will we be fine after the switch?

    Or do we need to wait until after the update and then run it?

  • I had issues with the scheduled task -- it failed to run due to the fact that the $fedTrust object was $null and thus failed to access the .Name property. I'm not sure why, but it just doesn't seem to pass along the $fedTrust object created. I modified it as follows and it seems to work properly --

    Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010;Set-FederationTrust -Identity (Get-FederationTrust).Name -RefreshMetadata" /ru System

  • Does this operation have to carry it out with all Hybrid servers?
  • Schedule of September 23, 2014 is American time? Do you have any idea of exactly what time it will be scheduled on?
  • We've got a Hybrid configuration where we have federation trust between o365 and our on-premise Exchange 2010 Standard Edition. I just tried running the command you've provided above but I am getting the error saying Access is Denied. Please help !!
  • We run Exchange 2010 but Federate with 2 sites. I just want to understand, does it matter when myself and these 2 other sites (also running Exchange 2010) refresh metadata, as long as all 3 of us do it before 9/23 ?
  • Hello, is there regular schedule MS will update certificate on Fed GW for example each 23 of a month or it can happen any day of the month or even several times a month?
  • So, what is the correct (new) version after refreshed the metadata? How can I check if I ran the command correctly?