Federation Trust in Hybrid Exchange

%3CLINGO-SUB%20id%3D%22lingo-sub-2538485%22%20slang%3D%22en-US%22%3EFederation%20Trust%20in%20Hybrid%20Exchange%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2538485%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3Ewe%20have%20a%20Hybrid%20Exchange%20environment%20in%20'Full%20Hybrid'%20configuration.%20The%20on-premises%20setup%20consists%20of%20one%20Exchange%202016%20server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20noticed%20several%20recurring%20errors%20in%20the%20application%20log%20of%20the%20on-premises%20exchange%20server.%3CBR%20%2F%3Esource%3A%26nbsp%3BMSExchange%20Common%2C%20event%20id%26nbsp%3B401%2C%20level%3A%20error%3C%2FP%3E%3CP%3E%3CEM%3EThe%20organization%20certificate%20named%20'618F92187B527A8EDEA1C4C763F8B8BA0CAFE413'%20in%20the%20Federation%20Trust%20object%20'Microsoft%20Federation%20Gateway'%20cannot%20be%20found%20in%20the%20computer's%20certificate%20store.%20Please%20review%20the%20Federation%20Trust%20properties%20and%20the%20certificates%20present%20in%20the%20certificate%20store%20of%20the%20server.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eas%20well%20as%3A%3C%2FP%3E%3CP%3Esource%3A%20MSExchange%20Certificate%20Deployment%2C%20event%20id%202005%2C%20level%3A%26nbsp%3Bwarning%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EFederation%20or%20Auth%20certificate%20not%20found%3A%20618F92187B527A8EDEA1C4C763F8B8BA0CAFE413.%20Unable%20to%20find%20the%20certificate%20in%20the%20local%20or%20neighboring%20sites.%20Confirm%20that%20the%20certificate%20is%20available%20in%20your%20topology%20and%20if%20necessary%2C%20reset%20the%20certificate%20on%20the%20Federation%20Trust%20to%20a%20valid%20certificate%20using%20Set-FederationTrust%20or%20Set-AuthConfig.%20The%20certificate%20may%20take%20time%20to%20propagate%20to%20the%20local%20or%20neighboring%20sites.%3C%2FEM%3E%3C%2FP%3E%3CP%3EI%20have%20been%20able%20to%20verify%20that%20the%20missing%20certificate%20does%20not%20exist%20in%20the%20certificate%20store.%20The%20server%20does%20have%20a%20certificate%20named%20'Microsoft%20Exchange%20Server%20Auth%20Certificate%22%20in%20the%20certificate%20store%20but%20its%20thumb%20print%20does%20not%20match%20the%20one%20mentioned%20in%20the%20event%20log%20error.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20run%26nbsp%3Bget-FederationTrust%20%7C%20fl%2C%20I'm%20getting%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%5BPS%5D%20C%3A%5CWindows%5Csystem32%26gt%3Bget-FederationTrust%20%7C%20fl%0A%0A%0ARunspaceId%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%2062c9c6bb-0393-45e4-a24c-e3071bb585fc%0AApplicationIdentifier%20%20%20%20%20%20%20%20%3A%200000000040057966%0AApplicationUri%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%20FYDIBOHF25SPDLT.***.com%0AOrgCertificate%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%20%5BSubject%5D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20CN%3DFederation%0A%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5BIssuer%5D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20CN%3DFederation%0A%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5BSerial%20Number%5D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%201FF0CE76F8A189B2479F0014E568B52A%0A%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5BNot%20Before%5D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%209%2F16%2F2018%201%3A43%3A36%20PM%0A%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5BNot%20After%5D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%209%2F16%2F2023%201%3A43%3A36%20PM%0A%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5BThumbprint%5D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20618F92187B527A8EDEA1C4C763F8B8BA0CAFE413%0A%0AOrgNextCertificate%20%20%20%20%20%20%20%20%20%20%20%3A%0AOrgPrevCertificate%20%20%20%20%20%20%20%20%20%20%20%3A%0AOrgPrivCertificate%20%20%20%20%20%20%20%20%20%20%20%3A%20618F92187B527A8EDEA1C4C763F8B8BA0CAFE413%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20solution%20should%20be%20obvious%3A%20I%20need%20to%20replace%20the%20federation%20trust%20certificate.%20This%20is%20where%20things%20get%20interesting%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20working%20with%20the%20document%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Frenew-the-federation-certificate-exchange-2013-help%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EReplace%20an%20expired%20federation%20certificate%3C%2FA%3E.%20As%20I%20mentioned%20above%2C%20a%20new%20certificate%20already%20exists%20in%20the%20store.%20I%20need%20to%20update%20the%20federation%20trust%20to%20use%20the%20new%20certificate.%20As%20per%20instructions%2C%20I%20need%20to%20remove%20all%20federated%20domains%20first.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%5BPS%5D%20C%3A%5CWindows%5Csystem32%26gt%3BRemove-FederatedDomain%20-DomainName%20***.com%20-Force%0A%0AConfirm%0AAre%20you%20sure%20you%20want%20to%20perform%20this%20action%3F%0ARemoving%20federated%20domain%20%22***.com%20on%20organization%20%22***%22.%0A%5BY%5D%20Yes%20%20%5BA%5D%20Yes%20to%20All%20%20%5BN%5D%20No%20%20%5BL%5D%20No%20to%20All%20%20%5B%3F%5D%20Help%20(default%20is%20%22Y%22)%3A%0AFederation%20certificate%20with%20the%20thumbprint%20%22618F92187B527A8EDEA1C4C763F8B8BA0CAFE413%22%20cannot%20be%20found.%0A%20%20%20%20%2B%20CategoryInfo%20%20%20%20%20%20%20%20%20%20%3A%20InvalidResult%3A%20(%3A)%20%5BRemove-FederatedDomain%5D%2C%20FederationCertificateInvalidException%0A%20%20%20%20%2B%20FullyQualifiedErrorId%20%3A%20%5BServer%3DMAIL5%2CRequestId%3D4a9693d0-4723-444b-a44b-0fa9a118f487%2CTimeStamp%3D7%2F12%2F2021%2012%3A29%3A0%0A%20%20%202%20PM%5D%20%5BFailureCategory%3DCmdlet-FederationCertificateInvalidException%5D%20CE320263%2CMicrosoft.Exchange.Management.System%0A%20%20ConfigurationTasks.RemoveFederatedDomain%0A%20%20%20%20%2B%20PSComputerName%20%20%20%20%20%20%20%20%3A%20mail5.***.local%0A%0A%5BPS%5D%20C%3A%5CWindows%5Csystem32%26gt%3B%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20fails%20and%20it%20turns%20out%20that%20if%20the%20federation%20trust%20certificate%20is%20missing%2C%20the%20trust%20cannot%20be%20edited%20anymore%20at%20all.%20This%20is%20explained%20here%3A%26nbsp%3B%3CA%20title%3D%22Error%20when%20you%20make%20changes%20to%20federation%20trust%3A%20Federation%20certificate%20with%20the%20thumbprint%20cannot%20be%20found%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fadministration%2Ffederation-certificate-with-thumbprint-cannot-be-found%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EError%20when%20you%20make%20changes%20to%20federation%20trust%3A%20Federation%20certificate%20with%20the%20thumbprint%20cannot%20be%20found%3C%2FA%3E%3C%2FP%3E%3CP%3EThe%20solution%20is%20to%20remove%20the%20trust%20manually%20using%20ADSI%20editor%20and%20then%20recreate%20the%20trust.%20I%20deleted%20the%20trust%20as%20per%20instructions%20and%20indeed%20it%20now%20shows%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%5BPS%5D%20C%3A%5CWindows%5Csystem32%26gt%3Bget-FederationTrust%0A%5BPS%5D%20C%3A%5CWindows%5Csystem32%26gt%3B%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENext%2C%20I%20tried%20to%20recreate%20the%20federation%20trust%20and%20my%20understanding%20was%20that%20the%20Hybrid%20Configuration%20Wizard%20would%20take%20care%20of%20that.%20I'm%20also%20fairly%20certain%20that%20HCW%20created%20the%20trust%20in%20the%20first%20place%20when%20I%20set%20up%20the%20hybrid%20environment.%20%3CU%3EHCW%20does%20not%20recreate%20the%20trust%3C%2FU%3E.%20It%20runs%20without%20errors%20but%20it%20does%20not%20create%20the%20federation%20trust.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20I%20found%20this%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2020-significant-update-to-hybrid-configuration-wizard%2Fba-p%2F1238753%22%20target%3D%22_self%22%3EMarch%202020%20significant%20update%20to%20Hybrid%20Configuration%20Wizard%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EHCW%20will%20no%20longer%20enable%20Federation%20Trust%20by%20default%20for%20all%20installations.%20Instead%2C%20it%20will%20only%20enable%20Federation%20Trust%20if%20there%20are%20Exchange%202010%20servers%20on%20premises.%20HCW%20will%20call%20Get-ExchangeServer%20and%20if%20no%20Exchange%202010%20servers%20are%20reported%2C%20the%20workflow%20to%20enable%20Federation%20Trust%20and%20subsequently%20require%20domain%20proof%20will%20not%20execute.%20Note%20that%20organization%20relationships%20are%20still%20created.%3C%2FEM%3E%3C%2FP%3E%3CP%3EIn%20our%20network%2C%20there%20are%20no%20Exchange%202010%20servers%20left%20on%20premises.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%3A%20%3CSTRONG%3EIs%20the%20federation%20trust%20still%20needed%20in%20Hybrid%20Exchange%3F%3C%2FSTRONG%3E%20Should%20I%20attempt%20to%20recreate%20federation%20trust%20using%20these%20instructions%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fconfigure-a-federation-trust-exchange-2013-help%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConfigure%20a%20federation%20trust%3A%20Exchange%202013%20Help%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdditionally%2C%20I'm%20currently%20in%20the%20process%20of%20verifying%20if%20everything%20to%20do%20with%20Hybrid%20Exchange%20still%20works%20now%20that%20the%20federation%20trust%20has%20been%20removed%20(free%2Fbusy%2C%20mail%20flow%2C%20live%20migrations%20etc.)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2538485%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Visitor

Hi,

we have a Hybrid Exchange environment in 'Full Hybrid' configuration. The on-premises setup consists of one Exchange 2016 server.

 

I noticed several recurring errors in the application log of the on-premises exchange server.
source: MSExchange Common, event id 401, level: error

The organization certificate named '618F92187B527A8EDEA1C4C763F8B8BA0CAFE413' in the Federation Trust object 'Microsoft Federation Gateway' cannot be found in the computer's certificate store. Please review the Federation Trust properties and the certificates present in the certificate store of the server.

 

as well as:

source: MSExchange Certificate Deployment, event id 2005, level: warning

Federation or Auth certificate not found: 618F92187B527A8EDEA1C4C763F8B8BA0CAFE413. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites.

 

I have been able to verify that the missing certificate does not exist in the certificate store. The server does have a certificate named 'Microsoft Exchange Server Auth Certificate" in the certificate store but its thumb print does not match the one mentioned in the event log error.

 

When I run get-FederationTrust | fl, I'm getting

 

[PS] C:\Windows\system32>get-FederationTrust | fl


RunspaceId                   : 62c9c6bb-0393-45e4-a24c-e3071bb585fc
ApplicationIdentifier        : 0000000040057966
ApplicationUri               : FYDIBOHF25SPDLT.***.com
OrgCertificate               : [Subject]
                                 CN=Federation

                               [Issuer]
                                 CN=Federation

                               [Serial Number]
                                 1FF0CE76F8A189B2479F0014E568B52A

                               [Not Before]
                                 9/16/2018 1:43:36 PM

                               [Not After]
                                 9/16/2023 1:43:36 PM

                               [Thumbprint]
                                 618F92187B527A8EDEA1C4C763F8B8BA0CAFE413

OrgNextCertificate           :
OrgPrevCertificate           :
OrgPrivCertificate           : 618F92187B527A8EDEA1C4C763F8B8BA0CAFE413

 

 

The solution should be obvious: I need to replace the federation trust certificate. This is where things get interesting:

 

I'm working with the document Replace an expired federation certificate. As I mentioned above, a new certificate already exists in the store. I need to update the federation trust to use the new certificate. As per instructions, I need to remove all federated domains first.

 

[PS] C:\Windows\system32>Remove-FederatedDomain -DomainName ***.com -Force

Confirm
Are you sure you want to perform this action?
Removing federated domain "***.com on organization "***".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):
Federation certificate with the thumbprint "618F92187B527A8EDEA1C4C763F8B8BA0CAFE413" cannot be found.
    + CategoryInfo          : InvalidResult: (:) [Remove-FederatedDomain], FederationCertificateInvalidException
    + FullyQualifiedErrorId : [Server=MAIL5,RequestId=4a9693d0-4723-444b-a44b-0fa9a118f487,TimeStamp=7/12/2021 12:29:0
   2 PM] [FailureCategory=Cmdlet-FederationCertificateInvalidException] CE320263,Microsoft.Exchange.Management.System
  ConfigurationTasks.RemoveFederatedDomain
    + PSComputerName        : mail5.***.local

[PS] C:\Windows\system32>

 

 

This fails and it turns out that if the federation trust certificate is missing, the trust cannot be edited anymore at all. This is explained here: Error when you make changes to federation trust: Federation certificate with the thumbprint cannot b...

The solution is to remove the trust manually using ADSI editor and then recreate the trust. I deleted the trust as per instructions and indeed it now shows:

 

[PS] C:\Windows\system32>get-FederationTrust
[PS] C:\Windows\system32>

 

 

Next, I tried to recreate the federation trust and my understanding was that the Hybrid Configuration Wizard would take care of that. I'm also fairly certain that HCW created the trust in the first place when I set up the hybrid environment. HCW does not recreate the trust. It runs without errors but it does not create the federation trust.

 

Then I found this: March 2020 significant update to Hybrid Configuration Wizard 

HCW will no longer enable Federation Trust by default for all installations. Instead, it will only enable Federation Trust if there are Exchange 2010 servers on premises. HCW will call Get-ExchangeServer and if no Exchange 2010 servers are reported, the workflow to enable Federation Trust and subsequently require domain proof will not execute. Note that organization relationships are still created.

In our network, there are no Exchange 2010 servers left on premises.

 

My question is: Is the federation trust still needed in Hybrid Exchange? Should I attempt to recreate federation trust using these instructions: Configure a federation trust: Exchange 2013 Help | Microsoft Docs

 

Additionally, I'm currently in the process of verifying if everything to do with Hybrid Exchange still works now that the federation trust has been removed (free/busy, mail flow, live migrations etc.)

0 Replies