

Unable to renew Exchange Delegation Federation certificate

Question

Monday, February 29, 2016 1:38 PM

We're running Exchange Server 2013 CU10.

Our Exchange Delegation Federation certificate expired a couple of months ago and hasn't been renewed.

I understand that this certificate was supposed to automatically renew itself with SP1.

I am unable to renew the certificate in the Exchange Control Panel and receive an error message "Federation certificates can only be managed through the FederationTrust tasks."

I came across an article, http://blogs.technet.com/b/exchange/archive/2014/09/10/keep-your-federation-trust-up-to-date.aspx, that advises to use the following command to update the trust:

Get-FederationTrust | Set-FederationTrust -RefreshMetadata.

The command completed successfully, but the certificate still did not update.

My next consideration is to renew the certificate from the personal computer certificate store.

But before I do this I would like to get your opinions/suggestions on next possible steps.

Thanks!

All replies (6)

Tuesday, March 1, 2016 7:33 AM

Hi GregT8,

You can try to manually use the next certificate as the current certificate and check if any helps:

1. View federation trust certificates: the following command displays the previous, current, and next certificates used by the federation trust.

Get-FederationTrust "Federation Name" | Select Org*certificate

2. Configure the federation trust to use the next certificate:

Set-FederationTrust "Federation Name" -Thumbprint "xxxxxxxxxx"

3. Configure the federation trust to use the next certificate as the current certificate:

Set-FederationTrust "Federation Name" -PublishFederationCertificate

4. Refresh federation metadata and certificate from the Azure AD authentication system:

Set-FederationTrust "Federation Name" -RefreshMetadata

In addition, you can refer to the following article to understand Transitioning to a new certificate in a Federation:

The certificate used to create the federation trust is designated as the current certificate. However, you may need to install and use a new certificate for the federation trust periodically. For example, you may need to use a new certificate if the current certificate expires or to meet a new business or security requirement. To ensure a seamless transition to a new certificate, you must install the new certificate on your Exchange 2013 server and configure the federation trust to designate it as the new certificate. Exchange 2013 automatically distributes the new certificate to all other Exchange 2013 servers in the organization. Depending on your Active Directory topology, distribution of the certificate may take a while. You can verify the certificate status using the Test-FederationTrustCertificate cmdlet in the Shell.

After you verify the certificate's distribution status, you can configure the trust to use the new certificate. After switching certificates, the current certificate is designated as the previous certificate, and the new certificate is designated as the current certificate. The new certificate is published to the Azure AD authentication system, and all new tokens exchanged with the Azure AD authentication system are encrypted using the new certificate.

Best regards,

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].

Niko Cheng
TechNet Community Support
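The four steps above, plus the two checks that the later posts in this thread show failing (an empty OrgNextCertificate slot, and -PublishFederationCertificate refusing to run before a next certificate is staged), as one PowerShell script. This is an added example, not code from the thread or from Microsoft. It assumes the Exchange Management Shell, a trust named "Microsoft Federation Gateway" as in the December 22 post, and that a replacement federation certificate can be created with New-ExchangeCertificate -Services Federation (the certificate parameters are an assumption; the thread never confirms them). Nothing is changed unless $Commit is set.

```powershell
# Added example for this thread, not the original poster's or Microsoft's code.
# Run from the Exchange Management Shell. With $Commit = $false it only reports.
param(
    [string]$TrustName = "Microsoft Federation Gateway",   # trust name from the Dec 22 post; assumed
    [switch]$Commit                                          # actually stage/publish; default is report-only
)

$trust = Get-FederationTrust $TrustName -ErrorAction Stop

# The Org*Certificate properties are X509Certificate2 objects, or $null when the slot is empty.
$slots = [ordered]@{
    Previous = $trust.OrgPrevCertificate
    Current  = $trust.OrgCertificate
    Next     = $trust.OrgNextCertificate
}

foreach ($slotName in $slots.Keys) {
    $cert = $slots[$slotName]
    if ($null -eq $cert) {
        "{0,-9} <empty>" -f $slotName
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "{0,-9} {1}  expires {2:yyyy-MM-dd} ({3} days)" -f $slotName, $cert.Thumbprint, $cert.NotAfter, $daysLeft
}

$current = $slots.Current
if ($null -ne $current -and $current.NotAfter -lt (Get-Date)) {
    Write-Warning "Current federation certificate expired on $($current.NotAfter); tokens signed with it will be rejected."
}

if ($null -eq $slots.Next) {
    # This is the state every poster hit: nothing in the Next slot, so
    # Set-FederationTrust -PublishFederationCertificate fails with
    # "The certificate that can be used next must be established before it can be published."
    Write-Warning "No next certificate is staged; -RefreshMetadata will not create one."

    if (-not $Commit) {
        "Re-run with -Commit to create and stage a replacement certificate."
        return
    }

    # Assumption: a self-signed certificate with the Federation service is an acceptable replacement.
    # The default accepted domain is used for the DomainName; adjust if your trust used another name.
    $domain = (Get-AcceptedDomain | Where-Object { $_.Default }).DomainName.ToString()
    $new = New-ExchangeCertificate -FriendlyName "Exchange Delegation Federation" `
                                   -DomainName $domain -Services Federation `
                                   -KeySize 2048 -PrivateKeyExportable $true
    "Created replacement certificate $($new.Thumbprint); staging it as the next certificate."
    Set-FederationTrust $TrustName -Thumbprint $new.Thumbprint
    "Staged. Wait for AD replication, then re-run with -Commit to verify distribution and publish."
    return
}

# A next certificate exists. Before publishing, confirm every server has it
# (the doc text quoted above says distribution can take a while).
$distribution = Test-FederationTrustCertificate
$distribution | Format-Table -AutoSize
$missing = @($distribution | Where-Object { $_.State -ne "Installed" })
if ($missing.Count -gt 0) {
    Write-Warning "Next certificate not yet installed on $($missing.Count) server(s); not publishing."
    return
}

if (-not $Commit) {
    "Next certificate is distributed everywhere. Re-run with -Commit to publish it and refresh metadata."
    return
}

# Promote Next -> Current (Current becomes Previous) and push the change to the federation gateway.
Set-FederationTrust $TrustName -PublishFederationCertificate
Set-FederationTrust $TrustName -RefreshMetadata
Get-FederationTrust $TrustName | Select-Object OrgPrevCertificate, OrgCertificate, OrgNextCertificate
```

The script is deliberately two-pass: the first -Commit run only stages a certificate, because publishing before Test-FederationTrustCertificate shows it installed on every server would leave some servers unable to sign or validate federation tokens. The State value checked against "Installed" is what Test-FederationTrustCertificate reports per server in my environment; confirm the exact string in yours before relying on it.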


Tuesday, March 1, 2016 1:55 PM

Niko,

Thanks for your reply.
This is good info.

When I run Get-FederationTrust "Federation Name", the command shows a blank entry for OrgNextCertificate.
Therefore, I'm unable to capture the thumbprint for the next certificate.

What's your recommendation on proceeding from this point?


Friday, November 25, 2016 4:04 PM

Did you ever find a solution to this issue? My org is having the same problem currently and hasn't been able to fix it so far. Federation certificate expired and no next certificate to roll to. Even MS support hasn't been able to help much; we had to completely bypass ADFS authentication just to access OWA and ECP.


Monday, November 28, 2016 2:03 PM

I was able to fix it by removing and re-introducing our hybrid configuration by using this article: http://blog.skysoft-is.com/?p=133


Thursday, December 22, 2016 6:46 PM

Running Exchange 2016 CU3 and having the same problem.  Our "Exchange Delegation Federation" certificate expired today and has not automatically renewed.  It now has an Invalid status.  Here's what I've tried without success.

  1. Action: Get-FederationTrust | Select Org*Cert*
     Result: OrgNextCertificate: blank
  2. Action: Get-FederationTrust | Set-FederationTrust -RefreshMetadata
     Result: WARNING: The command completed successfully but no settings of 'Microsoft Federation Gateway' have been modified.
  3. Action: Get-FederationTrust | Select Org*Cert*
     Result: OrgNextCertificate: blank
  4. Action: Set-FederationTrust "Microsoft Federation Gateway" -PublishFederationCertificate
     Result: The certificate that can be used next must be established before it can be published.
  5. Action: Select the "Exchange Delegation Federation" certificate in the EAC and click Renew.
     Result: Error: A special Rpc error occurs on server <server>: Federation certificates can only be managed through the FederationTrust tasks.
  6. Action: Re-ran the Hybrid Configuration Wizard
     Result: No change.

How can I force Exchange to generate a new Federation certificate without completely removing and re-adding the hybrid configuration? Any recommendations are much appreciated.


Monday, March 6, 2017 2:39 AM

Hi GregT8,

Please have a look at the following similar thread, and it might be helpful:

Unable to renew Exchange Delegation Federation certificate (Solved)

Best Regards,

Niko Cheng
TechNet Community Support

Please remember to mark the replies as answers.
If you have feedback for TechNet Subscriber Support, contact [email protected].