Updated on 2/10/2021

Microsoft periodically refreshes certificates in Office 365 as part of our effort to maintain a highly available and secure environment. Starting Jan 23rd, 2021, we are making a certificate change on the Microsoft Federation Gateway that could affect some customers, as detailed in the accompanying knowledge base article. Please note that this certificate can be rolled at any time (more information can be found here), which further enhances the security of the environment. The good news is that you can easily avoid any disruption.

Who is affected?

This certificate change can affect any customer that uses the Microsoft Federation Gateway (MFG). If you run a hybrid configuration that relies on a Federation Trust established with the MFG in your Exchange on-premises organization, or if you share free/busy information between two different on-premises organizations using the MFG as the trust broker, you need to take action.

When will the change occur?

There is no fixed date: the certificate can be rolled at any time going forward. You must take action to avoid disruption.

What type of issues will you face if no action is taken?

If you don't take action, you won't be able to use services that rely on the Microsoft Federation Gateway. For example:

  • A cloud user might not be able to see free/busy information for an on-premises user and vice versa.
  • MailTips might not work in a Hybrid configuration.
  • Cross-premises free/busy might stop working between organizations that have organization relationships in place.

Additionally, if you run the Test-FederationTrust cmdlet, you might receive an error indicating that the delegation token failed validation. For example, you might receive an error that resembles the following:

Id : TokenValidation
Type : Error
Message : Failed to validate delegation token.

And, you might receive one of the following error messages in the Exchange Web Services (EWS) responses:

An error occurred when processing the security tokens in the message
Autodiscover failed for email address User@contoso.com with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message

What action should you take?

You can use the following command on your Exchange Server to create a scheduled task that runs the metadata refresh daily. This is how we recommend you keep your Federation Trust constantly updated, and it will protect you from future metadata changes as well. Run it from an elevated prompt as an account that has Exchange Organization Management rights.

Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010; $fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata"

If you prefer not to use a scheduled task, you can run the following command manually at any time to refresh the metadata. Because the certificate can be rolled at any time, relying on manual refreshes is not recommended: you would have to remember to run it regularly, which quickly becomes cumbersome.

Get-FederationTrust | Set-FederationTrust -RefreshMetadata

Please note that we have seen some situations where this command must be run twice before the refresh succeeds, so re-run it and verify with Test-FederationTrust if the first attempt still reports errors.
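The following script is an added example, not part of the original post or of Microsoft's published guidance. It wraps the refresh procedure above so it can be pointed at from the scheduled task: it loads the Exchange snap-in if needed, records the thumbprint of the MFG token-issuer certificate held in the trust before and after the refresh, retries the refresh once (since a second run is sometimes needed), and validates the result with Test-FederationTrust, exiting non-zero if any check still reports an error. The log path and script name are assumptions; the cmdlets and the Id/Type/Message fields of the Test-FederationTrust output are those shown on this page.

```powershell
<#
  Refresh-FederationTrust.ps1 (added example, not from the original post)
  Assumes it runs on an Exchange server under an account with Organization
  Management rights. Refreshes the Federation Trust metadata from the
  Microsoft Federation Gateway, retrying once, then verifies the trust.
#>
param(
    [int]$MaxAttempts = 2,
    # Assumed log location; change to suit your environment.
    [string]$LogPath = "$env:ProgramData\FedRefresh\FedRefresh.log"
)

$ErrorActionPreference = 'Stop'

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Write-Output $line
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
}

# Load the Exchange cmdlets unless we are already in an Exchange Management Shell.
if (-not (Get-Command Get-FederationTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
}

function Get-TokenIssuerSummary {
    # TokenIssuerCertificate on the trust is the MFG signing certificate that
    # the metadata refresh picks up, so its thumbprint shows whether the
    # refresh actually changed anything.
    param($Trust)
    $cert = $Trust.TokenIssuerCertificate
    if ($cert) { "{0} (expires {1:yyyy-MM-dd})" -f $cert.Thumbprint, $cert.NotAfter }
    else       { "<none>" }
}

# An organization normally has exactly one Federation Trust.
$trust = Get-FederationTrust | Select-Object -First 1
if (-not $trust) {
    Write-Log "No Federation Trust is configured; nothing to refresh."
    exit 0
}
Write-Log ("Trust '{0}' token issuer before refresh: {1}" -f $trust.Name, (Get-TokenIssuerSummary $trust))

$healthy = $false
for ($attempt = 1; $attempt -le $MaxAttempts -and -not $healthy; $attempt++) {
    Write-Log "Refresh attempt $attempt of $MaxAttempts"
    Set-FederationTrust -Identity $trust.Name -RefreshMetadata

    # Test-FederationTrust emits one object per check with Id/Type/Message,
    # e.g. Id=TokenValidation Type=Error when the delegation token fails.
    $results = Test-FederationTrust
    $failed  = @($results | Where-Object { $_.Type -eq 'Error' })

    if ($failed.Count -eq 0) {
        $healthy = $true
    } else {
        foreach ($f in $failed) { Write-Log ("  {0}: {1}" -f $f.Id, $f.Message) }
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds 30 }  # brief pause before retrying
    }
}

$trust = Get-FederationTrust | Select-Object -First 1
Write-Log ("Trust '{0}' token issuer after refresh:  {1}" -f $trust.Name, (Get-TokenIssuerSummary $trust))

if ($healthy) {
    Write-Log "Federation Trust validated successfully."
    exit 0
}
Write-Log "Federation Trust still reports errors after $MaxAttempts attempt(s); check outbound connectivity to the MFG and any proxy configuration."
exit 1
```

To schedule it, point the /tr argument of the Schtasks command above at `powershell.exe -ExecutionPolicy Bypass -File <path>\Refresh-FederationTrust.ps1` and add /ru with a dedicated account that is a member of Organization Management so the task runs whether or not anyone is logged on. The non-zero exit code surfaces in the task's Last Run Result, which gives your monitoring something to alert on.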

The Exchange Hybrid Team
