Exchange Delegation Federation Certificate Expired


Florencia Abila

Jul 24, 2024, 8:03:36 PM7/24/24
to scalreiscaliz

I recently noticed my Exchange Delegation Federation certificate is about to expire. I wanted to go ahead and renew it so Exchange wouldn't be barking at me about an expired certificate. I followed the procedures here -us/exchange/renew-the-federation-certificate-exchange-2013-help#step-2-configure-the-new-certificate-as-the-federation-certificate and was able to complete Step 1 to create the certificate.




I then went to Step 2, "Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint -RefreshMetaData", entering the Thumbprint, but I got an error that says "Cannot update certificate until the federation trust is provisioned with STS."

We have a standalone Exchange 2019 server with no Federation Trust set up. I assume the certificate we have now must have come from back when we had Exchange Online. Since we don't have any Federation Trusts set up, can I go ahead and delete the two certificates (old and new), or is there a way to renew the certificate so it doesn't keep telling me it is expired?

@Jerry Trimmer I wanted to follow up and know if the below responses helped in answering your query. If it did, please do not forget to accept the appropriate response as Answer so that others in the community facing similar issues can easily find the solution.

I'm having the same problem and found a blog here that's been helpful, and I've run the steps, but I've also found other information here in the Microsoft Community that talks about removing the trust and recreating it, and that would be it for my scenario, so I'm wanting to clear this up and see what input I get from this community.

I have an on-premise Exchange Server 2016 that's configured in a hybrid configuration with Microsoft 365/Exchange Online. All mailboxes have been migrated to 365 and the on-premise EAC is used only to manage exchange attributes since we still have our on-premise Active Directory. My Federation certificate expired but nothing is being affected by this. The only reason I'm wanting to renew/roll it over to a new self-signed certificate is because I've read that for me to upgrade this server the federation certificate has to be valid or I'll run into problems.

Of course there is no absolute requirement to have it in your scenario, but it wouldn't hurt to create a new one and clean that up either.
-us/exchange/renew-the-federation-certificate-exchange-2013-help#replace-an-expired-federation-certificate

If the federation certificate has already expired, you need to remove all federated domains from the federation trust, and then remove and recreate the federation trust. If you have multiple federated domains, you need to identify the primary domain shared domain so you can remove it last.
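The removal order described above (every federated domain first, the primary shared domain last, then the trust itself) is easy to get wrong by hand. The following script is an added example, not code from this thread or from Microsoft's documentation: it reads the organization identifier, derives the primary shared domain from the AccountNamespace value, and performs the removals in the documented order. It assumes an Exchange Management Shell session on the on-premises server, that the Domains property of Get-FederatedOrganizationIdentifier exposes each federated domain through a DomainName member, and that -Force is the switch used to remove the primary shared domain; it runs as a dry run (-WhatIf) until $DryRun is set to $false, so the output can be reviewed before anything is changed.

```powershell
# Added example (not from the thread). Dry run by default: every Remove-* call
# receives -WhatIf while $DryRun is $true, so nothing is changed until you flip it.
$DryRun = $true

$orgId = Get-FederatedOrganizationIdentifier
if ([string]::IsNullOrEmpty([string]$orgId.AccountNamespace)) {
    Write-Host "No organization identifier / federation trust is configured; nothing to remove."
    return
}

# AccountNamespace has the form FYDIBOHF25SPDLT.contoso.com; the primary shared
# domain is everything after the first label (contoso.com in that example).
$primaryDomain = ($orgId.AccountNamespace.ToString() -split '\.', 2)[1]

# Collect the federated domain names as plain strings. Assumption: each entry in
# the Domains collection carries a DomainName member; fall back to ToString().
$federated = @($orgId.Domains | ForEach-Object {
    if ($_.PSObject.Properties['DomainName']) { $_.DomainName.ToString() } else { $_.ToString() }
})

Write-Host "AccountNamespace : $($orgId.AccountNamespace)"
Write-Host "Primary domain   : $primaryDomain"
Write-Host "Federated domains: $($federated -join ', ')"

# Remove every non-primary domain first. The namespace entry itself is skipped
# because it is removed together with the primary shared domain.
$others = $federated | Where-Object {
    $_ -ne $primaryDomain -and $_ -ne $orgId.AccountNamespace.ToString()
}
foreach ($domain in $others) {
    Write-Host "Removing federated domain $domain"
    Remove-FederatedDomain -DomainName $domain -Confirm:$false -WhatIf:$DryRun
}

# The primary shared domain goes last (assumption: -Force is required for it).
if ($federated -contains $primaryDomain) {
    Write-Host "Removing primary shared domain $primaryDomain"
    Remove-FederatedDomain -DomainName $primaryDomain -Force -Confirm:$false -WhatIf:$DryRun
}

# Finally remove the trust itself; it is recreated afterwards (for a hybrid
# deployment, by re-running the Hybrid Configuration Wizard).
Remove-FederationTrust -Identity "Microsoft Federation Gateway" -Confirm:$false -WhatIf:$DryRun
```

Run it once with $DryRun left at $true and compare the printed domain list against what the Sharing page in the EAC shows; only when the order and the names look right should it be run with $DryRun set to $false.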

Once the new cert is created can the recreation of the federation trust be done through the GUI at Exchange 2016 > Organization > Sharing > Federation Trust (assuming this will show Add once I delete my existing trust).

If you have multiple federated domains, you need to identify the primary domain shared domain so you can remove it last
The value of the AccountNamespace property contains the primary shared domain in the format FYDIBOHF25SPDLT. For example, in the value FYDIBOHF25SPDLT.contoso.com, contoso.com is the primary shared domain.

Yes, remove the domains set in the org / Fed trust sharing (there are two domains at minimum: yours and the Azure domain; the AccountNameSpace is the Azure domain) and recreate the fed trust.
You can also follow this:

Instead of PowerShell, can I just use the EAC (on-prem) GUI at EAC > Organization > Sharing tab > click "Remove" in the Federation Trust section and then create it in the GUI? If so, then I should be able to complete this with your instructions provided from the rebel admin site.

Instead of detecting and removing any federated domains via PowerShell, can this all be done in the Exchange 2016 Exchange Admin Center GUI? For example: can I just click the "Remove" button in Exchange 2016 EAC > Organization > Sharing > Federation Trust? And then move on with the rebeladmin.com instructions for recreating everything?

@Andy David - MVP can you please look at my previous post and give me some guidance on this? I've also seen other posts in other places similar to my scenario and they were successful at removing the trust from their Exchange Admin Center and recreating it which updated everything with the new cert and all is good. I'm hoping my case is the same and that I can follow those steps as well.

Hello, we have an Exchange 2019 on-prem, hybrid configuration. We use the Exchange on-prem for user management and internal relaying only. No mailboxes on-prem anymore.
We noticed our Exchange Delegation Federation certificate expired a while ago. I was wondering, do we need to renew this certificate in our deployment, or can we remove this certificate? I did notice there was a federation set up.
Or can we renew this certificate by rerunning the HCW?
Thanks

@Jan De Smet
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer to close this thread. It also could be beneficial to other community members reading this thread.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

The instructions on this page only suggest to remove the federated domains and the trust.
When they are removed, I just recreate it via the ECP?
-us/exchange/configure-a-federation-trust-exchange-2013-help

The OrgPrivCertificate parameter above provides the thumbprint of the current federation certificate, while the OrgPrevCertificate will show the previous certificate thumbprint. In our case it's blank as we have only one federation certificate.

We will be discussing the renewal scenario where the federation certificate is still within the validity period and has not expired yet. If your certificate has already expired there are some additional steps, so refer to this article instead.

Meanwhile, check and confirm that the new Federation certificate is published to all Exchange servers. It might take some time for the certificate and its services to show up on all the Exchange servers. You can also verify by running the command:

In the above screenshot, the Thumbprint and TXT Proof mentioned on top is the new one. Share the new Proof TXT record to your DNS team to get the existing TXT record in the bottom updated in external DNS.

Sign in to Exchange Admin Center on-premises. Navigate to servers > certificates. Select the Exchange Server if you have more than one Exchange Server running in the organization. Double-click the Microsoft Exchange Server Auth Certificate.

The Set-AuthConfig parameter defines Microsoft Exchange as a partner application for server-to-server authentication with other partner applications such as Microsoft SharePoint 2013 and Microsoft Lync 2013 or Skype for Business Server 2015.

The PublishCertificate switch specifies that the specified certificate be immediately rolled over as the current certificate. The certificate is deployed immediately to all Client Access servers.

Give it a maximum of 24 hours and run the health checker script again. All the certificate statuses appear as Valid and the Microsoft Exchange Server Auth Certificate is bound to services SMTP.

We showed how to renew the Microsoft Exchange Server Auth Certificate. First, go through the steps as shown to renew the Auth Certificate. After that, you can remove the old Auth certificate. If you have an Exchange Hybrid deployment, rerun the Hybrid Configuration Wizard. As always, verify that the new Microsoft Exchange Server Auth Certificate is valid by running the Exchange Health Checker script.

Thank you so much for the detailed guide and answered questions. I was able to quickly and efficiently complete the certificate renewal process following your steps and the added answer to assign the SMTP service to the correct cert. Please know that what you do really does make a dramatic difference for the community and we all truly appreciate you and your expertise.

Hi, I need some help. After I renewed the auth cert, when I run Get-ExchangeCertificate the result I get is empty. Do I need to wait 24 hours? Because last time when we did this it did not need that long.

The new certificate shows up on the Server I created it on. Will this certificate replicate to the other 4 servers without me saying Y to the replacement portion of the command? It has been roughly 36 hours and the new certificate still does not exist on the other 4 servers.

My hope was that I could create a new cert without overwriting, have it replicate, THEN set it to the Default and overwrite once it was in place on all servers. It will not work this way (although it might if you manually export and import on each server).
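Several posts above hinge on the same two questions: has the new certificate actually reached every server, and how close to expiry is whatever is currently in use? The script below is an added example (not code from the thread or from Microsoft) that answers both from an Exchange Management Shell session. It takes a thumbprint, queries each Mailbox server with Get-ExchangeCertificate -Server, and reports presence, bound services and days of validity left; the trailing lines feed it the current and staged Auth certificate thumbprints from Get-AuthConfig. The 30-day warning threshold and the choice of Mailbox servers only are assumptions you can adjust.

```powershell
# Added example (not from the thread). Requires the Exchange Management Shell.
function Get-CertificatePresenceReport {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$WarnDays = 30   # assumption: warn when fewer than 30 days remain
    )
    # Only Mailbox servers are checked (assumption); adjust the filter if needed.
    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' }
    foreach ($server in $servers) {
        # A missing thumbprint raises an error by default; suppress it and treat
        # an empty result as "not replicated to this server yet".
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $Thumbprint `
                    -ErrorAction SilentlyContinue
        if ($null -eq $cert) {
            [pscustomobject]@{
                Server = $server.Name; Present = $false; DaysLeft = $null
                Services = $null; Status = 'MISSING'
            }
            continue
        }
        $daysLeft = [int]([datetime]$cert.NotAfter - (Get-Date)).TotalDays
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                  else { 'OK' }
        [pscustomobject]@{
            Server = $server.Name; Present = $true; DaysLeft = $daysLeft
            Services = $cert.Services; Status = $status
        }
    }
}

# Current and (if staged) next Auth certificate thumbprints come from the AuthConfig.
$auth = Get-AuthConfig
Write-Host "Current Auth certificate : $($auth.CurrentCertificateThumbprint)"
Write-Host "Next Auth certificate    : $($auth.NextCertificateThumbprint) (effective $($auth.NextCertificateEffectiveDate))"

Write-Host "`nCurrent certificate per server:"
Get-CertificatePresenceReport -Thumbprint $auth.CurrentCertificateThumbprint | Format-Table -AutoSize

if (-not [string]::IsNullOrEmpty($auth.NextCertificateThumbprint)) {
    Write-Host "`nStaged (next) certificate per server:"
    Get-CertificatePresenceReport -Thumbprint $auth.NextCertificateThumbprint | Format-Table -AutoSize
}
```

A row with Status MISSING for the new thumbprint is the replication problem described above; any server still showing MISSING after the wait period is the one to look at (or to import the certificate on manually). The same function works for any other certificate on the server, such as the federation certificate, by passing its thumbprint directly.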

Question 3: Do I have to run the hybrid config wizard? The reason I am asking is that I checked Exchange Online 365, and the connectors inbound and outbound are pointing to the SAN certificate. I verified this by running the following commands:

1. Run the command shown in the article, and it will set the Auth certificate expiration date to 5 years.
2. No, it will not take over your SAN certificate.
3. Yes, rerun the HCW so it will replace the Auth certificate in Microsoft Entra ID. It has nothing to do with your SAN certificate.

So the question is, if we renew the Auth Certificate on 2016 (since mail flow is still from 2016 as migration is going on) and publish it, will it be replicated to the 2019 DAG Client Access servers as well? If not, then what should we do, either export and import or any workaround?
