This article came out in February and I have been behind on my blog updates due to my current project, but I feel this post is important and am going to relay the message that I received here for your review. Thanks again for your support of this blog and its continued longevity.
Microsoft periodically refreshes certificates in Office 365 as part of our effort to maintain a highly available and secure environment. From Jan 23rd, 2021, we are making a certificate change on our Microsoft Federation Gateway every six weeks that could affect some customers as detailed in this knowledge base article. Please note that longer term, this “six week” rhythm to renew the certificate will be further shortened to daily renewals which will further enhance security of the environment. The good news is you can easily avoid any disruption.
Who is affected?
This certificate change can affect any customer that is using the Microsoft Federation Gateway (MFG). If you are in a hybrid configuration that relies on a Federation Trust established with MFG in the Exchange on-premises organization or if you are sharing free/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker, you need to take action.
When will the change occur?
The change is scheduled to occur every six weeks to begin with, with this frequency further increasing. You must take action to avoid any disruptions.
What type of issues will you face if no action is taken?
If you don’t take action, you won’t be able to use services that rely on the Microsoft Federation Gateway. For example:
- A cloud user might not be able to see free/busy information for an on-premises user and vice versa.
- MailTips might not work in a Hybrid configuration.
- Cross-premises free/busy might stop working between organizations that have organization relationships in place.
Additionally, if you run the Test-FederationTrust cmdlet, you might receive an error message that indicates that the Delegation token has validation issues. For example, you receive an error message that resembles the following:
Id : TokenValidation
Type : Error
Message : Failed to validate delegation token.
And, you might receive one of the following error messages in the Exchange Web Services (EWS) responses:
An error occurred when processing the security tokens in the message
Autodiscover failed for email address User@contoso.com with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message
What action should you take?
You can use the following command on your Exchange Server to create a scheduled task to run the update process daily. This is how we recommend you keep your Federation Trust constantly updated. This will prevent you from being negatively affected by future metadata changes.
Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010 ; $fedTrust = Get-FederationTrust ; Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata"
If you prefer not to use a scheduled task, you can manually run the command at any time to refresh the metadata. This is not recommended, as the frequency of the certificate refresh will increase from a six-week period to daily, and manually updating it would be quite cumbersome.
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
Please note that we have seen some situations where this command should be run twice to ensure it is successful.
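As an added example (my own, not part of the Microsoft notice above), the following PowerShell script wraps the refresh so it can be verified rather than run blind: it refreshes the metadata, runs Test-FederationTrust, and retries once if the delegation token still fails, since the notice says the refresh sometimes has to run twice. It assumes the Exchange 2010 snap-in name used in the notice and a placeholder mailbox (user@contoso.com) for the test; adjust both for your organization.

```powershell
# Added example, not from the Microsoft notice: refresh Federation Trust
# metadata and confirm the delegation token validates, retrying once.
param(
    # Snap-in name taken from the notice's scheduled task (Exchange 2010);
    # newer Exchange versions use a different snap-in name (assumption).
    [string]$SnapIn = 'Microsoft.Exchange.Management.PowerShell.E2010',
    # Placeholder mailbox used for Test-FederationTrust; replace with a real one.
    [string]$UserIdentity = 'user@contoso.com',
    [int]$MaxAttempts = 2
)

if (-not (Get-PSSnapin -Name $SnapIn -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $SnapIn
}

function Test-DelegationToken {
    # Returns $true when Test-FederationTrust reports no entries of Type 'Error'
    # (the notice shows Id=TokenValidation, Type=Error when the token fails).
    param([string]$Identity)
    $results = Test-FederationTrust -UserIdentity $Identity
    $failed  = @($results | Where-Object { $_.Type -eq 'Error' })
    foreach ($f in $failed) {
        Write-Warning ("{0}: {1}" -f $f.Id, $f.Message)
    }
    return ($failed.Count -eq 0)
}

# As in the notice, this assumes a single federation trust in the organization.
$trust = Get-FederationTrust

foreach ($attempt in 1..$MaxAttempts) {
    Write-Host "Refreshing metadata for '$($trust.Name)' (attempt $attempt of $MaxAttempts)"
    Set-FederationTrust -Identity $trust.Name -RefreshMetadata
    if (Test-DelegationToken -Identity $UserIdentity) {
        Write-Host 'Federation trust OK: delegation token validated.'
        exit 0
    }
}

# Non-zero exit lets the scheduled task's last-run result flag the failure.
Write-Error 'Delegation token still failing after refresh; investigate before the next certificate rotation.'
exit 1
```

Saving this as a .ps1 and pointing the scheduled task at it (instead of the inline -command string) gives you a last-run result you can monitor, so a silent refresh failure is noticed before free/busy breaks.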