{"id":918,"date":"2021-03-16T10:07:15","date_gmt":"2021-03-16T15:07:15","guid":{"rendered":"https:\/\/itblog.ldlnet.net\/?p=918"},"modified":"2021-03-16T10:08:15","modified_gmt":"2021-03-16T15:08:15","slug":"keep-your-federation-trust-up-to-date","status":"publish","type":"post","link":"https:\/\/itblog.ldlnet.net\/index.php\/2021\/03\/16\/keep-your-federation-trust-up-to-date\/","title":{"rendered":"Keep your Federation Trust up-to-date"},"content":{"rendered":"\n<p class=\"has-bright-blue-color has-text-color\"><em>This article came out in February and I have been behind on my blog updates due to my current project, but I feel this post is important and am going to relay the message that I received here for your review. Thanks again for your support of this blog and its continued longevity<\/em>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-text-color has-background has-dark-gray-background-color has-dark-gray-color is-style-wide\"\/>\n\n\n\n<p>Microsoft periodically refreshes certificates in Office 365 as part of our effort to maintain a highly available and secure environment. From Jan 23<sup>rd<\/sup>, 2021, we are making a certificate change on our Microsoft Federation Gateway every six weeks that could affect some customers as detailed in&nbsp;<a href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fexchange%2Ftroubleshoot%2Fcalendars%2Ffreebusy-lookups-stop-working&amp;data=04%7C01%7Cgeraldr%40microsoft.com%7Cac4b167e4a054e40af9c08d8cdeacf18%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637485755755438016%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=0yUwoo7jjA8RMiXzXNEef%2FXFjAgINdwV4fi3V%2FMjV08%3D&amp;reserved=0\" target=\"_blank\" rel=\"noreferrer noopener\">this knowledge base article<\/a>. 
Please note that longer term, this &#8220;six week&#8221; rhythm to renew the certificate will be further shortened to daily renewals which will further enhance security of the environment. The good news is you can easily avoid any disruption.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Who is affected?<\/h2>\n\n\n\n<p>This certificate change can affect any customer that is using the Microsoft Federation Gateway (MFG). If you are in a hybrid configuration&nbsp;that relies on a Federation Trust established with MFG in the Exchange on-premises organization&nbsp;<strong>or&nbsp;<\/strong>if you are sharing free\/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker, you need to take action.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">When will the change occur?<\/h2>\n\n\n\n<p>The change is scheduled to occur every six weeks to begin with, with this frequency further increasing. You must take action to avoid any disruptions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What type of issues will you face if no action is taken?<\/h2>\n\n\n\n<p>If you don&#8217;t take action, you won&#8217;t be able to use services that rely on the Microsoft Federation Gateway. For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A cloud user might not be able to see free\/busy information for an on-premises user and vice versa.<\/li><li>MailTips might not work in a Hybrid configuration.<\/li><li>Cross-premises free\/busy might stop working between organizations that have organization relationships in place.<\/li><\/ul>\n\n\n\n<p>Additionally, if you run the&nbsp;Test-FederationTrust&nbsp;cmdlet, you might receive an error message that indicates that the Delegation token has validation issues. 
For example, you receive an error message that resembles the following:<\/p>\n\n\n\n<p class=\"has-yellow-color has-dark-gray-background-color has-text-color has-background has-medium-font-size\">Id : TokenValidation<br>Type : Error<br>Message : Failed to validate delegation token.<\/p>\n\n\n\n<p>And, you might receive one of the following error messages in the&nbsp;<strong>Exchange Web Services (EWS)<\/strong>&nbsp;responses:<\/p>\n\n\n\n<p class=\"has-yellow-color has-dark-gray-background-color has-text-color has-background has-medium-font-size\">An error occurred when processing the security tokens in the message<br>Autodiscover failed for email address User@contoso.com with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What action should you take?<\/h2>\n\n\n\n<p>You can use the following command on your Exchange Server to create a scheduled task to run the update process daily. This is how we recommend you keep your Federation Trust constantly updated. This will prevent you from being negatively affected by future metadata changes.<\/p>\n\n\n<pre class=\"lang:PowerShell nums:False\" title=\"PowerShell Script to Schedule Task\">Schtasks \/create \/sc Daily \/tn FedRefresh \/tr \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010 ; $fedTrust = Get-FederationTrust ; Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata\"\n<\/pre>\n\n\n\n<p>If you prefer to not use a scheduled task, you can manually run the command at any time to refresh the metadata. 
This is not recommended, as the certificate refresh frequency will increase from a 6-week period to daily, and updating it manually would be quite cumbersome.<\/p>\n\n\n<pre class=\"lang:PowerShell nums:False\" title=\"Manual Update of MetaData for Federation\">Get-FederationTrust | Set-FederationTrust -RefreshMetadata\n<\/pre>\n\n\n\n<p class=\"has-medium-pink-color has-text-color\"><em>Please note that we have seen some situations where this command should be run&nbsp;twice&nbsp;to ensure it is successful.<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-text-color has-background has-dark-gray-background-color has-dark-gray-color is-style-wide\"\/>\n\n\n\n<p class=\"has-small-font-size\"><strong><em>REFERENCES:<\/em><\/strong><br><a href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fkeep-your-federation-trust-up-to-date%2Fba-p%2F2088788&amp;data=04%7C01%7Cgeraldr%40microsoft.com%7Cac4b167e4a054e40af9c08d8cdeacf18%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637485755755447973%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=GJ14%2BmBR8gq8tocQ3zBNdFPxwtVlWwkV9%2FIVMit0ubY%3D&amp;reserved=0\">Keep your Federation Trust up-to-date &#8211; Microsoft Tech Community<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article came out in February and I have been behind on my blog updates due to my current project, but I<\/p>\n<p class=\"link-more\"><a class=\"myButt \" href=\"https:\/\/itblog.ldlnet.net\/index.php\/2021\/03\/16\/keep-your-federation-trust-up-to-date\/\">Read 
More<\/a><\/p>\n","protected":false},"author":1,"featured_media":877,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[267,4,265,194,3,266],"tags":[280,73,238,88,8],"class_list":["post-918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-active-directory","category-exchange","category-microsoft365","category-office365","category-powershell","category-security-and-compliance","tag-adfs","tag-federation","tag-m365","tag-o365","tag-powershell","odd"],"_links":{"self":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/918","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/comments?post=918"}],"version-history":[{"count":6,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/918\/revisions"}],"predecessor-version":[{"id":924,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/918\/revisions\/924"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media\/877"}],"wp:attachment":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media?parent=918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/categories?post=918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/tags?post=918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}