"Federation certificate with the thumbprint cannot be found" error when you try to set up the federation trust to use the next certificate in Office 365

Article ID: 2810692

PROBLEM

Consider the following scenario in a hybrid deployment of on-premises Exchange Server and Exchange Online in Office 365:
  • The current certificate that was created for the federation trust on the hybrid server is unintentionally deleted.
  • The current certificate must be replaced for the trust to work correctly.
  • A new certificate is created.
  • You run the Manage Federation Wizard, and then you select the Roll certificate to make the next certificate as the current certificate check box to use the new certificate.
In this scenario, the wizard doesn't update the certificate as expected. When you try to use the Set-FederationTrust cmdlet to make the federation trust use the next certificate as the current certificate, you receive the following error message:
[PS] C:\>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
Federation certificate with the thumbprint "<thumbprint of the current certificate>" cannot be found.
+ CategoryInfo : InvalidResult: (:) [Set-FederationTrust], FederationCertificateInvalidException
+ FullyQualifiedErrorId : 906B427C,Microsoft.Exchange.Management.SystemConfigurationTasks

CAUSE

This issue occurs if the new certificate is missing from the certificate store. In this case, the Manage Federation Wizard can't roll to the new certificate.

SOLUTION

To fix this issue, update the Active Directory object for the federation trust by adding the thumbprint for the next federation certificate to the object. This lets the Manage Federation Wizard or the Set-FederationTrust cmdlet successfully process the rollover request.

To do this, follow these steps:
  1. Log on to the Exchange 2010 hybrid deployment server as a domain admin.
  2. Open Active Directory Service Interfaces (ADSI) Edit. To do this, click Start, click Run, type ADSIEdit.msc, and then click OK.
  3. After the ADSI Edit window is loaded, right-click ADSI Edit in the navigation pane, and then click Connect To.
  4. In the Connection Settings window, click Select a well known Naming Context in the Connection Point area, and then click Configuration.
  5. In the Computer area, select Default (Domain or server that you are logged into), and then click OK.
  6. Locate CN=Configuration, DC=<DOMAIN>, DC=<COM>, CN=Services, CN=Microsoft Exchange, CN=<ORGANIZATION NAME>, CN=Federation Trusts.

    Note Replace the values in the placeholders (< >) with the values that are specific to your environment.
  7. Right-click CN=Microsoft Federation Gateway, and then click Properties.
  8. Double-click the msExchFedOrgNextCertificate property, and then copy the whole value.

    Note This value might be populated only if you experience the issue that's described in the "Problem" section. If the value isn't populated, you can't continue with the remaining steps.
  9. Close the msExchFedOrgNextCertificate property.
  10. Double-click the msExchFedOrgPrivCertificate property, and then paste the value that you copied in step 8. The thumbprint of the current certificate will be replaced with the thumbprint of the next certificate.
  11. Click OK to set the value.
  12. Manually force Active Directory replication. Or, wait for the change to replicate throughout your Active Directory infrastructure.

    Note For more information about how to force Active Directory replication, go to the following TechNet website:
    Force replication over a connection
  13. In the Exchange Management Console, run the Manage Federation Wizard again. The current certificate and the next certificate should be the same.
  14. Select the Roll certificate to make the next certificate as the current certificate check box, and then complete the steps in the wizard.
  15. Test the configuration by using the Test-FederationTrust cmdlet. The results should show that the validation of the federation certificate was successful.

    Note For more information about the Test-FederationTrust cmdlet, go to the following TechNet website:
    Test-FederationTrust
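The following PowerShell script is an added example, not part of this article and not Microsoft's own tooling. It performs the same check and repair that steps 6 through 11 describe for ADSI Edit: it locates the federation trust object, reads the msExchFedOrgPrivCertificate and msExchFedOrgNextCertificate values, confirms whether each thumbprint actually exists in the local computer certificate store (the condition described in the "Cause" section), and only copies the next thumbprint into the current attribute when you pass -Apply. It assumes that both attributes hold the thumbprint as a plain string (as the "copy the whole value" step implies), that the trust object is named "Microsoft Federation Gateway" under CN=Services in the Configuration naming context, and that the federation certificate lives in the Local Machine "My" store; none of these details are stated as such in the article. Run it on the hybrid server as a domain admin.

```powershell
# Added example (not from the KB article): inspect and optionally repair the
# federation trust object described in the Solution section.
# Assumptions not stated in the article:
#   - msExchFedOrgPrivCertificate / msExchFedOrgNextCertificate hold the
#     thumbprint as a plain string.
#   - The trust object is "CN=Microsoft Federation Gateway" somewhere under
#     CN=Services in the Configuration naming context.
#   - The federation certificate is expected in Cert:\LocalMachine\My.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Apply the script only reports; with it, the next thumbprint is
    # written into the current-certificate attribute (steps 8 to 11).
    [switch]$Apply
)

Add-Type -AssemblyName System.DirectoryServices

# Find the trust object without hard-coding the organization name.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Services,$configNc",
    "(cn=Microsoft Federation Gateway)")
$null = $searcher.PropertiesToLoad.Add("msExchFedOrgPrivCertificate")
$null = $searcher.PropertiesToLoad.Add("msExchFedOrgNextCertificate")
$result = $searcher.FindOne()
if (-not $result) { throw "Federation trust object not found under CN=Services,$configNc" }

$trust   = $result.GetDirectoryEntry()
$current = [string]$trust.Properties["msExchFedOrgPrivCertificate"].Value
$next    = [string]$trust.Properties["msExchFedOrgNextCertificate"].Value

Write-Host "Trust object : $($trust.distinguishedName)"
Write-Host "Current cert : $current"
Write-Host "Next cert    : $next"

if ([string]::IsNullOrWhiteSpace($next)) {
    throw "msExchFedOrgNextCertificate is empty; the repair steps in this article do not apply."
}

# Check each recorded thumbprint against the local machine store. A thumbprint
# that is recorded in AD but absent from the store is exactly what produces the
# "Federation certificate with the thumbprint ... cannot be found" error.
$nextInStore = $false
foreach ($pair in @(@{ Name = "current"; Thumb = $current }, @{ Name = "next"; Thumb = $next })) {
    $found = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $pair.Thumb }
    if ($found) {
        Write-Host "$($pair.Name) certificate is present in LocalMachine\My (expires $($found.NotAfter))"
        if ($pair.Name -eq "next") { $nextInStore = $true }
    } else {
        Write-Warning "$($pair.Name) certificate $($pair.Thumb) is NOT in LocalMachine\My"
    }
}

if ($current -eq $next) {
    Write-Host "Current and next thumbprints already match; run the Manage Federation Wizard (steps 13 and 14)."
    return
}

if ($Apply) {
    if (-not $nextInStore) {
        # Refuse to point the trust at a certificate the server does not have;
        # the rollover would fail again with the same error.
        throw "Next certificate $next is not installed locally; install it before updating AD."
    }
    if ($PSCmdlet.ShouldProcess($trust.distinguishedName, "Set msExchFedOrgPrivCertificate to $next")) {
        # Same change as ADSI Edit steps 8 to 11, done programmatically.
        $trust.Put("msExchFedOrgPrivCertificate", $next)
        $trust.SetInfo()
        Write-Host "Updated. Force or wait for AD replication (step 12), then re-run the wizard and Test-FederationTrust."
    }
}
```

Run it first without -Apply to see the two thumbprints and whether they exist in the store; then run it with -Apply -WhatIf to preview the AD write, and with -Apply to perform it. After replication, steps 13 to 15 of the article still apply: re-run the Manage Federation Wizard, select the roll-certificate check box, and validate with Test-FederationTrust.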

MORE INFORMATION

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.

Properties

Article ID: 2810692 - Last Review: July 9, 2014 - Revision: 7.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Microsoft Exchange Online
  • Microsoft Exchange Server 2010 Enterprise
  • Microsoft Exchange Server 2010 Service Pack 2
  • Microsoft Exchange Server 2010 Service Pack 3
Keywords: 
o365e hybrid o365 o365a o365022013 o365m KB2810692
