Consider the following scenario in a hybrid deployment of on-premises Exchange Server and Exchange Online in Office 365:
- The current certificate that was created for the federation trust on the hybrid server is unintentionally deleted.
- The current certificate must be replaced for the trust to work correctly.
- A new certificate is created.
- You run the Manage Federation Wizard, and then you select the Roll certificate to make the next certificate as the current certificate check box to use the new certificate.
In this scenario, the wizard doesn't update the certificate as expected. When you try to use the Set-FederationTrust -Identity
cmdlet to make the federation trust use the next certificate as the current certificate, you receive the following error message:
[PS] C:\>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
Federation certificate with the thumbprint "<thumbprint of the current certificate>" cannot be found.
+ CategoryInfo : InvalidResult: (:) [Set-FederationTrust], FederationCertificateInvalidException
+ FullyQualifiedErrorId : 906B427C,Microsoft.Exchange.Management.SystemConfigurationTasks
This issue occurs if the new certificate is missing from the certificate store. In this case, the Manage Federation Wizard can't roll to the new certificate.
To fix this issue, update the Active Directory object for the federation trust by adding the thumbprint for the next federation certificate to the object. This lets the Manage Federation Wizard or the Set-FederationTrust
cmdlet successfully process the rollover request.
To do this, follow these steps:
- Log on to the Exchange 2010 hybrid deployment server as a domain admin.
- Open Active Directory Service Interfaces (ADSI) Edit. To do this, click Start, click Run, type ADSIEdit.msc, and then click OK.
- After the ADSI Edit window is loaded, right-click ADSI Edit in the navigation pane, and then click Connect To.
- In the Connection Settings window, click Select a well known Naming Context in the Connection Point area, and then click Configuration.
- In the Computer area, select Default (Domain or server that you are logged into), and then click OK.
- Locate CN=Configuration, DC=<DOMAIN>, DC=<COM>, CN=Services , CN=Microsoft Exchange, CN=<ORGANIZAION NAME>, CN=Federation Trusts.
Note Replace the values in the placeholders (< >) with the values that are specific to your environment.
- Right-click CN=Microsoft Federation Gateway, and then click Properties.
- Double-click the msExchFedOrgNextCertificate property, and then copy the whole value.
Note This value might be populated only if you experience the issue that's described in the "Symptoms" section. If the value isn't populated, you can't continue with the remaining steps.
- Close the msExchFedOrgNextCertificate property.
- Double-click the msExchFedOrgPrivCertificate property, and then paste the value that you copied in step 8. The thumbnail of the current certificate will be replaced with the thumbnail of the next certificate.
- Click OK to set the value.
- Manually force Active Directory replication. Or, wait for the change to replicate throughout your Active Directory infrastructure.
Note For more information about how to force Active Directory replication, go to the following TechNet website:
- In the Exchange Management Console, run the Manage Federation Wizard again. The current certificate and the next certificate should be the same.
- Select the Roll certificate to make the next certificate as the current certificate check box, and then complete the steps in the wizard.
- Test the configuration by using the Test-Federation cmdlet. The results should show that the validation of the federation certificate was successful.
Note For more information about the Test-FederationTrust cmdlet, go to the following TechNet website:
Still need help? Go to the Office 365 Community
Article ID: 2810692 - Last Review: June 4, 2013 - Revision: 5.0
- Microsoft Office 365 for education (pre-upgrade)
- Microsoft Office 365 for enterprises (pre-upgrade)
- Microsoft Exchange Online
- Microsoft Exchange Server 2010 Enterprise
- Microsoft Exchange Server 2010 Service Pack 2
- Microsoft Exchange Server 2010 Service Pack 3
|o365e o365062011 hybrid o365 o365a o365022013 pre-upgrade after upgrade o365m KB2810692|