Free/busy lookups stop working in a cross-premises environment or an Exchange Server hybrid deployment

Note

The Hybrid Configuration wizard included in the Exchange Management Console in Microsoft Exchange Server 2010 is no longer supported. Therefore, you should no longer use the old Hybrid Configuration wizard. Instead, use the Microsoft 365 Hybrid Configuration wizard available at https://aka.ms/HybridWizard. For more information, see Microsoft 365 Hybrid Configuration wizard for Exchange 2010.

Symptoms

Free/Busy lookups stop working for users in a cross-premises environment, or in a hybrid deployment of on-premises Exchange Server and Exchange Online. Additionally, these issues may extend to other features that rely on the Microsoft Federation Gateway.

If you run the Test-FederationTrust cmdlet, you receive an error message that indicates that the Delegation token has validation issues. For example, you receive an error message that resembles the following:

    Id : TokenValidation
    Type: Error
    Message : Failed to validate delegation token.

Additionally, you might receive one of the following error messages in the Exchange Web Services (EWS) Responses:

An error occurred when processing the security tokens in the message

Autodiscover failed for email address User@contoso.com with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message

Cause

This issue occurs if the certificate, and other metadata information, in the Microsoft Federation Gateway (or in the on-premises environment) becomes outdated or invalid.

Resolution

To resolve this issue, refresh the metadata by running the Get-FederationTrust | Set-FederationTrust -RefreshMetadata command.

Note

This command updates the information used for the Federation trust. You won't have to re-create organization relationships or sharing policies. The commands must be run in the target environment of the Free/Busy request.

  1. Open the Exchange Management Shell on the on-premises Exchange server.

  2. Run the following cmdlet:

    Get-FederationTrust | Set-FederationTrust -RefreshMetadata
    

More information

This issue could affect any environment that uses the Microsoft Federation Gateway. These environments include on-premises organizations that have set up free/busy, or sharing policies, between their organization and either other on-premises organizations, or Exchange Online in Microsoft 365.

To run the procedure in the Resolution section as an automated task and prevent future issues, open a command prompt on the Exchange server, then run the following command. Doing this updates the Federation trust daily.

    Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; $fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System
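The refresh from the Resolution section followed by a validation pass, so that a trust that is still broken after the refresh is reported instead of going unnoticed. This is an added example, not part of the original article; the `$UserIdentity` script parameter, the variable names and the exit codes are assumptions chosen for illustration.

```powershell
# Added example (not from the original article). Refreshes federation metadata,
# then checks that Test-FederationTrust no longer reports errors.
param(
    # Hypothetical script parameter: mailbox used for the token request.
    # If empty, Test-FederationTrust falls back to its default test mailbox.
    [string]$UserIdentity
)

# Same snap-in the scheduled task on this page loads; harmless if already loaded.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

# Refresh every trust individually so more than one trust is handled.
foreach ($trust in @(Get-FederationTrust)) {
    Write-Output ("Refreshing metadata for federation trust '{0}'" -f $trust.Name)
    Set-FederationTrust -Identity $trust.Name -RefreshMetadata
}

# Each result object carries Id, Type and Message, as in the Symptoms output.
if ($UserIdentity) {
    $results = @(Test-FederationTrust -UserIdentity $UserIdentity)
} else {
    $results = @(Test-FederationTrust)
}

# Keep only the checks that failed (for example Id TokenValidation).
$problems = @($results | Where-Object { "$($_.Type)" -eq 'Error' })
foreach ($p in $problems) {
    Write-Output ("FAILED {0}: {1}" -f $p.Id, $p.Message)
}

# Exit codes are this example's own convention: 0 = valid, 1 = errors, 2 = unverified.
if ($results.Count -eq 0) {
    Write-Output 'Test-FederationTrust returned no results; treat the trust as unverified.'
    exit 2
}
if ($problems.Count -gt 0) { exit 1 }
Write-Output 'Federation trust validated after metadata refresh.'
exit 0
```

Saved as a script and started with `powershell.exe -File`, the exit code becomes the task's last run result, which gives monitoring something to alert on.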
