Federation trust and sharing errors for federated Exchange 2010 organizations

Applies to: Exchange Server 2010 StandardExchange Server 2010 Enterprise

Problem


Federated sharing features for an Exchange 2010 organization stop working correctly after February 25, 2014. You or your federated sharing partners may see errors that affect federation trust and sharing features.

Cause


Microsoft has discontinued federation trust support for the consumer instance of the Microsoft Federation Gateway. Currently, only federation trusts in the business instance of the Microsoft Azure AD authentication system are supported.

By default, the following Exchange organizations use the consumer instance of the Microsoft Federation Gateway and are immediately affected by this change in support:
  • Release to manufacturing (RTM) versions of Exchange 2010 that have set up federation trusts for sharing free/busy calendar information together with other federated organizations
  • Exchange organizations that are hosted by Microsoft Live@edu
By default, the following Exchange organizations use the business instance of the Microsoft Azure AD authentication system and are not affected by this change:
  • Exchange 2013 (or later version) organizations that use the Enable Federation Trust wizard
  • Exchange 2010 Service Pack 1 (SP1) (or later version) organizations that use the New Federation Trust wizard
  • Exchange organizations that are hosted by Office 365, such as Exchange Online
  • Federation trusts that are configured to support hybrid deployments between Exchange 2010 organizations and Exchange Online
If you are using Azure, and you have to verify which Microsoft Azure AD authentication system instance your Exchange organization is using for an existing federation trust, run the following command in the Exchange Management Shell: 
Get-FederationInformation -DomainName <your hosted Exchange domain namespace> 

The consumer instance returns a value of <uri:WindowsLiveID> for the TokenIssuerURIs parameter.

Resolution


To resolve this issue, Exchange 2010 organizations and any affected federated Exchange 2010 partner organizations must remove their existing federation trusts and create new federation trusts by using the Microsoft Azure AD authentication system. To do this, follow these steps:
  1. Identify your federated domains

    Run the following cmdlet in the Exchange Management Shell to identify the federated domains and AccountNamespace:
    Get-FederatedOrganizationIdentifier 
  2. Remove the federated domains

    Run the following cmdlet in the Exchange Management Shell to remove each federated domain:
    Remove-FederatedDomain -DomainName <your federated domain> -force 
  3. Remove AccountNamespace

    Run the following cmdlet in the Exchange Management Shell to remove AccountNamespace:
    Remove-FederatedDomain -DomainName <your AccountNamespace> -force 
  4. Remove the federation trust

    Run the following cmdlet in the Exchange Management Shell to remove the federation trust:
    Get-FederationTrust | Remove-FederationTrust 
    For more information, see Replace an expired federation certificate and Remove-FederationTrust.
  5. Create a new federation trust

    For more information, see Create a Federation Trust.