"Federation certificate with the thumbprint cannot be found" error when you make changes to federation trust

Applies to: Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Exchange Server 2013 Enterprise

Symptoms

Assume that you try to perform the following operations in an Exchange organization:
  • Make changes to your federation trust
  • Create a new certificate for your federation trust
  • Use federation services
  • Remove your federated domains or federation trust
In this situation, you receive an error message that resembles the following:
Federation certificate with the thumbprint [certificate thumbprint] cannot be found.

+ CategoryInfo: InvalidArgument: (:) [Set-FederationTrust], FederationCertificateInvalidException

+ FullyQualifiedErrorId: [Server=Server Name,RequestId=RequestId,TimeStamp=DateTime] [FailureCategory=Cmdlet-FederationCertificateInvalidException] D02898C6,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederationTrust

+ PSComputerName: ComputerName
This issue occurs after you recover the only Exchange server in your environment by using the Setup /m:RecoverServer option.

Cause

This issue occurs because the Exchange federation trust certificate (OrgPrivCertificate) that is referenced by the Microsoft Exchange federation trust object is missing from the recovered server. However, the federation configuration in Active Directory still records the certificate as present. Therefore, any cmdlet that edits, manipulates, or uses the federation trust looks for this certificate by its thumbprint and fails.

Workaround

To work around this issue, use the Active Directory Service Interfaces Editor (ADSI Edit) to delete the current federation trust and create a new one.

To do this, follow these steps:
  1. Open ADSI Edit. To do this, click Start, click Run, type ADSIEdit.msc, and then click OK.
  2. Locate CN=Federation,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com, and do the following:
    1. Clear the value of the msExchFedAccountNamespace attribute.
    2. Clear the value of the msExchFedDelegationTrust attribute.
    3. Set the value of the msExchFedIsEnabled attribute to False.
  3. Locate CN=Microsoft Federation Gateway,CN=Federation Trusts,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com, and remove the federation trust. For example, remove Microsoft Federation Gateway.
  4. Locate CN=Accepted Domains,CN=Transport Settings,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com, and clear the value of the msExchFedAcceptedDomainLink attribute for each accepted domain name.
  5. Re-create the federation trust. For more information, see Configure a federation trust.
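Before you delete the trust, it is worth confirming that the thumbprint recorded on the federation trust object really has no matching certificate on the server, because that mismatch is the cause described above. The following Exchange Management Shell script is an added example, not part of the original article; it assumes that Get-FederationTrust exposes OrgPrivCertificate, OrgPrevPrivCertificate and OrgNextPrivCertificate as certificate objects with a Thumbprint property, and that only one trust is configured.

```powershell
# Added diagnostic example (not from the KB article): compare the thumbprints the
# federation trust object references with the certificates actually installed on
# this server. Run in the Exchange Management Shell on the recovered server.
# Assumption: the *PrivCertificate properties are certificate objects with .Thumbprint.

$localThumbprints = Get-ExchangeCertificate | Select-Object -ExpandProperty Thumbprint

$trust = Get-FederationTrust | Select-Object -First 1
if ($null -eq $trust) {
    Write-Output "No federation trust is configured in this organization."
    return
}

$missing = @()
foreach ($slot in 'OrgPrivCertificate', 'OrgPrevPrivCertificate', 'OrgNextPrivCertificate') {
    $cert = $trust.$slot
    if ($null -eq $cert) { continue }          # slot not populated on this trust

    $thumb = $cert.Thumbprint
    if ($localThumbprints -contains $thumb) {
        Write-Output ("{0} {1}: present in the local certificate store" -f $slot, $thumb)
    } else {
        Write-Warning ("{0} {1}: referenced by the trust but NOT installed on this server" -f $slot, $thumb)
        $missing += $thumb
    }
}

if ($missing.Count -gt 0) {
    Write-Output "At least one referenced certificate is missing; Set-FederationTrust and related cmdlets will fail."
    Write-Output "Restore the certificate from another Exchange server if one exists; otherwise follow the ADSI Edit workaround."
} else {
    Write-Output "All referenced federation certificates are present; the error has a different cause."
}
```

If the script reports a missing thumbprint and the organization has no other Exchange server holding that certificate, the ADSI Edit steps above are the way forward. If another server does hold it, exporting and importing the certificate (see More Information) avoids rebuilding the trust.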

More Information

If you have multiple Exchange servers in your environment, you should be able to export and import the federation certificate from another server.
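The following Exchange Management Shell script is an added example of that export and import, not part of the original article. The server names, the UNC path and the choice of a password-protected PFX file are assumptions; it also assumes that Export-ExchangeCertificate and Import-ExchangeCertificate accept the -Server, -BinaryEncoded, -FileData, -Password and -PrivateKeyExportable parameters as in Exchange 2013 and 2016.

```powershell
# Added example (not from the KB article): copy the federation certificate, with its
# private key, from a healthy Exchange server to the recovered one so that the
# thumbprint recorded on the federation trust object resolves again.
# Assumed names: EX01 (still holds the certificate), EX02 (recovered server), and the path.

$sourceServer = 'EX01'                              # assumed name of the healthy server
$targetServer = 'EX02'                              # assumed name of the recovered server
$exportPath   = '\\EX02\C$\Temp\federation.pfx'     # assumed transfer location

# The trust object records the thumbprint it expects.
$thumbprint = (Get-FederationTrust | Select-Object -First 1).OrgPrivCertificate.Thumbprint
if (-not $thumbprint) { throw "Could not read OrgPrivCertificate from the federation trust." }

# Never write the private key out unprotected: prompt for a PFX password.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'

# Export from the server that still has the certificate.
$exported = Export-ExchangeCertificate -Server $sourceServer -Thumbprint $thumbprint `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($exportPath, $exported.FileData)

# Import on the recovered server. The key stays exportable so a later recovery can repeat this.
Import-ExchangeCertificate -Server $targetServer `
    -FileData ([System.IO.File]::ReadAllBytes($exportPath)) `
    -Password $pfxPassword -PrivateKeyExportable $true

# Verify that the recovered server now holds the expected thumbprint with its private key.
Get-ExchangeCertificate -Server $targetServer -Thumbprint $thumbprint |
    Format-List Subject, Thumbprint, HasPrivateKey, NotAfter

# Remove the transfer file once the import has been verified.
Remove-Item -Path $exportPath -Force
```

After the import, re-run the federation cmdlet that originally failed (for example Set-FederationTrust) to confirm the error no longer appears; if the verification step shows HasPrivateKey as False, the export did not include the private key and must be repeated.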