@Andy David - MVP can you please look at my previous post and give me some guidance on this? I've also seen other posts in other places similar to my scenario and they were successful at removing the trust from their Exchange Admin Center and recreating it which updated everything with the new cert and all is good. I'm hoping my case is the same and that I can follow those steps as well.
Exchange Delegation Federation certificate expired
My Exchange Delegation Federation certificate on my Exchange 2016 on-premises server has expired.
We have a hybrid setup with Exchange Online.
Other than some test mailboxes on the on-premises Exchange 2016 server, all main mailboxes live in Exchange Online.
What is this expired cert used for?
Do I need to renew it?
It has been expired for two weeks and I am not noticing any issues.
I would like to better understand its purpose and use.
Joshua Thompson 201 Reputation points
2020-09-17T20:57:36.037+00:00 Thank you both for the reply.
Will running through these steps impact mail flow at all?
Joyce Shen - MSFT 16,641 Reputation points
2020-09-16T02:34:58.573+00:00 Hi @Joshua Thompson, as said above, the expiration of the federation certificate may cause an issue where free/busy and calendar information cannot be retrieved between the two environments.
If the federation certificate has already expired, you need to remove all federated domains from the federation trust, and then remove and recreate the federation trust. If you have multiple federated domains, you need to identify the primary shared domain so you can remove it last.
The main steps are listed below:
- Document the existing trust settings (federated domains, federation settings)
- Force remove each federated domain from the federation
- Remove the federation trust
- Wait for AD replication
- Create a new self-signed federation certificate
- Create a new federation trust
- Update the trust organisation information
- Configure the required settings in the trust (as per the documentation you created in step 1)
- Wait for AD replication
- Test the certificate and trust (Test-FederationTrustCertificate, Test-FederationTrust) – it can take 12-48 hours before the trust reports as being no longer expired!
- Add each of the federated domains back into the trust (this will involve generating domain ‘Proof’ entries and adding them to your external DNS, then waiting for DNS propagation)
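The remove/recreate sequence above, written out as an added Exchange Management Shell script (not code from this thread or from Microsoft's documentation). contoso.com, sales.contoso.com, C:\Temp and testuser@contoso.com are placeholders, and the DNS check assumes Resolve-DnsName is available on the server you run it from:

```powershell
# Placeholders: contoso.com is the primary shared domain (AccountNamespace),
# sales.contoso.com stands in for any additional federated domain.
$primaryDomain = "contoso.com"
$otherDomains  = @("sales.contoso.com")
$trustName     = "Microsoft Federation Gateway"

# Waits until the federation proof TXT record for a domain is publicly resolvable.
function Wait-ForDomainProof([string]$Domain, [string]$Proof) {
    do {
        Start-Sleep -Seconds 60
        $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    } until ($txt -and ($txt.Strings -contains $Proof))
}

# 1. Document the current trust and organization identifier before removing anything
Get-FederatedOrganizationIdentifier | Format-List | Out-File C:\Temp\federation-before.txt
Get-FederationTrust | Format-List | Out-File C:\Temp\federation-before.txt -Append

# 2. Force-remove the additional federated domains first, the primary shared domain last
foreach ($d in $otherDomains) { Remove-FederatedDomain -DomainName $d -Force }
Remove-FederatedDomain -DomainName $primaryDomain -Force

# 3. Remove the trust itself, then wait for AD replication before continuing
Remove-FederationTrust -Identity $trustName
Read-Host "Confirm AD replication has completed (e.g. repadmin /syncall), then press Enter"

# 4. New self-signed federation certificate; exportable so it can be copied to other servers
$cert = New-ExchangeCertificate -FriendlyName "Exchange Delegation Federation" `
    -SubjectName "cn=Exchange Delegation Federation" -Services Federation `
    -KeySize 2048 -PrivateKeyExportable $true

# 5. Recreate the trust with the new certificate and re-apply the organization identifier.
#    Set-FederatedOrganizationIdentifier needs the primary domain's proof record in place.
New-FederationTrust -Name $trustName -Thumbprint $cert.Thumbprint
$proof = (Get-FederatedDomainProof -DomainName $primaryDomain).Proof
Write-Host "Publish a TXT record for $primaryDomain with value: $proof"
Wait-ForDomainProof -Domain $primaryDomain -Proof $proof
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $trustName `
    -AccountNamespace $primaryDomain -Enabled $true

# 6. Add the remaining domains back, each after its own proof record is visible
foreach ($d in $otherDomains) {
    $proof = (Get-FederatedDomainProof -DomainName $d).Proof
    Write-Host "Publish a TXT record for $d with value: $proof"
    Wait-ForDomainProof -Domain $d -Proof $proof
    Add-FederatedDomain -DomainName $d
}

# 7. Verify; the trust can keep reporting as expired for 12-48 hours, so re-run these later
Test-FederationTrustCertificate
Test-FederationTrust -UserIdentity "testuser@$primaryDomain"
```

Run it from an elevated Exchange Management Shell during a window when free/busy lookups between the two environments can be unavailable; mailbox mail flow does not depend on the federation trust.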
Andy David - MVP 142.2K Reputation points MVP
2020-09-15T20:39:08.59+00:00 Well the hybrid configuration depends on it and is used essentially for free/busy sharing between your on-prem org and Exchange Online.
https://learn.microsoft.com/en-us/exchange/federation-exchange-2013-help
With all your mailboxes in ExO, you haven't noticed it however :)
If you re-run the Hybrid Wizard it will look for a valid Federation Cert and throw an error if one doesnt exist.
Example: https://techcommunity.microsoft.com/t5/exchange-team-blog/how-to-address-federation-trust-issues-in-hybrid-configuration/ba-p/1144285
Of course there is no absolute requirement to have it in your scenario, but it wouldn't hurt to create a new one and clean that up either:
https://learn.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help#replace-an-expired-federation-certificate
https://learn.microsoft.com/en-us/exchange/configure-a-federation-trust-exchange-2013-help
and it's pretty easy to do.