WW-6729 asked

Exchange Delegation Federation certificate expired

Hello! Need help with an expired Exchange Delegation Federation certificate. I've managed to renew the certificate following these MS sites:

https://docs.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help#replace-an-expired-federation-certificate

https://docs.microsoft.com/en-us/exchange/configure-a-federation-trust-exchange-2013-help

We have a hybrid environment where our on-prem users can't see our online users' free/busy calendar information. This was because our Exchange Delegation Federation certificate expired. After we renewed it, the free/busy problem stayed. We figured that it might be a problem with the Auth Configuration (get-authconfig |fl) CurrentCertificateThumbprint value, where this value is still from the previous Exchange Delegation Federation certificate.

Does anybody have experience with this? If we change this value to our new Exchange Delegation Federation certificate thumbprint, are there any steps to do after changing that value? Some sites mention that we need to publish this certificate and also start HCW (this site: http://www.wave16.com/2018/06/test-oauthconnectivity-errormissing.html)

Will changing this Auth Configuration value for CurrentCertificateThumbprint to our new CurrentCertificateThumbprint have an impact on our mail flow or something else?

Is it possible to auto-renew this certificate?

Thank you!

office-exchange-hybrid-itpro

KyleXu-MSFT answered

@GK-6729

The "get-authconfig" is used to check the "Microsoft Exchange Server Auth Certificate", which is different from the "Exchange Delegation Federation certificate". You can follow this article to renew this certificate and clear the old certificate.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

After modifying those two certificates, I would suggest you rerun HCW to update this configuration.

The renewal procedure is simple and will not affect mail flow. But the best practice is to modify the Exchange server when it is idle.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
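
The distinction drawn in this answer can be checked directly. The following is an added example, not part of the original thread: a read-only Exchange Management Shell script that lists the certificates referenced by the auth configuration and by the federation trust side by side, with their expiry status. The helper name `Get-CertStatus` and the 60-day warning window are assumptions made for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on an on-premises Exchange server. Read-only: it changes no configuration.

$WarnDays = 60   # assumption: warning window chosen for this example

function Get-CertStatus {   # hypothetical helper name
    param([string]$Role, [string]$Thumbprint)

    if ([string]::IsNullOrEmpty($Thumbprint)) {
        return [pscustomobject]@{ Role = $Role; Thumbprint = '(not set)'
                                  Subject = $null; NotAfter = $null; Status = 'NotSet' }
    }
    # Resolve the thumbprint against the certificates installed on this server.
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
    if (-not $cert) {
        $status = 'MissingFromStore'
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $status = 'Expired'
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        $status = 'ExpiresSoon'
    } else {
        $status = 'Valid'
    }
    [pscustomobject]@{ Role = $Role; Thumbprint = $Thumbprint
                       Subject = $cert.Subject; NotAfter = $cert.NotAfter; Status = $status }
}

# Microsoft Exchange Server Auth Certificate (what Get-AuthConfig reports).
$auth = Get-AuthConfig
$rows = @(
    Get-CertStatus 'AuthConfig.Current'  $auth.CurrentCertificateThumbprint
    Get-CertStatus 'AuthConfig.Previous' $auth.PreviousCertificateThumbprint
    Get-CertStatus 'AuthConfig.Next'     $auth.NextCertificateThumbprint
)

# Exchange Delegation Federation certificate (what the federation trust uses).
foreach ($trust in Get-FederationTrust) {
    $rows += Get-CertStatus "Federation[$($trust.Name)].Org"     $trust.OrgCertificate.Thumbprint
    $rows += Get-CertStatus "Federation[$($trust.Name)].OrgNext" $trust.OrgNextCertificate.Thumbprint
    $rows += Get-CertStatus "Federation[$($trust.Name)].OrgPrev" $trust.OrgPrevCertificate.Thumbprint
}

$rows | Format-Table Role, Status, NotAfter, Thumbprint, Subject -AutoSize

# List any thumbprint that appears under both an AuthConfig and a Federation role.
$rows | Where-Object { $_.Thumbprint -ne '(not set)' } | Group-Object Thumbprint |
    Where-Object { @($_.Group.Role -replace '[.\[].*$' | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { "Shared by both configurations: $($_.Name)" }
```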


@GK-6729

I am writing here to check whether there is any update on this thread.
If the above suggestion helps, please feel free to mark it as an answer to help more people.

WW-6729 answered

Hello KyleXu, thank you for the response.

Will things work if I just put the thumbprint of our new Exchange Delegation Federation certificate under Auth Configuration? This was obviously done the first time, because I have no explanation why Auth Configuration has the thumbprint of our old Exchange Delegation Federation certificate. Is this type of configuration acceptable, or does MS recommend having one certificate for Exchange Delegation Federation and one certificate for Auth Configuration?

If we go with the creation of a new Auth Configuration certificate, will it have an impact on something in our environment, because I see that this certificate is also used for Lync, SharePoint...?

Thank you!


I would suggest you renew it in the correct way; the way that you said isn't supported. Renewing the certificate will not affect the use of other servers.
