ZichaoWu-7449 asked YukiSun-MSFT commented

Test-FederationTrust failed

[PS] C:\Windows\system32>Test-FederationTrust -UserIdentity Test@olivertest.site


Begin process.

STEP 1 of 6: Getting ADUser information for Test@olivertest.site...
RESULT: Success.

STEP 2 of 6: Getting FederationTrust object for Test@olivertest.site...
RESULT: Success.

STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.
RESULT: Success.

STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
WARNING: Could not retrieve orgPrivCertificate from GetOrganizationCertificates

Closing Test-FederationTrust...


RunspaceId : e6e79ace-6411-41cc-bceb-df4267e68d7b
Id : FederationTrustConfiguration
Type : Success
Message : FederationTrust object in ActiveDirectory is valid.

RunspaceId : e6e79ace-6411-41cc-bceb-df4267e68d7b
Id : FederationMetadata
Type : Success
Message : The federation trust contains the same certificates published by the security token service in its
federation metadata.

RunspaceId : e6e79ace-6411-41cc-bceb-df4267e68d7b
Id : StsCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : e6e79ace-6411-41cc-bceb-df4267e68d7b
Id : StsPreviousCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : e6e79ace-6411-41cc-bceb-df4267e68d7b
Id : OrganizationCertificate
Type : Error
Message : Certificate referenced by property OrgPrivCertificate in the FederationTrust object is expired.

Error: GetOrganizationCertificates(federationTrust) returned null when called in Process()
+ CategoryInfo : NotSpecified: (:) [], LocalizedException
+ FullyQualifiedErrorId : [Server=EX2016,RequestId=e2c5044d-0901-426a-8c7f-fdf80ea72cec,TimeStamp=7/3/2021 10:00:45 AM] [FailureCategory=Cmdlet-LocalizedException] 531E662F
+ PSComputerName : ex2016.olivertest.site


Step 4 shows a warning, and step 6 shows an error saying the "FederationTrust object is expired." However, this is a newly created federation trust in the Exchange 2016 EAC, and I also tried manually removing and re-creating it, but the same issue persists. Please help, thanks.

Oliver

office-exchange-server-administration

1 Answer

YukiSun-MSFT answered YukiSun-MSFT commented

Hi @ZichaoWu-7449,

According to the error message "Certificate referenced by property OrgPrivCertificate in the FederationTrust object is expired.", it seems like the issue is with the certificate used as OrgPrivCertificate. But from your description, this is a newly created federation trust, so you have also confirmed that the certificate used as OrgPrivCertificate is still valid, right?

If this has been checked: the Microsoft Federation Gateway uses UTC time, which is usually different from the local time used by the Exchange server, and based on my research this could result in the same error message, so it's suggested to give it a few more hours and run Test-FederationTrust again to see if it succeeds.

Here's a similar thread for reference:
test-federationtrust errors


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hello YukiSun,

Thanks a lot. Actually, after waiting some hours, it is now working.

Great! Glad to know that it works now : )
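
One way to check the certificate validity window in UTC instead of server-local time, as the answer suggests. This is an added example, not part of the original thread or of Exchange itself: the helper name Test-CertWindowUtc, the sample dates and the 8-hour offset are constructed, and the commented live usage assumes OrgPrivCertificate holds the certificate thumbprint.

```powershell
# Added example. Test-CertWindowUtc is a hypothetical helper, not an Exchange cmdlet.
function Test-CertWindowUtc {
    param(
        [Parameter(Mandatory)] [datetime] $NotBefore,
        [Parameter(Mandatory)] [datetime] $NotAfter,
        [datetime] $NowUtc = [datetime]::UtcNow,
        # Server's current offset from UTC (for example +08:00).
        [timespan] $UtcOffset = [System.TimeZoneInfo]::Local.GetUtcOffset([datetime]::Now)
    )
    # Compare everything in UTC so the result does not depend on the server's time zone.
    $startUtc = $NotBefore.ToUniversalTime()
    $endUtc   = $NotAfter.ToUniversalTime()

    if ($NowUtc -lt $startUtc) {
        $state = 'NotYetValid'
    } elseif ($NowUtc -gt $endUtc) {
        $state = 'Expired'
    } else {
        $state = 'Valid'
    }

    # Assumption taken from the answer: a certificate younger than the local/UTC
    # offset can still be reported as invalid by a party that evaluates it in UTC.
    $age    = $NowUtc - $startUtc
    $offset = $UtcOffset.Duration()
    $tooNew = ($state -eq 'Valid') -and ($age -lt $offset)
    $waitHours = if ($tooNew) { [math]::Round(($offset - $age).TotalHours, 1) } else { 0 }

    [pscustomobject]@{
        State              = $state
        NotBeforeUtc       = $startUtc
        NotAfterUtc        = $endUtc
        WithinOffsetWindow = $tooNew
        SuggestedWaitHours = $waitHours
    }
}

# Constructed sample: certificate created 30 minutes ago on a UTC+8 server.
$asUtc = { param($s) [datetime]::SpecifyKind([datetime]$s, 'Utc') }
Test-CertWindowUtc -NotBefore (& $asUtc '2021-07-03T02:00:00') `
    -NotAfter (& $asUtc '2026-07-03T02:00:00') `
    -NowUtc (& $asUtc '2021-07-03T02:30:00') `
    -UtcOffset ([timespan]::FromHours(8)) | Format-List

# Against a live server (Exchange Management Shell), assuming OrgPrivCertificate
# holds the thumbprint of the organization certificate:
#   $cert = Get-ExchangeCertificate -Thumbprint (Get-FederationTrust).OrgPrivCertificate
#   Test-CertWindowUtc -NotBefore $cert.NotBefore -NotAfter $cert.NotAfter
```

If State is Expired here, the certificate really is past its NotAfter date and waiting will not clear the error.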