Microsoft periodically refreshes certificates in Office 365 as part of our effort to maintain a highly available and secure environment. Starting January 23rd, 2021, we are changing the certificate on our Microsoft Federation Gateway every six weeks, which could affect some customers as detailed in this knowledge base article. The good news is that you can easily avoid any disruption.
Who is affected?
This certificate change can affect any customer that is using the Microsoft Federation Gateway. If you are in a hybrid configuration or if you are sharing free/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker, you need to take action.
When will the change occur?
Starting January 23rd, 2021, the change is scheduled to recur every six weeks. You must take action before then to avoid any disruption.
What type of issues will you face if no action is taken?
If you don’t take action, you won’t be able to use services that rely on the Microsoft Federation Gateway. For example:
- A cloud user might not be able to see free/busy information for an on-premises user and vice versa.
- MailTips might not work in a Hybrid configuration.
- Cross-premises free/busy might stop working between organizations that have organization relationships in place.
Additionally, if you run the Test-FederationTrust cmdlet, you receive an error that indicates the delegation token failed validation. The output resembles the following:
Id : TokenValidation
Type : Error
Message : Failed to validate delegation token.
You might also receive one of the following error messages in Exchange Web Services (EWS) responses:
An error occurred when processing the security tokens in the message
Autodiscover failed for email address User@contoso.com with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message
What action should you take?
You can use the following command on your Exchange Server to create a scheduled task that runs the update process daily. This is how we recommend you keep your federation trust constantly updated, and it will prevent you from being negatively affected by future metadata changes.
Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010; $fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System
If you prefer not to use a scheduled task, you can run the following command manually at any time to refresh the metadata. The manual option is more cumbersome, because you will have to remember to run it every six weeks (or simply run it daily).
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
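As an added example that is not part of this article, the script below combines the metadata refresh with the Test-FederationTrust check described earlier, so a scheduled run records whether the new gateway certificate was actually picked up instead of silently succeeding. It assumes an Exchange server with the management snap-in named above; the mailbox, log path and script path are placeholders.

```powershell
# Refresh-FederationTrust.ps1 (added example, not the article's own command).
# Refreshes Microsoft Federation Gateway metadata for every federation trust,
# then runs Test-FederationTrust and exits non-zero if any result of Type
# 'Error' (such as Id 'TokenValidation') remains, so the failure shows up in
# the scheduled task's "Last Run Result" and in the log file.
param(
    [string]$MailboxForTest = 'user@contoso.com',            # placeholder: any on-premises mailbox
    [string]$LogPath = "$env:ProgramData\FedRefresh\FedRefresh.log"   # placeholder path
)

# Load the Exchange cmdlets when not already running in an Exchange Management Shell.
if (-not (Get-Command Get-FederationTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction Stop
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath
}

# 1. Pull the current metadata (including the new signing certificate) for each trust.
$trusts = @(Get-FederationTrust)
if ($trusts.Count -eq 0) { Write-Log 'No federation trust found; nothing to refresh.'; exit 0 }
foreach ($trust in $trusts) {
    Set-FederationTrust -Identity $trust.Name -RefreshMetadata
    Write-Log "Refreshed metadata for trust '$($trust.Name)'."
}

# 2. Verify: request a delegation token from the gateway and validate it.
$results = Test-FederationTrust -UserIdentity $MailboxForTest
$failed  = @($results | Where-Object { $_.Type -eq 'Error' })
foreach ($r in $results) { Write-Log ("{0,-20} {1,-8} {2}" -f $r.Id, $r.Type, $r.Message) }

if ($failed.Count -gt 0) {
    Write-Log "FAILED: $($failed.Count) error(s), first: $($failed[0].Id) - $($failed[0].Message)"
    exit 1
}
Write-Log 'OK: federation trust validated after refresh.'
exit 0

# Register it daily as SYSTEM, mirroring the article's schtasks approach (run once, elevated):
# schtasks /create /sc Daily /tn FedRefresh /ru System /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Refresh-FederationTrust.ps1"
```

Checking the task's last run result or the log after each Tuesday-night run gives you an early warning if a future certificate rollover is not picked up.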