Hi everyone,
I'm in the process of attempting to set up an Exchange 2010 Federation Trust with the MFG so as to create an Organization Relationship with a partner organization (we are running Exchange 2010 SP1 in both organizations), however I'm hitting a strange issue I'm hoping someone may be able to help with.
I have successfully set up the trust with the MFG using the namespace exchangedelegation.mycompany.com, and created the external DNS TXT record for the domain proof for this domain. I have also successfully added the DNS TXT record for the domain proof for the namespace mycompany.com, which I have then added to the trust with the MFG - so far so good.
Now, when I run a Test-FederationTrust, I get the following results:
-----------------------------------------------------------------------------------------
RunspaceId : 25acdf33-9130-427e-8ca2-b2f74d72764f
Id : FederationTrustConfiguration
Type : Success
Message : FederationTrust object in ActiveDirectory is valid.
RunspaceId : 25acdf33-9130-427e-8ca2-b2f74d72764f
Id : FederationMetadata
Type : Success
Message : The federation trust contains the same certificates published by the security token service in its federation metadata.
RunspaceId : 25acdf33-9130-427e-8ca2-b2f74d72764f
Id : StsCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
RunspaceId : 25acdf33-9130-427e-8ca2-b2f74d72764f
Id : StsPreviousCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
RunspaceId : 25acdf33-9130-427e-8ca2-b2f74d72764f
Id : OrganizationCertificate
Type : Error
Message : Certificate referenced by property OrgPrivCertificate in the FederationTrust object is expired.
-----------------------------------------------------------------------------------------
I have tried removing the trust with the MFG as well as removing the self-signed certificate created for Federation and recreating from scratch, however I hit the same error every time. I have verified that the certificate that is in use for Federation is valid, so I'm a little stumped here.
If I attempt to run a Get-FederationInformation for my domain, I get the following results:
-----------------------------------------------------------------------------------------
Get-FederationInformation -DomainName mycompany.com
Federation information could not be received from the external organization.
+ CategoryInfo : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
+ FullyQualifiedErrorId : A83969B0,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
-----------------------------------------------------------------------------------------
If I try to run a Get-FederationInformation for microsoft.com, I get the following results (after seeing it start to retrieve info for xbox.com, microsoft.com, exchange.microsoft.com, windows.microsoft.com and zune.net):
-----------------------------------------------------------------------------------------
WARNING: An unexpected error has occurred and a Watson dump is being generated: Operation is not valid due to the
current state of the object.
Operation is not valid due to the current state of the object.
+ CategoryInfo : NotSpecified: (:) [Get-FederationInformation], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
-----------------------------------------------------------------------------------------
I'm wondering if this could be related to the fact that the Federation Trust has been created and removed a couple of times prior, and there may be remnants from that at play.
Any thoughts would be most welcome...
Cheers,
Cameron
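The checks below are an added example written for this thread, not a script from Cameron or from Microsoft. They run in the Exchange Management Shell on an Exchange 2010 server and cover the three things the Test-FederationTrust output above calls into question: which certificate the trust object actually references (by thumbprint), whether that certificate is valid on this server's clock and present in the local store with a private key, and whether the domain-proof TXT records in DNS still match what Exchange derives from the current certificate. Assumptions: that Get-FederationTrust exposes OrgPrivCertificate / OrgCertificate / OrgPrevCertificate as X509Certificate2 objects with Thumbprint, NotBefore and NotAfter, and that Get-FederatedDomainProof returns objects with Thumbprint and Proof properties; the domain names are the ones from the post.

```powershell
# Added diagnostic example (not from the original post). Run in the Exchange
# Management Shell on an Exchange 2010 server as an account with Organization
# Management rights. Read-only: it changes nothing.

$trust = Get-FederationTrust | Select-Object -First 1
if (-not $trust) { Write-Warning 'No federation trust object found in AD'; return }
"Trust: $($trust.Name)"
"Server time (local / UTC): $(Get-Date) / $((Get-Date).ToUniversalTime())"

# 1. Which certificates does the trust reference, and are they valid *now* on this
#    server's clock? An 'expired' verdict for a certificate that looks fine in the
#    certificate store usually means the trust still points at an older thumbprint
#    or the server clock is off.
$now = Get-Date
foreach ($prop in 'OrgPrivCertificate', 'OrgCertificate', 'OrgPrevCertificate') {
    $cert = $trust.$prop                     # assumption: X509Certificate2
    if (-not $cert) { "{0,-20} <not set>" -f $prop; continue }

    $status = if ($cert.NotAfter -lt $now)       { 'EXPIRED' }
              elseif ($cert.NotBefore -gt $now)  { 'NOT YET VALID (check clock)' }
              else                               { 'valid' }

    # Is the same certificate installed locally, with its private key?
    $local = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint -ErrorAction SilentlyContinue
    $inStore = if ($local) { "in store, privateKey=$($local.HasPrivateKey)" } else { 'NOT in local store' }

    "{0,-20} {1} {2:u} .. {3:u} {4}; {5}" -f $prop, $cert.Thumbprint,
        $cert.NotBefore, $cert.NotAfter, $status, $inStore
}

# 2. Certificates in the local store that advertise the federation subject but are
#    not referenced by the trust: a newly created self-signed certificate that the
#    trust was never re-pointed at shows up here.
$referenced = @('OrgPrivCertificate', 'OrgCertificate', 'OrgPrevCertificate') |
    ForEach-Object { $trust.$_ } | Where-Object { $_ } | ForEach-Object { $_.Thumbprint }
Get-ExchangeCertificate | Where-Object {
    $_.Subject -like '*Federation*' -and $referenced -notcontains $_.Thumbprint
} | ForEach-Object {
    "Unreferenced federation cert: $($_.Thumbprint) $($_.Subject) expires $($_.NotAfter)"
}

# 3. Domain proof: the TXT value is derived from the certificate, so recreating the
#    certificate changes the expected proof and the DNS record must be updated.
foreach ($domain in 'exchangedelegation.mycompany.com', 'mycompany.com') {
    "--- domain proof for $domain"
    Get-FederatedDomainProof -DomainName $domain |                # assumption: Thumbprint/Proof props
        ForEach-Object { "  expected (cert {0}): {1}" -f $_.Thumbprint, $_.Proof }
    "  published TXT:"
    nslookup -type=TXT $domain 2>$null | Where-Object { $_ -match 'text' } |
        ForEach-Object { "    $($_.Trim())" }
}
```

Two things to read off the output: if section 1 shows OrgPrivCertificate with a thumbprint that differs from the certificate you recreated (section 2 lists it as unreferenced), the trust object is still bound to the old certificate and Test-FederationTrust will keep reporting on that one; the documented way to re-point it is Set-FederationTrust with the new thumbprint (followed by republishing and re-running Test-FederationTrust). If section 3 shows an expected proof string that is not among the published TXT values, the DNS record was cut for an earlier certificate and the MFG will not accept the domain until it is updated.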