Exchange Delegation Federation certificate expired

Joshua Thompson 201 Reputation points
2020-09-15T20:22:22.89+00:00

My Exchange Delegation Federation certificate on my Exchange 2016 on-premises server has expired.
We have a hybrid setup with Exchange online.

Other than some test mailboxes on the on-premises Exchange 2016 all main mailboxes live on Exchange online.

What is this expired cert used for?
Do I need to renew it?

It has been expired for two weeks and I am not noticing any issues.

I would like to better understand its purpose and use.

Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
2,165 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Andy David - MVP 150.4K Reputation points MVP
    2020-09-15T20:39:08.59+00:00

    Well the hybrid configuration depends on it and is used essentially for free/busy sharing between your on-prem org and Exchange Online.

    https://learn.microsoft.com/en-us/exchange/federation-exchange-2013-help

    With all your mailboxes in ExO, you haven't noticed it however :)

    If you re-run the Hybrid Wizard it will look for a valid Federation Cert and throw an error if one doesnt exist.
    Example: https://techcommunity.microsoft.com/t5/exchange-team-blog/how-to-address-federation-trust-issues-in-hybrid-configuration/ba-p/1144285

    Of course there is no absolute requirement to have it in your scenario, but it wouldnt hurt to create a new one and clean that up either
    https://learn.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help#replace-an-expired-federation-certificate

    https://learn.microsoft.com/en-us/exchange/configure-a-federation-trust-exchange-2013-help

    and its pretty easy to do.

    2 people found this answer helpful.

  2. Joyce Shen - MSFT 16,671 Reputation points
    2020-09-16T02:34:58.573+00:00

    Hi @Joshua Thompson , as said above, the expiration of the federation certificate may cause the issue unable to retrieve free/busy and calendar information between the two environments.

    If the federation certificate has already expired, you need to remove all federated domains from the federation trust, and then remove and recreate the federation trust. If you have multiple federated domains, you need to identify the primary domain shared domain so you can remove it last.

    mainly steps list below:

    1. Document the existing trust settings (federated domains, federation settings)
    2. Force remove each federated domain from the federation
    3. Remove the federation trust
    4. Wait for AD replication
    5. Create a new self-signed federation certificate
    6. Create a new federation trust
    7. Update the trust organisation information
    8. Configure the required settings in the trust (as per the documentation you created in step 1)
    9. Wait for AD replication
    10. Test the certificate and trust (Test-FederationTrustCertificate, Test-FederationTrust) – it can take 12-48 hours before the trust reports as being no longer expired!
    11. Add each of the federated domains back into the trust (this will involve generating domain ‘Proof’ entries and adding them to your external DNS, then waiting for DNS propagation)

    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  3. Joshua Thompson 201 Reputation points
    2020-09-17T20:57:36.037+00:00

    Thank you both for the reply.

    Will running through these steps impact mail flow at all?


  4. Angel Castillo 31 Reputation points
    2022-02-10T15:52:10.973+00:00

    @Andy David - MVP can you please look at my previous post and give me some guidance on this? I've also seen other posts in other places similar to my scenario and they were successful at removing the trust from their Exchange Admin Center and recreating it which updated everything with the new cert and all is good. I'm hoping my case is the same and that I can follow those steps as well.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.