Applies to: Exchange Server 2010 SP1
Topic Last Modified: 2012-07-23
Estimated time to complete: 15 minutes
Federated delegation is a relationship established between your on-premises organization and the cloud-based service that uses a federation trust with the Microsoft Federation Gateway. Federated delegation is a requirement for configuring centralized mail delivery and many mailbox management features. Additionally, when coupled with configuring an organization relationship between the Exchange organizations, it enables users in both organizations to share their calendar availability (free/busy) information with each other. Federated delegation is also a requirement for other rich messaging features such as MailTips, Message Tracking, and Multi-Mailbox Search.
Configuring federated delegation for your on-premises organization requires several steps:
- Create a federation trust with the Microsoft Federation Gateway
for your on-premises organization. (A federation trust with the
gateway for the cloud-based organization is automatically created
when you create the cloud-based service account.)
- Create domain proofs for the domain you want to use as the
account namespace and for any other domain you want to add as a
federated domain on the Microsoft Federation Gateway. We recommend
that you use a domain namespace for the federated account namespace
that's different from the domain you're using as your primary SMTP
domain. To differentiate that this subdomain is used for federated
delegation functionality, we recommend creating a separate
subdomain of "exchangedelegation". An example of a federated
delegation subdomain is exchangedelegation.contoso.com.
- Create a text (TXT) record in the Domain Name System (DNS) zone
of each accepted domain you want to federate. The TXT record
contains the federated domain proof encryption string generated in
the previous step.
- Configure the domains for federation.
Learn more at: Understanding Federated Delegation
Caution: This topic is meant to be read as part of the Microsoft Exchange Server 2003 and Office 365 Hybrid Deployment checklist. Information or procedures in this topic may depend on prerequisites configured in topics earlier in the checklist. To view the checklist, see Checklist - Exchange 2003 and Office 365 Hybrid Deployment.
How do I create a federation trust with the Microsoft Federation Gateway?
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in Exchange and Shell Infrastructure Permissions.
You can use the New Federation Trust wizard in the Exchange Management Console (EMC) on the hybrid server to create the federation trust with the Microsoft Federation Gateway for the on-premises organization.
- In the console tree, click Organization Configuration
for the on-premises Exchange forest.
- In the action pane, click New Federation Trust.
- On the New Federation Trust page, click New.
Note: This automatically creates a self-signed certificate for the federation trust with the gateway and deploys the self-signed certificate to the Exchange servers in your organization. The default name of the new federation trust is Microsoft Federation Gateway.
- On the Completion page, click Finish to close the
wizard.
How do I create domain proofs for federated domains?
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in Exchange and Shell Infrastructure Permissions.
You must use the Exchange Management Shell to create the domain proofs for your federation domain and your primary SMTP domain. Run the Get-FederatedDomainProof cmdlet for both of these domains.
This example generates the domain proof string used for the TXT record for the federated delegation domain exchangedelegation.contoso.com and the primary SMTP domain contoso.com.
Get-FederatedDomainProof -DomainName exchangedelegation.contoso.com
Get-FederatedDomainProof -DomainName contoso.com
Save the output values returned in the Proof field because you'll need them in the next step. Paste the output values into a text editor, such as Notepad, so that you can copy each one from the text editor and paste it into the Text field of the corresponding TXT record.
How do I create a TXT record in DNS for the accepted domains?
Now you must add TXT records for both the exchangedelegation.contoso.com domain and the contoso.com domain. Each TXT record must include the domain proof string that was generated when you ran the Get-FederatedDomainProof cmdlet in the previous step. For example, if the federated domain is exchangedelegation.contoso.com and your primary SMTP domain is contoso.com, the TXT records would be similar to the following:
Domain | DNS record type | Text |
---|---|---|
exchangedelegation.contoso.com | TXT | 7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg== |
contoso.com | TXT | Eh/po5qT098GMPklJU2DShrYO9mPseTn5i9wWKOKebmceLPuLCpaejYj83W53H/YcuzPy2VSo621BHO4DNS7jg== |
Refer to your DNS host's Help for information about how to add a TXT record to your DNS zone.
How do I configure the domains for federation?
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in Exchange and Shell Infrastructure Permissions.
You can use the Manage Federation wizard in the EMC on the hybrid server to configure federation for the accepted domains:
- In the console tree, navigate to Organization
Configuration for the on-premises Exchange forest and then
select the Microsoft Federation Gateway federation trust.
- In the action pane, click Manage Federation.
- On the Manage Federation Certificate page, information
is displayed for the certificates used for the federation trust.
This includes information for the current certificate, the next
certificate, and the previous certificate. Select the current
certificate and make sure the Contacting the Microsoft
Federation Gateway to get its certificate and federation
metadata check box is selected. Click Next to
continue.
Note: It’s normal for the certificate Distribution Status to be displayed as “Unknown” in the Manage Federation Certificate list. To update the distribution status, click Show distribution state.
- On the Manage Federated Domains page, click Add
to add the federated delegation domain as a federated domain first.
By selecting the federated delegation domain first, it’s
automatically designated as the account namespace for the
federation trust. The Select Accepted Domain dialog box
displays all accepted domains in the Exchange 2010 organization.
For example, select the exchangedelegation.contoso.com domain to
set this domain as the Account Namespace.
- On the Manage Federated Domains page, click Add
to also add the primary SMTP domain as a federated domain. For
example, select the contoso.com domain.
- Verify that the federated delegation domain is displayed with
bold formatting. This bold formatting indicates that it’s
designated as the account namespace for the federation trust. If it
isn’t designated as the account namespace, select the federated
delegation domain and click Set as Account Namespace to
designate it as the account namespace.
Note: It’s normal for the domain State to be displayed as “Unknown” in the Manage Federated Domains list.
- In the E-mail address of organization contact box, enter
the e-mail address of the designated organization contact for
federation. This e-mail address is used only as a contact address
and doesn't have any federated delegation configuration
properties.
- Select the Enable Federation check box to enable
federation. You can also use this check box to disable federation
for the Exchange organization if needed. Click Next to
continue.
- On the Manage Federation page, review the
Configuration Summary, and then click Manage to
execute the changes.
- On the Completion page, click Finish to close the
wizard.
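The three procedures above (create the trust, generate the domain proofs, configure the federated domains) can also be done from the Exchange Management Shell. The following is an added example, not part of the original topic, showing the Shell equivalent of the New Federation Trust and Manage Federation wizards. It assumes it runs in the Exchange Management Shell on the Exchange 2010 SP1 hybrid server and uses the topic's example domains; the certificate friendly name and the organization contact address are constructed values. Note that the Microsoft Federation Gateway checks the TXT proof record before it accepts a domain, so the DNS records from the previous section must already resolve when step 3 runs.

```powershell
# Added example (not from the original topic): Exchange Management Shell
# equivalent of the New Federation Trust and Manage Federation wizards.
# Assumes the Exchange Management Shell on the Exchange 2010 SP1 hybrid server.

$TrustName        = 'Microsoft Federation Gateway'
$AccountNamespace = 'exchangedelegation.contoso.com'   # federated delegation subdomain (topic example)
$PrimaryDomain    = 'contoso.com'                      # primary SMTP domain (topic example)
$OrgContact       = 'hybridadmin@contoso.com'          # constructed contact address

# 1. Create the self-signed federation certificate that the wizard creates for
#    you, then create the trust with it. Skipped if a trust already exists.
if (-not (Get-FederationTrust -ErrorAction SilentlyContinue)) {
    $ski  = [System.Guid]::NewGuid().ToString('N')
    $cert = New-ExchangeCertificate -FriendlyName 'Exchange Delegation Federation' `
                -DomainName $PrimaryDomain -Services Federation -KeySize 2048 `
                -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
    New-FederationTrust -Name $TrustName -Thumbprint $cert.Thumbprint | Out-Null
}

# 2. Generate the domain proofs. Each Proof value must be published as a TXT
#    record in the matching DNS zone before the domain can be federated; the
#    proof is tied to the federation certificate, so regenerate it after a
#    certificate rollover.
$proofs = foreach ($d in $AccountNamespace, $PrimaryDomain) {
    Get-FederatedDomainProof -DomainName $d
}
$proofs | Select-Object DomainName, Proof | Format-List

# 3. Designate the account namespace and organization contact and enable
#    federation (the Manage Federated Domains / Enable Federation wizard pages).
#    The gateway verifies the TXT record for $AccountNamespace at this point.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $TrustName `
    -AccountNamespace $AccountNamespace -OrganizationContact $OrgContact -Enabled $true

# 4. Add the primary SMTP domain as an additional federated domain
#    (its TXT record is verified as well).
Add-FederatedDomain -DomainName $PrimaryDomain

# 5. Show the resulting configuration.
Get-FederatedOrganizationIdentifier |
    Format-List AccountNamespace, Domains, Enabled, OrganizationContact
```

If step 3 fails with a domain ownership error, the usual cause is that the TXT record has not propagated yet or contains a proof generated for a different certificate; re-run step 2 and compare the value against what DNS returns.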
How do I know this worked?
The successful completion of the federated delegation process for your on-premises organization depends on several separate configuration settings. So, you should verify that each component area has been correctly configured.
- Federation Trust: The successful
completion of the New Federation Trust wizard will be your first
indication that the federation trust creation process worked as
expected. To verify that the federation trust has been created
successfully, open the EMC and select the Organization
Configuration node. Click the Federation Trust tab to
display the properties of the federation trust with the Microsoft
Federation Gateway.
To further verify that the federation trust was created successfully, you can run the Get-FederationTrust and the Get-FederationInformation cmdlets in the Exchange Management Shell. These cmdlets output the properties of the federation trust that have been configured for your on-premises organization.
You should also create a test user account using the New-TestCasConnectivityUser.ps1 script located in %ExchangeInstallPath%\Scripts and then run the Test-FederationTrust cmdlet in the EMC to verify that delegation tokens can be properly received from the Microsoft Federation Gateway.
- TXT Records: You can verify the TXT
records are correctly configured by viewing the record properties
in your DNS management tools or by using the Nslookup command-line
tool.
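The checks in this section can be scripted so that the DNS proof comparison is done by the machine rather than by eye. The following is an added example, not part of the original topic, that runs the verification cmdlets named above and compares the proof Exchange currently expects for each federated domain with the TXT records actually published in DNS. It assumes the Exchange Management Shell on the hybrid server and the Resolve-DnsName cmdlet from the DnsClient module (Windows Server 2012 or later; on older hosts run nslookup -type=TXT against each domain and compare by hand, as the topic suggests). The test mailbox address is a constructed value; create the account first with New-TestCasConnectivityUser.ps1 as described above.

```powershell
# Added example (not from the original topic): scripted verification of the
# federation trust, the domain proof TXT records, and token retrieval.
# Assumes the Exchange Management Shell plus Resolve-DnsName (DnsClient module).

$AccountNamespace = 'exchangedelegation.contoso.com'   # topic example
$PrimaryDomain    = 'contoso.com'                      # topic example
$TestUser         = 'extest_7f3a2b1c9d8e@contoso.com'  # constructed; see lead-in

function Test-FederatedDomainProofRecord {
    # Returns an object whose ProofPublished is $true when a proof string that
    # Exchange currently expects for the domain is present as a TXT record.
    param([string]$DomainName)

    # Get-FederatedDomainProof returns one proof per federation certificate
    # (current and, during a rollover, next), so any of them is acceptable.
    $expected = @(Get-FederatedDomainProof -DomainName $DomainName |
                  ForEach-Object { $_.Proof })

    $published = @()
    try {
        # Only TXT answers carry Strings; CNAME hops in the answer set do not.
        $published = @(Resolve-DnsName -Name $DomainName -Type TXT -ErrorAction Stop |
                       Where-Object { $_.Strings } |
                       ForEach-Object { $_.Strings -join '' })
    } catch {
        Write-Warning "TXT lookup for $DomainName failed: $($_.Exception.Message)"
    }

    $match = $expected | Where-Object { $published -contains $_ }
    [pscustomobject]@{
        DomainName     = $DomainName
        ProofPublished = [bool]$match
        ExpectedProofs = $expected.Count
        TxtRecords     = $published.Count
    }
}

# 1. The federation trust exists and carries the gateway's identifiers.
Get-FederationTrust | Format-List Name, ApplicationIdentifier, TokenIssuerUri

# 2. Federation information is discoverable for the primary SMTP domain.
Get-FederationInformation -DomainName $PrimaryDomain | Format-List

# 3. The DNS proof for every federated domain matches what Exchange expects.
$AccountNamespace, $PrimaryDomain |
    ForEach-Object { Test-FederatedDomainProofRecord -DomainName $_ } |
    Format-Table -AutoSize

# 4. Delegation tokens can be obtained from the gateway for the test user.
Test-FederationTrust -UserIdentity $TestUser -Verbose
```

A ProofPublished value of False with ExpectedProofs greater than zero and TxtRecords equal to zero means the record has not been created or has not propagated; False with both counts non-zero means the published string was generated for a different certificate or was pasted incorrectly, which is the case to rule out first when the Manage Federation wizard reports a domain ownership failure.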