Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
Use the Manage Federation wizard to manage certificates used for a federation trust, refresh the Microsoft Federation Gateway certificate and metadata, add or change the organization contact for federation, and disable or enable federation for the Exchange organization. In addition to the wizard in the EMC, you can also use the Shell to manage a federation trust.
Looking for other management tasks related to federation? Check out Managing Federation.
Prerequisites
Before you use the Manage Federation wizard or the corresponding cmdlets to modify a federation trust, a federated organization identifier, or federated domains, we recommend you understand how federation works and the impact of modifying federation configuration. For more information, see Understanding Federation.
What Do You Want to Do?
Use the EMC to manage federation
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.
Note: The Manage Federation wizard is a comprehensive way of managing the federation trust and its associated federated organization identifier. The wizard includes multiple tasks.
- In the console tree, navigate to Organization Configuration.
- In the result pane, click the Federation Trust tab, and then select the federation trust you want to manage. By default, the trust is named Microsoft Federation Gateway.
- In the action pane, click Manage Federation.
- On the Manage Federation Certificate page, information is displayed for the certificates used for the federation trust. This includes information for the current certificate, the next certificate, and the previous certificate. The current certificate is the active certificate used for the federation trust. The next certificate is a replacement certificate that will be used if the current certificate expires or needs to be replaced. The previous certificate is the certificate that was used for the federation trust immediately before the current certificate. You can take the following actions:
  - Properties: Select the current, next, or previous certificate from the Property Name column, and then click Properties to view the certificate's properties.
  - Edit: Select the Next Certificate from the Property Name column, and then click Edit to select another certificate as the next certificate.
  - Show distribution state: Click this button to display the distribution state of the certificate in your Exchange organization.
  - Contact the Microsoft Federation Gateway to get its certificate and federation metadata: This check box is selected by default. When you use this option, Exchange retrieves the certificate and federation metadata from the Microsoft Federation Gateway. Clear this check box if you don't want to perform this refresh.
  - Roll certificate to mark the next certificate as the current certificate: Select this check box to configure the federation trust to use the next certificate as the current certificate.
  Important: Before you configure the federation trust to use the next certificate, you must make sure the certificate is installed on all Microsoft Exchange Server 2010 servers. To check the certificate status, click Show distribution state. The distribution state of the certificate is displayed in the Distribution State column. Expand the column width to display all text in the column.
- On the Manage Federated Domains page, you can take the following actions:
  - Add: Click this button to add a domain as a federated domain. The Select Accepted Domain dialog box displays all accepted domains in the Exchange 2010 organization.
    Note: To add an accepted domain to this list, use the New-AcceptedDomain cmdlet.
  - Remove: Select a domain from the Domain column, and then click this button to remove the domain.
  - E-mail address of organization contact: Use this box to enter the e-mail address of the designated organization contact for federation.
  - Enable Federation: Select this check box to enable federation. Clear this check box to disable federation for the Exchange organization.
  Note: Configuring domains is one of several steps in setting up federated delegation in your Exchange 2010 organization. To review all the steps, see Configure Federated Delegation.
- On the Manage Federation page, review the Configuration Summary, and then click Manage to execute the changes.
- On the Completion page, review the following, and then click Finish to close the wizard:
  - A status of Completed indicates that the wizard completed the task successfully.
  - A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
Use the Shell to manage federation
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.
View federation certificates
This example displays the previous, current, and next certificates used by the federation trust MyFederationTrust.
```powershell
Get-FederationTrust -Identity MyFederationTrust | Select Org*certificate
```
For detailed syntax and parameter information, see Get-FederationTrust.
Check federation certificate status
This example displays the state of federation certificates on all Hub Transport and Client Access servers in the organization.
```powershell
Test-FederationTrustCertificate
```
For detailed syntax and parameter information, see Test-FederationTrustCertificate.
Configure the federation trust to use a certificate as the next certificate
This example configures the federation trust MyFederationTrust to use the certificate with the provided thumbprint as the next certificate. After the certificate is deployed to all Exchange servers in the organization, you can use the PublishFederationCertificate switch to configure the trust to use this certificate as the current certificate.
```powershell
Set-FederationTrust -Identity MyFederationTrust -Thumbprint AC00F35CBA8359953F4126E0984B5CCAFA2F4F17
```
For detailed syntax and parameter information, see Set-FederationTrust.
Configure the federation trust to use the next certificate as the current certificate
This example configures the federation trust MyFederationTrust to use the next certificate as the current certificate and publishes it to the Microsoft Federation Gateway.
```powershell
Set-FederationTrust "MyFederationTrust" -PublishFederationCertificate
```
Caution: Before configuring the federation trust to use the next certificate as the current federation certificate, make sure that the certificate is deployed on all Exchange servers in your organization. Use the Test-FederationTrustCertificate cmdlet or the Manage Federation wizard to check the deployment status of the certificate.
For detailed syntax and parameter information, see Set-FederationTrust.
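The following script ties together the certificate view above and the guarded roll-over this section describes: it reads the current and next certificate from the trust, warns when the current one is close to expiry, confirms through Test-FederationTrustCertificate that every Hub Transport and Client Access server reports the next certificate as installed, and only then (and only when explicitly asked) publishes it as the current certificate. This is an added example, not a script from the original page or from Microsoft. It assumes the trust is named MyFederationTrust, that OrgCertificate and OrgNextCertificate on the trust object expose Thumbprint and NotAfter like an X509Certificate2, and that Test-FederationTrustCertificate returns one object per server with Server, State and Thumbprint properties where State reads 'Installed' once the certificate is present; these property and value names are assumptions to verify in your environment.

```powershell
# Added example (not from the original page): promote the next federation
# certificate only after it is distributed to every server.
# Assumptions (labelled): trust name, X509Certificate2-like OrgCertificate /
# OrgNextCertificate properties, and Test-FederationTrustCertificate output
# objects with Server, State ('Installed') and Thumbprint properties.
param(
    [string]$TrustName = 'MyFederationTrust',
    [switch]$Roll   # without this switch the script only reports status
)

$trust = Get-FederationTrust -Identity $TrustName
if (-not $trust.OrgNextCertificate) {
    throw "No next certificate is configured on '$TrustName'; set one with Set-FederationTrust -Thumbprint first."
}
$nextThumb = $trust.OrgNextCertificate.Thumbprint

# Expiry check: an expired current certificate means tokens it signs are no
# longer accepted by the Microsoft Federation Gateway, so warn 30 days ahead.
$cur = $trust.OrgCertificate
if ($cur -and $cur.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Current certificate {0} expires on {1:d}" -f $cur.Thumbprint, $cur.NotAfter)
}

# Distribution check: keep only the rows for the next certificate and find any
# server that does not yet report it as installed.
$status  = @(Test-FederationTrustCertificate | Where-Object { $_.Thumbprint -eq $nextThumb })
$missing = @($status | Where-Object { $_.State -ne 'Installed' })
$status | Format-Table Server, State, Thumbprint -AutoSize

if ($status.Count -eq 0) {
    Write-Warning "No server reported certificate $nextThumb; check the distribution state before rolling."
    return
}
if ($missing.Count -gt 0) {
    $servers = ($missing | ForEach-Object { $_.Server }) -join ', '
    Write-Warning "Next certificate $nextThumb is not installed on: $servers. Not rolling."
    return
}

if ($Roll) {
    # Same call as the page's own example; it marks the next certificate as
    # current and publishes it to the Microsoft Federation Gateway.
    Set-FederationTrust -Identity $TrustName -PublishFederationCertificate
    Write-Host "Published $nextThumb as the current federation certificate for $TrustName."
} else {
    Write-Host "All servers report $nextThumb installed; rerun with -Roll to publish it."
}
```

Run it first without -Roll to see the per-server table; the publish step is deliberately behind a switch so that a status check cannot accidentally change the trust.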
Refresh federation metadata and certificate from the Microsoft Federation Gateway
This example refreshes the federation metadata and certificate of the Microsoft Federation Gateway for the federation trust MyFederationTrust.
```powershell
Set-FederationTrust MyFederationTrust -RefreshMetadata
```
For detailed syntax and parameter information, see Set-FederationTrust.
View federated organization identifier and federated domains
This example displays the Exchange organization's federated organization identifier and related information, including federated domains and status.
```powershell
Get-FederatedOrganizationIdentifier
```
For detailed syntax and parameter information, see Get-FederatedOrganizationIdentifier.
Add a domain as a federated domain
This example adds the domain contoso.co.uk as a federated domain. The domain must exist as an accepted domain in the Exchange organization.
```powershell
Add-FederatedDomain contoso.co.uk
```
For detailed syntax and parameter information, see Add-FederatedDomain.
Remove a federated domain
This example removes the domain contoso.co.uk as a federated domain.
```powershell
Remove-FederatedDomain contoso.co.uk
```
For detailed syntax and parameter information, see Remove-FederatedDomain.
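The three cmdlets above (view the federated organization identifier, add a federated domain, remove one) are easier to operate safely as a reconciliation: compare a desired list of federated domains against what is currently federated and what exists as an accepted domain, add only what is both desired and accepted, and flag federated domains that no longer correspond to an accepted domain. The script below is an added example, not from the original page or from Microsoft. The desired list is constructed sample input; the script assumes that Get-FederatedOrganizationIdentifier exposes the federated domains in a Domains property whose elements carry a DomainName, and that Get-AcceptedDomain returns objects with a DomainName property; both are assumptions to verify against your output.

```powershell
# Added example (not from the original page): reconcile federated domains
# against a desired list, without touching domains that are not accepted.
# Assumptions (labelled): $desired is constructed sample data; the Domains
# property of the federated organization identifier and the DomainName
# property on accepted domains are as described in the lead-in.
$desired = @('contoso.com', 'contoso.co.uk')   # constructed sample input

$orgId = Get-FederatedOrganizationIdentifier
if (-not $orgId.Enabled) {
    Write-Warning "Federation is disabled for this organization; use Set-FederatedOrganizationIdentifier -Enabled `$true to enable it."
}

# Normalise both sets to lower-case strings so comparisons are case-insensitive.
$federated = @($orgId.Domains | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() })
$accepted  = @(Get-AcceptedDomain    | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() })

foreach ($d in $desired) {
    $d = $d.ToLowerInvariant()
    if ($federated -contains $d) {
        Write-Host "$d : already federated"
    } elseif ($accepted -notcontains $d) {
        # Add-FederatedDomain requires an accepted domain, so report instead of failing.
        Write-Warning "$d : not an accepted domain; create it with New-AcceptedDomain before federating it"
    } else {
        # -WhatIf previews the change; remove it to apply.
        Add-FederatedDomain -DomainName $d -WhatIf
    }
}

# A federated domain with no matching accepted domain is stale configuration
# worth reviewing; removal is left to the operator (Remove-FederatedDomain).
foreach ($f in $federated) {
    if ($accepted -notcontains $f) {
        Write-Warning "$f is federated but is not an accepted domain"
    }
}
```

Keeping -WhatIf on the Add-FederatedDomain call makes the script a read-only audit by default; drop the switch once the preview matches what you intend.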
Enable federation for the Exchange organization
This example enables federation for the Exchange organization.
```powershell
Set-FederatedOrganizationIdentifier -Enabled $true
```
For detailed syntax and parameter information, see Set-FederatedOrganizationIdentifier.
Disable federation for the Exchange organization
This example disables federation for the Exchange organization.
```powershell
Set-FederatedOrganizationIdentifier -Enabled $false
```
For detailed syntax and parameter information, see Set-FederatedOrganizationIdentifier.