Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

Use the Manage Federation wizard to manage certificates used for a federation trust, refresh the Microsoft Federation Gateway certificate and metadata, add or change the organization contact for federation, and disable or enable federation for the Exchange organization. In addition to the wizard in the EMC, you can also use the Shell to manage a federation trust.

Looking for other management tasks related to federation? Check out Managing Federation.

Prerequisites

Before you use the Manage Federation wizard or the corresponding cmdlets to modify a federation trust, a federated organization identifier, or federated domains, we recommend you understand how federation works and the impact of modifying federation configuration. For more information, see Understanding Federation.

What Do You Want to Do?

Use the EMC to manage federation

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

Note:
The Manage Federation wizard is a comprehensive way of managing the federation trust and its associated federated organization identifier. The wizard includes multiple tasks.
  1. In the console tree, navigate to Organization Configuration.

  2. In the result pane, click the Federation Trust tab, and then select the federation trust you want to manage. By default, the trust is named Microsoft Federation Gateway.

  3. In the action pane, click Manage Federation.

  4. On the Manage Federation Certificate page, information is displayed for the certificates used for the federation trust. This includes information for the current certificate, the next certificate, and the previous certificate. The current certificate is the active certificate used for the federation trust. The next certificate is a replacement certificate that will be used if the current certificate expires or needs to be replaced. The previous certificate is the certificate that was used for the federation trust immediately before the current certificate. You can take the following actions:

    • Properties   Select the current, next, or previous certificate from the Property Name column, and then click Properties to view the certificate's properties.

    • Edit   Select the Next Certificate from the Property Name column, and then click Edit to select another certificate as the next certificate.

    • Show distribution state   Click this button to display the distribution state of the certificate in your Exchange organization.

    • Contact the Microsoft Federation Gateway to get its certificate and federation metadata   This check box is selected by default. When you use this option, Exchange retrieves the certificate and federation metadata from the Microsoft Federation Gateway. Clear this check box if you don't want to perform this refresh.

    • Roll certificate to mark the next certificate as the current certificate   Select this check box to configure the federation trust to use the next certificate as the current certificate.

      Important:
      Before you configure the federation trust to use the next certificate, you must make sure the certificate is installed on all Microsoft Exchange Server 2010 servers. To check the certificate status, click Show distribution state. The distribution state of the certificate is displayed in the Distribution State column. Expand the column width to display all text in the column.
  5. On the Manage Federated Domains page, you can take the following actions:

    • Add   Click this button to add a domain as a federated domain. The Select Accepted Domain dialog box displays all accepted domains in the Exchange 2010 organization.

      Note:
      To add an accepted domain to this list, use the New-AcceptedDomain cmdlet.
    • Remove icon   Select a domain from the Domain column, and then click this button to remove the domain.

    • E-mail address of organization contact   Use this box to enter the e-mail address of the designated organization contact for federation.

    • Enable Federation   Select this check box to enable federation. Clear this check box to disable federation for the Exchange organization.

    Note:
    Configuring domains is one of several steps in setting up federated delegation in your Exchange 2010 organization. To review all the steps, see Configure Federated Delegation.
  6. On the Manage Federation page, review the Configuration Summary, and then click Manage to execute the changes.

  7. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to manage federation

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

View federation certificates

This example displays the previous, current, and next certificates used by the federation trust MyFederationTrust.

Get-FederationTrust -Identity MyFederationTrust | Select Org*certificate

For detailed syntax and parameter information, see Get-FederationTrust.

Check federation certificate status

This example displays the state of federation certificates on all Hub Transport and Client Access servers in the organization.

Test-FederationTrustCertificate

For detailed syntax and parameter information, see Test-FederationTrustCertificate.

Configure the federation trust to use a certificate as the next certificate

This example configures the federation trust MyFederationTrust to use the certificate with the provided thumbprint as the next certificate. After the certificate is deployed to all Exchange servers in the organization, you can use the PublishFederationCertificate switch to configure the trust to use this certificate as the current certificate.

Set-FederationTrust -Identity MyFederationTrust -Thumbprint AC00F35CBA8359953F4126E0984B5CCAFA2F4F17

For detailed syntax and parameter information, see Set-FederationTrust.

Configure the federation trust to use the next certificate as the current certificate

This example configures the federation trust MyFederationTrust to use the next certificate as the current certificate and publishes it to the Microsoft Federation Gateway.

Set-FederationTrust "MyFederationTrust" -PublishFederationCertificate

Caution:
Before configuring the federation trust to use the next certificate as the current federation certificate, make sure that the certificate is deployed on all Exchange servers in your organization. Use the Test-FederationTrustCertificate cmdlet or the Manage Federation wizard to check the deployment status of the certificate.

For detailed syntax and parameter information, see Set-FederationTrust.

Refresh federation metadata and certificate from the Microsoft Federation Gateway

This example refreshes the federation metadata and certificate of the Microsoft Federation Gateway for the federation trust MyFederationTrust.

Set-FederationTrust MyFederationTrust -RefreshMetadata

For detailed syntax and parameter information, see Set-FederationTrust.
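The certificate rollover that the wizard steps above and the three Shell examples (stage the next certificate, publish it, refresh the gateway metadata) perform, combined into one guarded script. This is an added example, not code from the original topic; it assumes a trust named MyFederationTrust, that Test-FederationTrustCertificate output exposes Server, State and Thumbprint properties, and that Get-FederationTrust returns OrgCertificate, OrgNextCertificate and OrgPrevCertificate as X509 certificate objects (confirm the property names in your own environment with Get-Member before relying on them).

```powershell
# Guarded federation certificate rollover (added example, not from the original page).
# Assumptions: trust name MyFederationTrust; Test-FederationTrustCertificate output has
# Server, State and Thumbprint properties; Get-FederationTrust exposes OrgCertificate,
# OrgNextCertificate and OrgPrevCertificate. Verify these with Get-Member first.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # SHA-1 thumbprint: 40 hex characters
    [string]$NewThumbprint,
    [string]$TrustName = 'MyFederationTrust'
)

# Step 1: stage the certificate as the next certificate; the current one stays active.
Set-FederationTrust -Identity $TrustName -Thumbprint $NewThumbprint

# Step 2: refuse to promote the certificate until every Hub Transport and Client Access
# server reports it as installed. A server that lacks it cannot sign or validate
# federated requests after the rollover, which shows up as failed delegation calls.
$status  = Test-FederationTrustCertificate
$missing = $status | Where-Object {
    $_.Thumbprint -eq $NewThumbprint -and $_.State -ne 'Installed'
}
if ($missing) {
    $missing | Format-Table Server, State -AutoSize
    throw "Certificate $NewThumbprint is not installed on all servers; rollover aborted."
}

# Step 3: mark the next certificate as current and publish it to the Microsoft Federation Gateway.
Set-FederationTrust -Identity $TrustName -PublishFederationCertificate

# Step 4: retrieve the gateway's certificate and federation metadata so both sides agree.
Set-FederationTrust -Identity $TrustName -RefreshMetadata

# Step 5: verify the rotation took effect. OrgCertificate must now carry the new
# thumbprint; the previously active certificate should appear as OrgPrevCertificate.
$trust = Get-FederationTrust -Identity $TrustName
if ($trust.OrgCertificate.Thumbprint -ne $NewThumbprint) {
    throw "Rollover did not take effect: current certificate is $($trust.OrgCertificate.Thumbprint)"
}
$trust | Select-Object OrgPrevCertificate, OrgCertificate, OrgNextCertificate
```

Run the script from the Shell as a user holding the "Federation trusts" permissions named above; the throw on the distribution check is deliberate so a scheduled run stops before publishing a certificate that is not fully deployed.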

View federated organization identifier and federated domains

This example displays the Exchange organization's federated organization identifier and related information, including federated domains and status.

Get-FederatedOrganizationIdentifier

For detailed syntax and parameter information, see Get-FederatedOrganizationIdentifier.

Add a domain as a federated domain

This example adds the domain contoso.co.uk as a federated domain. The domain must exist as an accepted domain in the Exchange organization.

Add-FederatedDomain contoso.co.uk

For detailed syntax and parameter information, see Add-FederatedDomain.

Remove a federated domain

This example removes the domain contoso.co.uk as a federated domain.

Remove-FederatedDomain contoso.co.uk

For detailed syntax and parameter information, see Remove-FederatedDomain.

Enable federation for the Exchange organization

This example enables federation for the Exchange organization.

Set-FederatedOrganizationIdentifier -Enabled $true

For detailed syntax and parameter information, see Set-FederatedOrganizationIdentifier.

Disable federation for the Exchange organization

This example disables federation for the Exchange organization.

Set-FederatedOrganizationIdentifier -Enabled $false

For detailed syntax and parameter information, see Set-FederatedOrganizationIdentifier.