Create a Federation Trust

Applies to: Exchange Server 2010

Use the New Federation Trust wizard to create a new federation trust. A federation trust establishes a trust relationship between an Exchange organization and the Microsoft Federation Gateway. The trust is a prerequisite for enabling calendar free/busy sharing or federated delivery between two Exchange organizations, or allowing users to share their calendar and contacts with external recipients.

Prerequisites

  • The domain used for establishing a federation trust should be resolvable from the Internet.
    This requires that the domain be registered with a domain registrar, and the DNS zone for the domain be hosted on a DNS server accessible from the Internet. If the organization receives Internet e-mail for the domain, these requirements are already met.
  • A valid X.509 certificate that meets the requirements for federation trusts.
    The certificate must be issued by a Certification Authority (CA) trusted by the Microsoft Federation Gateway. This certificate will be deployed automatically to all Client Access and Hub Transport servers accessible by the federation trust task.

What Do You Want to Do?

  • Use the EMC to create a federation trust
  • Use the Shell to create a federation trust

Use the EMC to create a federation trust

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

  1. In the console tree, click Organization Configuration. In the action pane, click New Federation Trust.
  2. On the New Federation Trust page, complete the following field:
    • Certificate thumbprint   Click Browse. In the Select Federation Certificate dialog box, select the certificate you want to use for the trust. Click New to create the trust.
  3. On the Completion page, review the following, and then click Finish to close the wizard:
    • A status of Completed indicates that the wizard completed the task successfully.
    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to create a federation trust

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

  1. Run the following command to get a list of certificates and their thumbprints:

    Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $false} | fl
    

    Note

    To cut and paste text in a Shell window, you must select QuickEdit Mode from the Shell Properties page.

    Where is an alias for the Where-Object cmdlet. It can also be replaced by the alias ? (question mark). To get a list of all aliases available to your Shell session, use the Get-Alias cmdlet.
    If there is only one non-self-signed certificate on the server, you can simplify this task by combining commands from both steps. Results from the Get-ExchangeCertificate cmdlet can be pipelined to the New-FederationTrust cmdlet, as shown in the following example:

    Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $false} | New-FederationTrust -Name "My Federation Trust"
    
  2. Run the following command to create the federation trust named My Federation Trust:

    New-FederationTrust -Name "My Federation Trust" -thumbprint 6C8AABD537D53A78CB84E7EEBC8D759C96283ED3
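
A guarded form of the one-line shortcut from step 1, as an added example that is not part of the original topic: it creates the trust only when exactly one certificate matches, and otherwise lists the candidates so a thumbprint can be chosen for step 2. The private-key and validity-period checks are assumptions made for this example, not the full list of federation certificate requirements, and the variable names are chosen here.

```powershell
# Added example, not from the original topic. Run in the Exchange Management Shell.
$trustName = "My Federation Trust"   # trust name used on this page
$now = Get-Date

# Same filter as step 1, plus two checks assumed for this example:
# a private key is present and today falls inside the validity period.
$candidates = @(Get-ExchangeCertificate | Where-Object {
    $_.IsSelfSigned -eq $false -and
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter -gt $now
})

switch ($candidates.Count) {
    0 {
        # Nothing usable: do not fall back to a self-signed or expired certificate.
        Write-Warning "No usable non-self-signed certificate found; no trust created."
    }
    1 {
        # Unambiguous: this is the case in which the piped shortcut is safe.
        $cert = $candidates[0]
        "Using {0} ({1}), expires {2:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
        New-FederationTrust -Name $trustName -Thumbprint $cert.Thumbprint
        # Show the resulting trust so the bound certificate can be reviewed.
        Get-FederationTrust -Identity $trustName | Format-List
    }
    default {
        # Several matches: piping them all to New-FederationTrust would be ambiguous.
        Write-Warning "More than one certificate matches; pick one and pass it to -Thumbprint."
        $candidates | Sort-Object NotAfter |
            Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize
    }
}
```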
    

Other Tasks

After you create a federation trust, you may also want to:

For More Information

Understanding Federation