Create a Federation Trust


Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

A federation trust establishes a trust relationship between a Microsoft Exchange Server 2010 organization and the Microsoft Federation Gateway.

Note

Creating a federation trust is one of several steps in setting up federated delegation in your Exchange organization. To review all the steps, see Configure Federated Delegation.

Looking for other management tasks related to federation? Check out Managing Federation.

Prerequisites

  • The domain used for establishing a federation trust must be resolvable from the Internet. This requires that the domain be registered with a domain registrar and that the Domain Name System (DNS) zone for the domain be hosted on a DNS server accessible from the Internet. If the organization already receives Internet e-mail for the domain, these requirements are already met.

  • Both Exchange organizations in a federated delegation relationship must use the same Microsoft Federation Gateway instance for their federation trusts. This requirement applies when configuring federated delegation between two on-premises Exchange organizations or between an on-premises Exchange organization and an Exchange organization hosted by Microsoft Online Services or Microsoft Live@edu.

    When you create a federation trust with the Microsoft Federation Gateway for your Exchange organization, the federation trust will use either the business or consumer instance of the Microsoft Federation Gateway.

    The following Exchange organizations use the business instance of the Microsoft Federation Gateway by default:

    • Exchange 2010 Service Pack 2 (SP2) organizations using self-signed certificates for a federation trust

    • Exchange organizations hosted by Microsoft Online Services, such as the Exchange Online service offered in the Microsoft Business Productivity Online Standard Suite

    The following Exchange organizations use the consumer instance of the Microsoft Federation Gateway by default:

    • Release to manufacturing (RTM) version of Exchange 2010 organizations using certificates issued by third-party certification authorities

    • Exchange organizations hosted by Microsoft Live@edu

    We recommend that all Exchange organizations use the business instance of the Microsoft Federation Gateway for federation trusts. Before configuring federated delegation between the two organizations, you need to verify which Microsoft Federation Gateway instance each Exchange organization is using for any existing federation trusts. To determine which Microsoft Federation Gateway instance an Exchange organization is using for an existing federation trust, run the following Shell command.

    Get-FederationInformation -DomainName <the hosted Exchange domain namespace>
    

    The business instance returns uri:federation:MicrosoftOnline in the TokenIssuerURIs property of the output.

    The consumer instance returns uri:WindowsLiveID in the TokenIssuerURIs property of the output.

    To configure federated delegation with an Exchange organization that has an existing federation trust that's using the business instance of the Microsoft Federation Gateway, follow the steps in Use the EMC to create a federation trust or Use the Shell to create a federation trust in this topic. These steps are all you need to perform to create federation trusts that can be used to enable federated delegation between two Exchange 2010 SP2 organizations.

    To configure federated delegation between your Exchange 2010 SP2 organization and an Exchange organization that has an existing federation trust that's using the consumer instance of the Microsoft Federation Gateway, select from the following methods:

    • Recommended method   The Exchange organization using the consumer instance of the Microsoft Federation Gateway should install Exchange 2010 SP2. After installing SP2, the existing federated domains and federation trusts should be removed and re-created using the EMC. When the federation trusts are re-created, the business instance of the Microsoft Federation Gateway will be used. You should also test all existing organization relationships to verify that they're functioning properly. For details about how to remove federation trusts, see Remove a Federation Trust.

    • Alternative method   To create a federation trust using the consumer instance of the Microsoft Federation Gateway, the Exchange 2010 SP2 organization can use the procedure Use the Shell to create a federation trust that uses the consumer instance of the Microsoft Federation Gateway. This method should be used only when you need to enable federated delegation with another Exchange organization that can't install Exchange 2010 SP2.
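The following script is an added example, not part of the original topic, that automates the instance check described above for several partner domains at once and compares each partner's answer with the instance the local trust uses. It assumes the Exchange Management Shell is loaded. The TokenIssuerURIs property on the Get-FederationInformation output is documented above; reading the local trust's issuer from a TokenIssuerUri property on the Get-FederationTrust output is an assumption, and the partner domain names are constructed sample values.

```powershell
# Added example: classify the Microsoft Federation Gateway instance used by partner
# domains and flag any that differ from the instance used by the local trust.
# Assumes the Exchange Management Shell is loaded.
# Assumption: Get-FederationTrust output exposes the issuer as TokenIssuerUri.

function Get-MfgInstance {
    # Map the token issuer URI reported by the gateway to the instance name.
    param([string]$TokenIssuerUri)
    switch ($TokenIssuerUri) {
        'uri:federation:MicrosoftOnline' { return 'Business' }
        'uri:WindowsLiveID'              { return 'Consumer' }
        default                          { return "Unknown ($TokenIssuerUri)" }
    }
}

# Partner organizations you intend to federate with (constructed sample values).
$partnerDomains = 'contoso.com', 'fabrikam.com'

# Instance used by the local federation trust. Fail early if there is none yet.
$localTrust = Get-FederationTrust | Select-Object -First 1
if (-not $localTrust) {
    throw 'This organization has no federation trust yet; create one before comparing instances.'
}
$localInstance = Get-MfgInstance -TokenIssuerUri $localTrust.TokenIssuerUri
Write-Host "Local trust '$($localTrust.Name)' uses the $localInstance instance."

foreach ($domain in $partnerDomains) {
    try {
        # Queries the partner's Autodiscover/federation metadata; requires Internet DNS.
        $info = Get-FederationInformation -DomainName $domain -ErrorAction Stop
    } catch {
        Write-Warning "$domain : federation information not available ($($_.Exception.Message))"
        continue
    }
    # TokenIssuerURIs is a collection; a partner normally lists exactly one issuer.
    $remoteInstances = @($info.TokenIssuerUris | ForEach-Object { Get-MfgInstance -TokenIssuerUri $_ })
    $status = if ($remoteInstances -contains $localInstance) { 'OK' } else { 'MISMATCH' }
    '{0,-25} {1,-12} {2}' -f $domain, ($remoteInstances -join ','), $status
}
```

A MISMATCH row means an organization relationship between the two organizations will not work until one side re-creates its trust against the other instance, as described in the recommended and alternative methods above.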

What Do You Want to Do?

  • Use the EMC to create a federation trust

  • Use the Shell to create a federation trust

  • Use the Shell to create a federation trust that uses the consumer instance of the Microsoft Federation Gateway

Use the EMC to create a federation trust

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

  1. In the console tree, click Organization Configuration.

  2. In the action pane, click New Federation Trust.

  3. On the New Federation Trust page, click New. This automatically creates a self-signed certificate for the federation trust with the Microsoft Federation Gateway and deploys the self-signed certificate to the Exchange servers in your organization. The default name of the new federation trust is Microsoft Federation Gateway.

  4. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Note

The new federation trust appears on the Federation Trust tab.

Note

To complete the federation configuration, you must add a text (TXT) record in DNS for the domain you want to use as the account namespace and for any other domain you want to add as a federated domain on the Microsoft Federation Gateway. After the TXT records are available in DNS, complete the federation trust configuration by using the Manage Federation wizard in the EMC or the Set-FederatedOrganizationIdentifier cmdlet in the Shell. For details, see Create a TXT Record for Federation or Managing Federation.

Use the Shell to create a federation trust

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

  1. This example creates a unique subject key identifier to be used with the certificate.

    $ski = [System.Guid]::NewGuid().ToString("N")
    
  2. This example creates a self-signed certificate for the federation trust with the Microsoft Federation Gateway.

    New-ExchangeCertificate -FriendlyName "Exchange Federated Delegation" -DomainName $env:USERDNSDOMAIN -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
    
  3. This example retrieves the self-signed certificate and creates the federation trust "Microsoft Federation Gateway". This automatically deploys the self-signed certificate to the Exchange servers in your organization.

    Get-ExchangeCertificate | ?{$_.friendlyname -eq "Exchange Federated Delegation"} | New-FederationTrust -Name "Microsoft Federation Gateway"
    
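The three steps above, combined into one script as an added example that is not part of the original topic. It adds the checks an administrator would want before running the procedure unattended: it refuses to create a duplicate trust, reuses an existing federation certificate with the same friendly name rather than minting a second one (which would make the friendly-name filter in step 3 ambiguous), and confirms the trust was bound to the business instance. It assumes the Exchange Management Shell is loaded; reading the issuer from a TokenIssuerUri property on the Get-FederationTrust output is an assumption.

```powershell
# Added example: idempotent version of the Shell procedure for a business-instance trust.
# Assumes the Exchange Management Shell is loaded.
# Assumption: Get-FederationTrust output exposes the issuer as TokenIssuerUri.

$friendlyName = 'Exchange Federated Delegation'
$trustName    = 'Microsoft Federation Gateway'

# Refuse to create a second trust with the same name.
if (Get-FederationTrust | Where-Object { $_.Name -eq $trustName }) {
    throw "A federation trust named '$trustName' already exists; inspect it with Get-FederationTrust."
}

# Reuse an existing federation certificate with this friendly name; a second one with
# the same name would make the Get-ExchangeCertificate filter return two objects.
$certs = @(Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq $friendlyName })
if ($certs.Count -gt 1) {
    throw "Found $($certs.Count) certificates named '$friendlyName'; remove the stale ones first."
}
if ($certs.Count -eq 0) {
    # Step 1: unique subject key identifier for the new certificate.
    $ski = [System.Guid]::NewGuid().ToString('N')
    # Step 2: self-signed certificate enabled for the Federation service.
    $certs = @(New-ExchangeCertificate -FriendlyName $friendlyName `
                 -DomainName $env:USERDNSDOMAIN `
                 -Services Federation `
                 -KeySize 2048 `
                 -PrivateKeyExportable $true `
                 -SubjectKeyIdentifier $ski)
}
$cert = $certs[0]

# Sanity checks before the certificate is registered with the gateway.
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key on this server.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Step 3: create the trust. The certificate is deployed to the other Exchange servers
# in the organization automatically.
$cert | New-FederationTrust -Name $trustName | Out-Null

# Confirm the trust exists and is bound to the business instance.
$trust = Get-FederationTrust | Where-Object { $_.Name -eq $trustName }
if (-not $trust) { throw "Trust '$trustName' was not created." }
if ($trust.TokenIssuerUri -ne 'uri:federation:MicrosoftOnline') {
    Write-Warning "Trust '$trustName' is not using the business instance: $($trust.TokenIssuerUri)"
}
'{0}: issuer {1}, certificate {2}' -f $trust.Name, $trust.TokenIssuerUri, $cert.Thumbprint
```

After this completes, the TXT records for the account namespace and any other federated domains still have to be published in DNS, as described in the note above, before the federated organization identifier can be set.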

For detailed syntax and parameter information, see New-ExchangeCertificate, Get-ExchangeCertificate, or New-FederationTrust.

Use the Shell to create a federation trust that uses the consumer instance of the Microsoft Federation Gateway

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

Note

You can't use the EMC to create a federation trust that uses the consumer instance of the Microsoft Federation Gateway.

Prerequisite

To create a federation trust that uses the consumer instance of the Microsoft Federation Gateway, you need a valid X.509 certificate that meets the requirements for federation trusts. The certificate must be issued by a certification authority (CA) trusted by the Microsoft Federation Gateway. This certificate will be deployed automatically to all Client Access and Hub Transport servers accessible by the federation trust task. For more details, see Trusted Root Certification Authorities for Federation Trusts.

  1. This example gets a list of certificates and their thumbprints.

    Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $false} | Format-List
    

    Where is an alias for the Where-Object cmdlet. It can also be replaced by the alias ? (question mark). To get a list of all aliases available in the Shell, run the Get-Alias cmdlet.

    If there's only one certificate on the server that's not self-signed, you can simplify this task by combining commands from this step and the next step. You can pipeline results from the Get-ExchangeCertificate cmdlet to the New-FederationTrust cmdlet, as shown in this example.

    Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $false} | New-FederationTrust -Name "Microsoft Federation Gateway" -UseLegacyProvisioningService
    
  2. This example creates the federation trust Microsoft Federation Gateway.

    New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint 6C8AABD537D53A78CB84E7EEBC8D759C96283ED3 -UseLegacyProvisioningService
    

    Important

    After you create a federation trust, the next step in configuring federation delegation is to create a separate TXT record in the DNS zone for both the federated delegation subdomain and each primary e-mail or SMTP proxy domain you want to federate. Because you've created a federation trust that uses the consumer instance of the Microsoft Federation Gateway, you must follow the steps outlined in the Exchange 2010 RTM version of the topic Create a TXT Record for Federation. After the TXT records are available in DNS, complete the federation trust configuration by using the Manage Federation wizard in the EMC or the Set-FederatedOrganizationIdentifier cmdlet in the Shell.
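The following script is an added example, not part of the original topic, that hardens the certificate selection in the procedure above: instead of piping every non-self-signed certificate into New-FederationTrust, it proceeds only when exactly one certificate is eligible and otherwise lists the candidates so you can pass an explicit thumbprint. It assumes the Exchange Management Shell is loaded. IsSelfSigned, HasPrivateKey, NotAfter, Thumbprint, Subject and Issuer are standard on Get-ExchangeCertificate output; relying on a Status property with the value Valid, and on a TokenIssuerUri property on the Get-FederationTrust output, is an assumption.

```powershell
# Added example: create a consumer-instance trust from a CA-issued certificate only when
# the choice of certificate is unambiguous. Assumes the Exchange Management Shell is loaded.
# Assumption: certificate objects expose Status ('Valid' when the chain builds) and
# Get-FederationTrust output exposes the issuer as TokenIssuerUri.

$trustName = 'Microsoft Federation Gateway'

# Eligibility: issued by an external CA, private key present on this server,
# chain valid here, and not about to expire (30-day margin, a constructed threshold).
$eligible = @(Get-ExchangeCertificate | Where-Object {
    (-not $_.IsSelfSigned) -and
    $_.HasPrivateKey -and
    ($_.Status -eq 'Valid') -and
    ($_.NotAfter -gt (Get-Date).AddDays(30))
})

switch ($eligible.Count) {
    0 {
        throw 'No eligible CA-issued certificate found; request one from a CA trusted by the Microsoft Federation Gateway.'
    }
    1 {
        $cert = $eligible[0]
    }
    default {
        # Show the candidates and stop; the caller must choose a thumbprint explicitly.
        $eligible | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize | Out-String | Write-Host
        throw "Found $($eligible.Count) eligible certificates; re-run New-FederationTrust with an explicit -Thumbprint."
    }
}

Write-Host ('Using certificate {0} issued by {1}, valid until {2}' -f $cert.Thumbprint, $cert.Issuer, $cert.NotAfter)

# -UseLegacyProvisioningService selects the consumer instance of the gateway.
New-FederationTrust -Name $trustName -Thumbprint $cert.Thumbprint -UseLegacyProvisioningService | Out-Null

# Confirm the trust is bound to the consumer instance (uri:WindowsLiveID) before
# creating the TXT records described in the Important note above.
$trust = Get-FederationTrust | Where-Object { $_.Name -eq $trustName }
if (-not $trust) { throw "Trust '$trustName' was not created." }
if ($trust.TokenIssuerUri -ne 'uri:WindowsLiveID') {
    Write-Warning "Trust '$trustName' is not using the consumer instance: $($trust.TokenIssuerUri)"
}
'{0}: issuer {1}, certificate {2}' -f $trust.Name, $trust.TokenIssuerUri, $cert.Thumbprint
```

Because the consumer instance is only a fallback for partners that cannot install SP2, it is worth recording why this trust was created this way; the trust will need to be removed and re-created against the business instance once the partner upgrades.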

For detailed syntax and parameter information, see Get-ExchangeCertificate or New-FederationTrust.

Other Tasks

After you create a federation trust, you may also want to:

 © 2010 Microsoft Corporation. All rights reserved.