Manage Federation

Applies to: Exchange Server 2010

Use the Manage Federation wizard to manage certificates used for a federation trust, refresh the Microsoft Federation Gateway certificate and metadata, add or change the organization contact for federation, and disable or enable federation for the Exchange organization. In addition to the wizard in the EMC, you can also use the Exchange Management Shell to manage a federation trust.

Before you use the Manage Federation wizard or the corresponding cmdlets to modify a federation trust, a federated organization identifier, or federated domains, we recommend you understand how federation works and the impact of modifying federation configuration. For more information, see Understanding Federation.

What Do You Want to Do?

  • Use the EMC to manage federation
  • Use the Shell to manage federation

Use the EMC to manage federation

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

Note

The Manage Federation wizard is a comprehensive way of managing the federation trust and the federated organization identifier associated with it. The wizard includes multiple tasks.

  1. In the console tree, navigate to Organization Configuration.
  2. In the result pane, click the Federation Trust tab, and then select the Federation Trust you want to manage. By default, the trust is named Microsoft Federation Gateway.
  3. In the action pane, click Manage Federation.
  4. On the Manage Federation Certificate page, you can take the following actions:
    • Properties   Select the current, next, or previous certificate from the Property Name column, and then click Properties to view the certificate's properties.

    • Edit   Select the Next Certificate from the Property Name column, and then click Edit to select another certificate as the next certificate.

    • Roll certificate to mark the next certificate as the current certificate   Select this check box to configure the federation trust to use the next certificate as the current certificate.

      Important

      Before you configure the federation trust to use the next certificate, you must make sure the certificate is installed on all Exchange 2010 servers. To check the certificate status, click Show distribution state. The distribution state of the certificate is displayed in the Distribution State column. Expand the column width to display all text in the column.

    • Contact the Microsoft Federation Gateway to get its certificate and federation metadata   This check box is selected by default. When you use this option, Exchange retrieves the certificate and federation metadata from the Microsoft Federation Gateway. Clear this check box if you don't want to perform this refresh.
  5. On the Manage Federated Domains page, you can take the following actions:
    • Add a domain as a federated domain   To add a domain as a federated domain, click Add. The Select Accepted Domain dialog box displays all accepted domains in the Exchange 2010 organization.
    • Remove a federated domain   To remove a federated domain, select the domain from the Domain column, and then click the Remove icon.
    • Modify or add an organization contact   Enter the e-mail address of the designated organization contact for federation.
    • Disable or enable federation   Clear the Enable Federation check box to disable federation for the Exchange organization.
  6. On the Manage Federation page, review the Configuration Summary, and then click Manage to execute the changes.
  7. On the Completion page, review the following, and then click Finish to close the wizard:
    • A status of Completed indicates that the wizard completed the task successfully.
    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to manage federation

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.

You can use the Shell to perform many tasks related to federation:

  • View federation certificates
  • Check federation certificate status
  • Configure the federation trust to use a certificate as the next certificate
  • Configure the federation trust to use the next certificate as the current certificate
  • Refresh federation metadata and certificate from the Microsoft Federation Gateway
  • View federated domains
  • Add a domain as a federated domain
  • Remove a federated domain
  • Enable federation for the Exchange organization
  • Disable federation for the Exchange organization

View federation certificates

This example displays the previous, current, and next certificates used by the federation trust MyFederationTrust.

Get-FederationTrust -Identity MyFederationTrust | Select Org*certificate

For detailed parameter and syntax information, see Get-FederationTrust.

Check federation certificate status

This example displays the state of federation certificates on each Exchange 2010 server in the organization.

Test-FederationTrustCertificate

For detailed parameter and syntax information, see Test-FederationTrustCertificate.

Configure the federation trust to use a certificate as the next certificate

This example configures the federation trust MyFederationTrust to use the certificate with thumbprint AC00F35CBA8359953F4126E0984B5CCAFA2F4F17 as the next certificate. After the certificate is deployed to all Hub Transport and Client Access servers in the Exchange organization, you can use the PublishFederationCertificate switch to configure the trust to use this certificate as the current certificate.

Set-FederationTrust -Identity MyFederationTrust -Thumbprint AC00F35CBA8359953F4126E0984B5CCAFA2F4F17

For detailed parameter and syntax information, see Set-FederationTrust.

Configure the federation trust to use the next certificate as the current certificate

This example configures the federation trust MyFederationTrust to use the next certificate as the current certificate and publishes it to the Microsoft Federation Gateway.

Set-FederationTrust "MyFederationTrust" -PublishFederationCertificate

Warning

Before configuring the federation trust to use the next certificate as the current certificate, make sure that the certificate is deployed on all Hub Transport servers and Client Access servers. Use the Test-FederationTrustCertificate cmdlet or the Manage Federation wizard to check the deployment status of the certificate.

For detailed parameter and syntax information, see Set-FederationTrust.
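The following script is an added example, not part of the original topic, that combines the two steps above into one guarded rollover: it publishes the next certificate only when Test-FederationTrustCertificate reports it installed on every server. It assumes that the cmdlet's output objects expose Server, State and Thumbprint properties with an installed state of 'Installed', and that the OrgNextPrivCertificate property of Get-FederationTrust holds the next certificate's thumbprint; verify both with Get-Member in your environment.

```powershell
# Added example (not from the original article). Rolls the federation trust's
# next certificate to current only after confirming it is deployed everywhere.
# Assumptions (check with Get-Member): Test-FederationTrustCertificate rows have
# Server, State and Thumbprint properties, State is 'Installed' when deployed,
# and Get-FederationTrust exposes the next thumbprint as OrgNextPrivCertificate.
function Publish-FederationCertificateSafely {
    param(
        [Parameter(Mandatory = $true)]
        [string]$TrustIdentity
    )

    $trust = Get-FederationTrust -Identity $TrustIdentity
    $nextThumbprint = $trust.OrgNextPrivCertificate
    if ([string]::IsNullOrEmpty($nextThumbprint)) {
        throw "Trust '$TrustIdentity' has no next certificate; set one with Set-FederationTrust -Thumbprint first."
    }

    # One row per server; keep only the rows that describe the next certificate.
    $status = Test-FederationTrustCertificate |
        Where-Object { $_.Thumbprint -eq $nextThumbprint }

    if (-not $status) {
        throw "No server reported certificate $nextThumbprint; aborting rollover."
    }

    $missing = $status | Where-Object { $_.State -ne 'Installed' }
    if ($missing) {
        $missing | Format-Table Server, State -AutoSize | Out-String | Write-Warning
        throw "Certificate $nextThumbprint is not installed on all servers; aborting rollover."
    }

    # Every server holds the certificate: make it current and publish it to the gateway.
    Set-FederationTrust -Identity $TrustIdentity -PublishFederationCertificate
    Write-Verbose "Published $nextThumbprint as the current federation certificate." -Verbose
}

# Usage (constructed example; the default trust name is 'Microsoft Federation Gateway'):
Publish-FederationCertificateSafely -TrustIdentity 'Microsoft Federation Gateway'
```

Run it from the Exchange Management Shell with an account that holds the "Federation trusts" permissions; a thrown error leaves the trust unchanged, so a failed check is safe to rerun after the certificate has been installed on the reported servers.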

Refresh federation metadata and certificate from the Microsoft Federation Gateway

This example refreshes the federation metadata and certificate of the Microsoft Federation Gateway for the federation trust MyFederationTrust.

Set-FederationTrust MyFederationTrust -RefreshMetadata

For detailed parameter and syntax information, see Set-FederationTrust.

View federated domains

This example displays all federated domains for the federated organization identifier.

Get-FederatedOrganizationIdentifier

For detailed parameter and syntax information, see Get-FederatedOrganizationIdentifier.

Add a domain as a federated domain

This command adds the domain contoso.co.uk as a federated domain. The domain must exist as an accepted domain in the Exchange Server organization.

Add-FederatedDomain contoso.co.uk

For detailed parameter and syntax information, see Add-FederatedDomain.

Remove a federated domain

This command removes the domain contoso.co.uk as a federated domain.

Remove-FederatedDomain contoso.co.uk

For detailed parameter and syntax information, see Remove-FederatedDomain.

Enable federation for the Exchange organization

This command enables federation for the Exchange organization.

Set-FederatedOrganizationIdentifier -Enabled $true

For detailed parameter and syntax information, see Set-FederatedOrganizationIdentifier.

Disable federation for the Exchange organization

This command disables federation for the Exchange organization.

Set-FederatedOrganizationIdentifier -Enabled $false

For detailed parameter and syntax information, see Set-FederatedOrganizationIdentifier.

For More Information

Understanding Federation

Create a Federation Trust