Configure Federated Delegation for an Exchange 2003 Hybrid Deployment

  • Article

 

Applies to: Exchange Server 2010 SP1

Estimated time to complete: 15 minutes

Federated delegation is a relationship established between your on-premises organization and the cloud-based service that uses a federation trust with the Microsoft Federation Gateway. Federated delegation is a requirement for configuring centralized mail delivery and many mailbox management features. Additionally, when coupled with configuring an organization relationship between the Exchange organizations, it enables users in both organizations to share their calendar availability (free/busy) information with each other. Federated delegation is also a requirement for other rich messaging features such as MailTips, Message Tracking, and Multi-Mailbox Search.

Configuring federated delegation for your on-premises organization requires several steps:

  1. Create a federation trust with the Microsoft Federation Gateway for your on-premises organization. (A federation trust with the gateway for the cloud-based organization is automatically created when you create the cloud-based service account.)

  2. Create domain proofs for the domain you want to use as the account namespace and for any other domain you want to add as a federated domain on the Microsoft Federation Gateway. We recommend that you use a domain namespace for the federated account namespace that's different from the domain you're using as your primary SMTP domain. To differentiate that this subdomain is used for federated delegation functionality, we recommend creating a separate subdomain of "exchangedelegation". An example of a federated delegation subdomain is exchangedelegation.contoso.com.

  3. Create a text (TXT) record in the Domain Name System (DNS) zone of each accepted domain you want to federate. The TXT record contains the federated domain proof encryption string generated in the previous step.

  4. Configure the domains for federation.

Learn more at: Understanding Federated Delegation

Warning

This topic is meant to be read as part of the Microsoft Exchange Server 2003 and Office 365 Hybrid Deployment checklist. Information or procedures in this topic may depend on prerequisites configured in topics earlier in the checklist. To view the checklist, see Checklist - Exchange 2003 and Office 365 Hybrid Deployment.

How do I create a federation trust with the Microsoft Federation Gateway?

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in Exchange and Shell Infrastructure Permissions.

You can use the New Federation Trust wizard in the Exchange Management Console (EMC) on the hybrid server to create the federation trust with the Microsoft Federation Gateway for the on-premises organization.

  1. In the console tree, click Organization Configuration for the on-premises Exchange forest.

  2. In the action pane, click New Federation Trust.

  3. On the New Federation Trust page, click New.

    Note

    This automatically creates a self-signed certificate for the federation trust with the gateway and deploys the self-signed certificate to the Exchange servers in your organization. The default name of the new federation trust is Microsoft Federation Gateway.

  4. On the Completion page, click Finish to close the wizard.

How do I create domain proofs for federated domains?

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in Exchange and Shell Infrastructure Permissions.

You must use the Exchange Management Shell to create the domain proofs for your federation domain and your primary SMTP domain. Run the Get-FederatedDomainProof cmdlet for both of these domains.

This example generates the domain proof string used for the TXT record for the federated delegation domain exchangedelegation.contoso.com and the primary SMTP domain contoso.com.

Get-FederatedDomainProof -DomainName exchangedelegation.contoso.com
Get-FederatedDomainProof -DomainName contoso.com

Save the output values returned in the Proof field because you'll need them in the next step. Paste the output values into a text editor, such as Notepad, so that you can copy it from the text editor and then paste it into the Text field of the TXT record property.

How do I create a TXT record in DNS for the accepted domains?

Now you must add TXT records for both the exchangedelegation.contoso.com domain and the contoso.com domain. Each TXT record must include the domain proof string that was generated when you ran the Get-FederatedDomainProof cmdlet in the previous step. For example, if the federated domain is exchangedelegation.contoso.com and your primary SMTP domain is contoso.com, the TXT records would be similar to the following:

Domain DNS record type Text

exchangedelegation.contoso.com

TXT

7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg==

contoso.com

TXT

Eh/po5qT098GMPklJU2DShrYO9mPseTn5i9wWKOKebmceLPuLCpaejYj83W53H/YcuzPy2VSo621BHO4DNS7jg==

Refer to your DNS host's Help for information about how to add a TXT record to your DNS zone.

How do I configure the domains for federation?

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions.

You can use the Manage Federation wizard in the EMC on the hybrid server to configure federation for the accepted domains:

  1. In the console tree, navigate to Organization Configuration for the on-premises Exchange forest and then select the Microsoft Federation Gateway federation trust.

  2. In the action pane, click Manage Federation.

  3. On the Manage Federation Certificate page, information is displayed for the certificates used for the federation trust. This includes information for the current certificate, the next certificate, and the previous certificate. Select the current certificate and make sure the Contacting the Microsoft Federation Gateway to get its certificate and federation metadata check box is selected. Click Next to continue.

    Note

    It’s normal for the certificate Distribution Status to be displayed as “Unknown” in the Manage Federation Certificate list. To update the distribution status, click Show distribution state.

  4. On the Manage Federated Domains page, click Add to add the federated delegation domain as a federated domain first. By selecting the federated delegation domain first, it’s automatically designated as the account namespace for the federation trust. The Select Accepted Domain dialog box displays all accepted domains in the Exchange 2010 organization. For example, select the exchangedelegation.contoso.com domain to set this domain as the Account Namespace.

  5. On the Manage Federated Domains page, click Add to also add the primary SMTP domain as a federated domain. For example, select the contoso.com domain.

  6. Verify that the federated delegation domain is displayed with bold formatting. This bold formatting indicates that it’s designated as the account namespace for the federation trust. If it isn’t designated as the account namespace, select the federated delegation domain and click Set as Account Namespace to designate it as the account namespace.

    Note

    It’s normal for the domain State to be displayed as “Unknown” in the Manage Federated Domains list.

  7. In the E-mail address of organization contact box, enter the e-mail address of the designated organization contact for federation. This e-mail address is used only as a contact address and doesn't have any federated delegation configuration properties.

  8. Select the Enable Federation check box to enable federation. You can also use this check box to disable federation for the Exchange organization if needed. Click Next to continue.

  9. On the Manage Federation page, review the Configuration Summary, and then click Manage to execute the changes.

  10. On the Completion page, click Finish to close the wizard.

How do I know this worked?

The successful completion of the federated delegation process for your on-premises organization depends on several separate configuration settings. So, you should verify that each component area has been correctly configured.

  • Federation Trust   The successful completion of the New Federation Trust wizard will be your first indication that the federation trust creation process worked as expected. To verify that the federation trust has been created successfully, open the EMC and select the Organization Configuration node. Click the Federation Trust tab to display the properties of the federation trust with the Microsoft Federation Gateway.

    To further verify that the federation trust was created successfully, you can run the Get-FederationTrust and the Get-FederationInformation cmdlets in the Exchange Management Shell. These cmdlets output the properties of the federation trust that have been configured for your on-premises organization.

    You should also create a test user account using the New-TestCasConnectivity User.ps1 script located in %ExchangeInstallPath%\Scripts and then run the Test-FederationTrust cmdlet in the EMC to verify that delegation tokens can be properly received from the Microsoft Federation Gateway.

  • TXT Records   You can verify the TXT records are correctly configured by viewing the record properties in your DNS management tools or by using the Nslookup command-line tool.

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service. Visit the forums at: Office 365 Forums

 © 2010 Microsoft Corporation. All rights reserved.