Exchange Delegation Federation / Microsoft Federation Gateway / Renew Certificate

From Ilianko

EAC is alerting for certificate expiration.

Certtificate about to expire.png

It is easier to renew the certificate before expiration.

Generate new self signed certificate from exchange shell

Key Identifier ( Random name for the key) 

$:\> $SKI = [System.Guid]::NewGuid().ToString("N");
$:\> echo $SKI
  3ecaf8d9942c4fb4848e6201810e0734

Create Key 

New-ExchangeCertificate -DomainName 'Federation' -FriendlyName "Exchange Delegation Federation" `
  -Services Federation -SubjectKeyIdentifier $SKI -PrivateKeyExportable $true

Thumbprint                                Subject                                                                                                                                                                
----------                                -------                                                                                                                                                                
133F83817AD86C127C0A71B92214C52D6B3A4D31  CN=Federation

Set the "next" in exchange

$:\>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint 133F83817AD86C127C0A71B92214C52D6B3A4D31 -RefreshMetaData

WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation. `
You should update all TXT proof-of-ownership  records that were previously set in DNS for all the domains `
configured for Federation before publishing the new certificate.
The new hash-value should be replaced with the OrgNextCertificate proof value output generated with `
"Get-FederatedDomainProof -DomainName example.com".

Update DNS TXT record

Find and update the TXT record responsible for Federation 

$:\>nslookup -type=txt example.com  8.8.8.8

example.com	text = "v=spf1 mx -all"
example.com	text = "google-site-verification=...
example.com	text = "qwa3SWMSP+278DT56LL2y+QmQ33UgQzRuofsRjLrZIyhl8O...=="

Authoritative answers can be found from:

Get-FederatedDomainProof -DomainName example.com| Format-List Thumbprint,Proof 

//new
Thumbprint : 133F83817AD86C127C0A71B92214C52D6B3A4D31
Proof      : asaq33FMhbo05dK8M+Tek1gj7frqmnatO1hM5MWLx98yLivsrIJQ6M1Zk4W90bmSE4...==

//old
Thumbprint : 993FF8C8E1F312FE59CF6C047C60FAF35AC33F66
Proof      : qwa3SWMSP+278DT56LL2y+QmQ33UgQzRuofsRjLrZIyhl8O...==


New TXT record 

$:\>nslookup -type=txt example.com  8.8.8.8

example.com	text = "v=spf1 mx -all"
example.com	text = "google-site-verification=...
example.com	text = "asaq33FMhbo05dK8M+Tek1gj7frqmnatO1hM5MWLx98yLivsrIJQ6M1Zk4W90bmSE4...=="


New TXT record 

$:\>nslookup -type=txt example.com ns.local.dns

example.com	text = "v=spf1 mx -all"
example.com	text = "google-site-verification=...
example.com	text = "asaq33FMhbo05dK8M+Tek1gj7frqmnatO1hM5MWLx98yLivsrIJQ6M1Zk4W90bmSE4...=="

Test before change

$:\> Test-FederationTrust -UserIdentity mail@example.com

 Begin process.

STEP 1 of 6: Getting ADUser information for mail@example.com...
RESULT: Success.

STEP 2 of 6: Getting FederationTrust object for mail@example.com...
RESULT: Success.

STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.
RESULT: Success.

STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
RESULT: Success.
 

Validating current configuration for KLJWLKJDWL57623.example.com...
 
Validation successful.

STEP 5 of 6: Requesting delegation token...
RESULT: Success. Token retrieved.

STEP 6 of 6: Validating delegation token...
RESULT: Success.

Closing Test-FederationTrust...


RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : FederationTrustConfiguration
Type       : Success
Message    : FederationTrust object in ActiveDirectory is valid.

RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : FederationMetadata
Type       : Success
Message    : The federation trust contains the same certificates published by the security token service in its federation metadata.

RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : StsCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : StsPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : OrganizationCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : TokenRequest
Type       : Success
Message    : Request for delegation token succeeded.

RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : TokenValidation
Type       : Success
Message    : Requested delegation token is valid.

Set Apply the "Next" certificate

Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate

Errors

FederationTrust object is expired

Certificate was created with local time. This was 2 hours earlier ...

Solution: wait https://jesperstahle.azurewebsites.net/?p=142

Error: 

...
STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
WARNING: Could not retrieve orgPrivCertificate from GetOrganizationCertificates

Closing Test-FederationTrust...
...
RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : OrganizationCertificate
Type       : Error
Message    : Certificate referenced by property OrgPrivCertificate in the FederationTrust object is expired.
Error: GetOrganizationCertificates(federationTrust) returned null when called in Process()
   + CategoryInfo          : NotSpecified: (:) [], LocalizedException
   + FullyQualifiedErrorId : [Server=mail,RequestId=3fa41912-ddfa-41af-b063-92cb4fa6623d,TimeStamp=12/2/2019 8:46:58 AM] [FailureCategory=Cmdlet- LocalizedException] 3CE8F0B2
   + PSComputerName        : mail.example.com

Certificate 

$:\> get-federationtrust |select *
RunspaceId                   : ea565-64c3-4656-9e7f-420a7b4a4d78
ApplicationIdentifier        : 0000000048307
ApplicationUri               : KLJWLKJDWL57623.example.com
OrgCertificate               : [Subject]
                                CN=Federation
                              [Issuer]
                                CN=Federation
                              [Serial Number]
                                JHKJD6756JHG26KJ54D6WD46QW
                              [Not Before]
                                12/2/2019 9:23:23 AM
                              [Not After]
                                12/2/2024 9:23:23  AM

Deleted Old Certificate

The old certificate is not automatically removed. After remove with mmc console the following error appears. 

RunspaceId : ea565-64c3-4656-9e7f-420a7b4a4d78
Id         : OrganizationPreviousCertificate
Type       : Error
Message    : Unable to find the certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object. 

WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance of an object.
Object reference not set to an instance of an object.
   + CategoryInfo          : NotSpecified: (:) [Test-FederationTrust], NullReferenceException
   + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Exchange.Management.SystemConfigurationTasks.TestFederationTrust
   + PSComputerName        : mail.example.com

Solution: Clear the OrgPrevPrivCertificate with ADSIEdit

Retrieved from "https://ilianko.com/index.php?title=Exchange_Delegation_Federation_/_Microsoft_Federation_Gateway_/_Renew_Certificate&oldid=5963"