

Exchange 2010: Federation Setup

A federation trust establishes a trust relationship between a Microsoft Exchange Server 2010 organization and the Microsoft Federation Gateway.

Prerequisites:

  • The domain used for establishing a federation trust should be resolvable from the Internet.
  • Both Exchange organizations in a federated delegation relationship must use the same Microsoft Federation Gateway instance for their federation trusts. 

Microsoft Technet Article for Reference: http://technet.microsoft.com/en-us/library/dd335198(v=exchg.141).aspx

Important Steps:

  • Autodiscover for your organization must resolve externally; you can test this via the following link: https://www.testexchangeconnectivity.com/
  • The Autodiscover external URL is set up in Exchange.
  • The TXT records described below are published in public DNS.

If you open the EMC and click Organization Configuration, you can create a new Federation Trust (or a Hybrid trust if you are running earlier versions of Exchange).

When you create the trust it warns you that you need to create TXT records in DNS. You will end up with two TXT records: one for your domain name, e.g. domain.com, and another for ExchangeDelegation.domain.com.

Open the EMS and run the following commands to get the proof value for each domain:

  • Get-FederatedDomainProof -DomainName exchangedelegation.domain.com
  • Get-FederatedDomainProof -DomainName domain.com

Copy the Proof entry from each result and add it to the TXT record for that domain. Allow DNS up to 24 hours to replicate.

The next step is to create a new accepted domain for ExchangeDelegation.domain.com and set it to authoritative.

After that, click the Organization Configuration node and select the Microsoft Federation Gateway trust under the Federation Trust tab.
Then click Manage Federation in the Actions pane.
Click Next to bring up the Manage Federated Domains window. Click Add and select the accepted domain you just created (ExchangeDelegation.domain.com).
Lastly, click Manage.
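The same steps done from the Exchange Management Shell instead of the EMC, as an added example that is not code from the original post. It assumes the federation trust already exists under its default name "Microsoft Federation Gateway", and domain.com / exchangedelegation.domain.com are placeholders for your own namespace.

```powershell
# Added example (not from the original post): federation configuration from the EMS.
# Assumes the trust "Microsoft Federation Gateway" already exists; domain names are placeholders.

$primaryDomain    = "domain.com"
$delegationDomain = "exchangedelegation.$primaryDomain"
$trustName        = "Microsoft Federation Gateway"

# 1. Generate the ownership proofs. Each domain needs its own TXT record carrying the Proof
#    value. More than one proof can come back when a "next" certificate is configured on the
#    trust, so publish every value that is returned.
foreach ($d in $primaryDomain, $delegationDomain) {
    Write-Host "TXT record(s) to publish for $d :"
    Get-FederatedDomainProof -DomainName $d | ForEach-Object { "    $d IN TXT $($_.Proof)" }
}

# 2. Authoritative accepted domain for the delegation namespace, created only if it is missing.
if (-not (Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $delegationDomain })) {
    New-AcceptedDomain -Name "Exchange Delegation" -DomainName $delegationDomain -DomainType Authoritative
}

# 3. Run this part only once the TXT records are visible from the Internet. The delegation
#    domain becomes the account namespace and the primary domain is added as a federated
#    domain. While DNS is still stale this is the step that fails with
#    "Proof of domain ownership has failed".
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $trustName `
    -AccountNamespace $delegationDomain -Enabled $true
Add-FederatedDomain -DomainName $primaryDomain

# 4. Show what is now registered with the gateway.
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled
```

Step 3 is the shell equivalent of Manage Federation in the EMC; keep it separate from steps 1 and 2 so you can rerun it on its own after DNS has propagated.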

If your TXT records have not propagated yet you might get the following error:

“Proof of domain ownership has failed. Make sure that the TXT record for the specified domain is available in DNS. The format of the TXT record should be “example.com IN TXT hash-value” where “example.com” is the domain you want to configure for Federation and “hash-value” is the proof value generated with “Get-FederatedDomainProof -DomainName example.com”. The proof of domain ownership is not valid or is missing.”

The last part is to set up the Organization Relationship:

Click the Organization Relationships tab on the Organization Configuration node in the EMC.
Click New Organization Relationship in the Actions pane. The New Organization Relationship wizard starts. Enter a name, for example Calendar Share.
Select the Enable free/busy information access check box and choose the free/busy access level you want to share from the drop-down box.
Click Next and enter the external domain name, or enter the information manually if you have it.
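The same relationship created from the shell, as an added example that is not code from the original post. It discovers the partner's federation information first (the step the wizard performs when you enter the external domain name) and then tests the relationship with a mailbox in your own organization; partner.example and user@domain.com are placeholders.

```powershell
# Added example (not from the original post): organization relationship from the EMS.
# partner.example and user@domain.com are placeholders.

$partnerDomain = "partner.example"
$testMailbox   = "user@domain.com"

# Discover the partner's Autodiscover endpoint and application URI. If this call fails,
# the wizard fails with the same "Federation information could not be received" error.
$fedInfo = Get-FederationInformation -DomainName $partnerDomain -ErrorAction Stop
$fedInfo | Format-List DomainNames, TargetAutodiscoverEpr, TargetApplicationUri

# Pipe the discovered information into the new relationship. LimitedDetails shares
# subject and location of appointments, not the body.
$fedInfo | New-OrganizationRelationship -Name "Calendar Share" `
    -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

# Verify the relationship end to end before asking users to try it.
Test-OrganizationRelationship -Identity "Calendar Share" -UserIdentity $testMailbox |
    Format-Table Id, Type, Message -AutoSize
```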

If you get the error below, there are a few things to check:

Error: Federation information could not be received from the external organization.

  • Check that Autodiscover is resolving correctly as mentioned above.
  • Run nslookup to test if the TXT records are showing: nslookup -querytype=TXT domain.com
  • Run Get-FederationInformation -DomainName domain.com -Verbose and read the verbose output to see where the lookup fails.
  • Check that the External URL property is set; you can check it by running:

Get-WebServicesVirtualDirectory | fl name,server,InternalURL,ExternalURL

  • If the URL is blank or wrong, fix it as follows:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalURL https://mail.domain.com/EWS/Exchange.asmx
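The checks in the list above run in one pass, as an added example that is not code from the original post. It assumes nslookup is on the path, that the public resolver 8.8.8.8 is reachable (the point is what the Internet sees, not your internal DNS), and it uses the post's placeholder names; partner.example and user@domain.com are placeholders as well.

```powershell
# Added example (not from the original post): federation troubleshooting checklist as a script.
# Assumes nslookup on the path and 8.8.8.8 reachable; all domain and mailbox names are placeholders.

param(
    [string]$PrimaryDomain    = "domain.com",
    [string]$DelegationDomain = "exchangedelegation.domain.com",
    [string]$PartnerDomain    = "partner.example",
    [string]$TestMailbox      = "user@domain.com",
    [string]$ExternalResolver = "8.8.8.8"
)

function Get-PublicTxtRecords {
    param([string]$Domain)
    # nslookup prints TXT data as quoted strings; pull each one out as a separate record.
    $out = & nslookup -querytype=TXT $Domain $ExternalResolver 2>$null
    [regex]::Matches(($out -join "`n"), '"([^"]*)"') | ForEach-Object { $_.Groups[1].Value }
}

function Report {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    "{0,-4} {1}: {2}" -f ($(if ($Ok) { "OK" } else { "FAIL" }), $Check, $Detail)
}

# 1. Every locally generated proof must already be visible as a public TXT record.
foreach ($d in $PrimaryDomain, $DelegationDomain) {
    $proofs    = @(Get-FederatedDomainProof -DomainName $d | ForEach-Object { $_.Proof })
    $published = @(Get-PublicTxtRecords -Domain $d)
    $missing   = @($proofs | Where-Object { $published -notcontains $_ })
    Report "TXT proof for $d" ($missing.Count -eq 0) ("published: " + ($published -join " | "))
}

# 2. EWS needs an https external URL on each Client Access server, otherwise the partner
#    cannot fetch free/busy even when the trust itself is healthy.
foreach ($vd in Get-WebServicesVirtualDirectory) {
    $url = "$($vd.ExternalUrl)"
    Report "EWS ExternalUrl on $($vd.Server)" ($url -like "https://*/EWS/Exchange.asmx") $url
}

# 3. Federation information for both sides: ours (what the partner must be able to discover)
#    and the partner's (what the relationship wizard needs).
foreach ($d in $PrimaryDomain, $PartnerDomain) {
    try {
        $info = Get-FederationInformation -DomainName $d -ErrorAction Stop
        Report "Federation information for $d" $true "TargetApplicationUri=$($info.TargetApplicationUri)"
    } catch {
        Report "Federation information for $d" $false $_.Exception.Message
    }
}

# 4. Token exchange with the gateway using a real mailbox.
Test-FederationTrust -UserIdentity $TestMailbox | Format-Table Id, Type, Message -AutoSize
```

A FAIL in check 1 with the proof missing from the published list is the usual cause of the "Proof of domain ownership has failed" error; a FAIL in check 3 for the partner domain corresponds to the "Federation information could not be received" error from the wizard.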

Now test by opening a calendar and checking whether you can view the remote calendars. If you get any errors, check the application log on your Exchange server.