Exchange 2010 SP2 Federation Trust Setup

Today I got round to setting up a Federation Trust in Exchange 2010.

The steps are pretty straightforward, but you need to make sure of the following before you start:

  • Autodiscover for your organization resolves externally; you can test this via the following link: https://www.testexchangeconnectivity.com/
  • The Autodiscover External URL is set up in Exchange.
  • The TXT records for domain proof are published in DNS (described below).

If you open the EMC in Exchange and click on Organization Configuration, you can create a new Federation Trust, or a Hybrid trust if you are running earlier versions of Exchange.

When you create the Trust, it gives a warning that you need to create TXT records in DNS. Basically you will have 2 TXT records to create: one with your domain name, e.g. domain.com, and another one for ExchangeDelegation.domain.com.

What you need to do is open the EMS and run the following commands to get the proof value for each domain (the cmdlet is Get-FederatedDomainProof, as also shown in the error text further down):

Get-FederatedDomainProof -DomainName exchangedelegation.domain.com
Get-FederatedDomainProof -DomainName domain.com

You now copy the Proof value from each and add it to the TXT record for that domain. Allow DNS time to propagate; I normally allow mine to replicate for 24 hrs.

The next step is to create a new Accepted Domain for ExchangeDelegation.domain.com and set it to authoritative.

After that click the Organization Configuration node and select the Microsoft Federation Gateway trust under the Federation Trust tab.
Then click Manage Federation in the Actions pane.
Then click Next to bring up the Manage Federated Domains window, click Add and select the Microsoft Federated Trust accepted domain you just created.
Lastly click on Manage.

If your TXT records have not propagated yet you might get the following error:

“Proof of domain ownership has failed. Make sure that the TXT record for the specified domain is available in DNS. The format of the TXT record should be “example.com IN TXT hash-value” where “example.com” is the domain you want to configure for Federation and “hash-value” is the proof value generated with “Get-FederatedDomainProof -DomainName example.com”.  The proof of domain ownership is not valid or is missing.”

The last part of this is to set up the Organization Relationships:

Click the Organization Relationships tab on the Organization Configuration node in the EMC.
Then click New Organization Relationship in the Actions pane. The New Organization Relationship wizard will start. Enter a name (you can call it Calendar Share etc.), then
select the Enable free/busy information access check-box and specify the free/busy data access level you wish to share using the drop-down box.
Then click Next and enter the external domain name, or manually enter the information if you have it.

If you get the error below, there are a few things to check:

Error: Federation information could not be received from the external organization.

  • Check that Autodiscover is resolving correctly, as mentioned above.
  • Run nslookup to test whether the TXT records are showing: nslookup -querytype=TXT domain.com
  • Run Get-FederationInformation -DomainName domain.com -Verbose against the external domain to see where the lookup fails.
  • Check that your External URL property is set; you can check it with the following:

Get-WebServicesVirtualDirectory | fl name,server,InternalURL,ExternalURL

  • If the URL is blank or has the wrong info you can fix it as follows:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalURL https://mail.domain.com/EWS/Exchange.asmx
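As an added example (not from the original post), the checks above can be run in one pass from the EMS. It assumes Resolve-DnsName is available (DnsClient module, Windows Server 2012 or later; on older servers substitute the nslookup command above) and that domain.com and the external domain are placeholders for your own values.

```powershell
# Added example, not part of the original post: pre-flight checks for a federated domain.
# Assumptions: run in the Exchange Management Shell; Resolve-DnsName is available;
# $Domain and $ExternalDomain are placeholders for your real domain names.
param(
    [string]$Domain         = "domain.com",
    [string]$ExternalDomain = "partner.example"
)

$domainsToCheck = @($Domain, "exchangedelegation.$Domain")

foreach ($d in $domainsToCheck) {
    # The proof value(s) Exchange expects to find in the TXT record for this domain.
    # More than one proof can be returned, so treat the result as a list.
    $expected = @(Get-FederatedDomainProof -DomainName $d | ForEach-Object { $_.Proof })

    # What public DNS actually returns right now; empty means not propagated yet.
    $txt = @(Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq "TXT" } |
             ForEach-Object { $_.Strings -join "" })

    $matched = $expected | Where-Object { $txt -contains $_ }

    if ($matched) {
        Write-Host "OK       TXT proof for $d matches Get-FederatedDomainProof"
    } elseif ($txt.Count -eq 0) {
        Write-Warning "MISSING  no TXT record found for $d (still propagating?)"
    } else {
        Write-Warning "MISMATCH TXT for $d does not match the current proof value"
    }
}

# EWS ExternalUrl must be set on every CAS, otherwise the external org cannot reach you.
Get-WebServicesVirtualDirectory | ForEach-Object {
    if (-not $_.ExternalUrl) {
        Write-Warning "ExternalUrl is blank on $($_.Server)\$($_.Name)"
    } else {
        Write-Host "OK       $($_.Server) EWS ExternalUrl = $($_.ExternalUrl)"
    }
}

# Finally confirm the external organization's federation information can be retrieved;
# -Verbose shows which Autodiscover/EWS lookup fails if it cannot.
Get-FederationInformation -DomainName $ExternalDomain -Verbose
```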

Now you can test by opening a calendar and checking whether you are able to view calendars from the other organization. If you get any errors, check the application logs on your Exchange server.

Hope it helps.
