Manage Federation
Applies to: Exchange Server 2010
Use the Manage Federation wizard to manage certificates used for a federation trust, refresh the Microsoft Federation Gateway certificate and metadata, add or change the organization contact for federation, and disable or enable federation for the Exchange organization. In addition to the wizard in the EMC, you can also use the Exchange Management Shell to manage a federation trust.
Before you use the Manage Federation wizard or the corresponding cmdlets to modify a federation trust, a federated organization identifier, or federated domains, we recommend you understand how federation works and the impact of modifying federation configuration. For more information, see Understanding Federation.
What Do You Want to Do?
- Use the EMC to manage federation
- Use the Shell to manage federation
Use the EMC to manage federation
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.
Note
The Manage Federation wizard is a comprehensive way of managing the federation trust and the federated organization identifier associated with it. The wizard includes multiple tasks.
- In the console tree, navigate to Organization Configuration.
- In the result pane, click the Federation Trust tab, and then select the Federation Trust you want to manage. By default, the trust is named Microsoft Federation Gateway.
- In the action pane, click Manage Federation.
- On the Manage Federation Certificate page, you can take the following actions:
- Properties: Select the current, next, or previous certificate from the Property Name column, and then click Properties to view the certificate's properties.
- Edit: Select the Next Certificate from the Property Name column, and then click Edit to select another certificate as the next certificate.
- Roll certificate to mark the next certificate as the current certificate: Select this check box to configure the federation trust to use the next certificate as the current certificate.
Important
Before you configure the federation trust to use the next certificate, you must make sure the certificate is installed on all Exchange 2010 servers. To check the certificate status, click Show distribution state. The distribution state of the certificate is displayed in the Distribution State column. Expand the column width to display all text in the column.
- Contact the Microsoft Federation Gateway to get its certificate and federation metadata: This check box is selected by default. When you use this option, Exchange retrieves the certificate and federation metadata from the Microsoft Federation Gateway. Clear this check box if you don't want to perform this refresh.
- On the Manage Federated Domains page, you can take the following actions:
- Add a domain as a federated domain: To add a domain as a federated domain, click Add. The Select Accepted Domain dialog box displays all accepted domains in the Exchange 2010 organization.
- Remove a federated domain: To remove a federated domain, select the domain from the Domain column, and then click .
- Modify or add an organization contact: Enter the e-mail address of the designated organization contact for federation.
- Disable or Enable Federation: Clear the Enable Federation check box to disable federation for the Exchange organization.
- On the Manage Federation page, review the Configuration Summary, and then click Manage to execute the changes.
- On the Completion page, review the following, and then click Finish to close the wizard:
- A status of Completed indicates that the wizard completed the task successfully.
- A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
Use the Shell to manage federation
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Federation trusts" entry in the Exchange and Shell Infrastructure Permissions topic.
You can use the Shell to perform many tasks related to federation:
- View federation certificates
- Check federation certificate status
- Configure the federation trust to use a certificate as the next certificate
- Configure the federation trust to use the next certificate as the current certificate
- Refresh federation metadata and certificate from the Microsoft Federation Gateway
- View federated domains
- Add a domain as a federated domain
- Remove a federated domain
- Enable federation for the Exchange organization
- Disable federation for the Exchange organization
View federation certificates
This example displays the previous, current, and next certificates used by the federation trust MyFederationTrust.
Get-FederationTrust -Identity MyFederationTrust | Select Org*certificate
For detailed parameter and syntax information, see Get-FederationTrust.
Check federation certificate status
This example displays the state of federation certificates on each Exchange 2010 server in the organization.
Test-FederationTrustCertificate
For detailed parameter and syntax information, see Test-FederationTrustCertificate.
Configure the federation trust to use a certificate as the next certificate
This example configures the federation trust MyFederationTrust to use the certificate with thumbprint AC00F35CBA8359953F4126E0984B5CCAFA2F4F17 as the next certificate. After the certificate is deployed to all Hub Transport and Client Access servers in the Exchange organization, you can use the PublishFederationCertificate switch to configure the trust to use this certificate as the current certificate.
Set-FederationTrust -Identity MyFederationTrust -Thumbprint AC00F35CBA8359953F4126E0984B5CCAFA2F4F17
For detailed parameter and syntax information, see Set-FederationTrust.
Configure the federation trust to use the next certificate as the current certificate
This example configures the federation trust MyFederationTrust to use the next certificate as the current certificate and publishes it to the Microsoft Federation Gateway.
Set-FederationTrust "MyFederationTrust" -PublishFederationCertificate
Warning
Before configuring the federation trust to use the next certificate as the current certificate, make sure that the certificate is deployed on all Hub Transport servers and Client Access servers. Use the Test-FederationTrustCertificate cmdlet or the Manage Federation wizard to check the deployment status of the certificate.
For detailed parameter and syntax information, see Set-FederationTrust.
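The following script is an added example, not part of the original topic. It combines the deployment check from the warning above with the certificate roll, so the next certificate is published only when every server reports it as deployed. The Thumbprint, State, and Site property names on the Test-FederationTrustCertificate output and the state value Installed are assumptions; confirm them against the output in your organization before you rely on the script.

```powershell
# Added example: roll the next federation certificate only after it is deployed.
# Assumptions: Test-FederationTrustCertificate returns objects with Thumbprint,
# State, and Site properties, and reports a deployed certificate as 'Installed'.

$trustName = 'MyFederationTrust'   # trust name used in the examples in this topic

$trust = Get-FederationTrust -Identity $trustName
$next  = $trust.OrgNextCertificate

if (-not $next) {
    throw "No next certificate is configured on '$trustName'. Run Set-FederationTrust -Thumbprint first."
}

# Don't promote a certificate that is expired or not yet valid.
$now = Get-Date
if ($next.NotBefore -gt $now -or $next.NotAfter -le $now) {
    throw "Next certificate $($next.Thumbprint) is outside its validity period ($($next.NotBefore) to $($next.NotAfter))."
}

# Keep only the status rows that refer to the next certificate.
$status = @(Test-FederationTrustCertificate |
    Where-Object { $_.Thumbprint -eq $next.Thumbprint })

# Any row that isn't 'Installed' means the certificate isn't deployed everywhere.
$notReady = @($status | Where-Object { "$($_.State)" -ne 'Installed' })

if ($status.Count -eq 0) {
    Write-Warning "No server reported a status for $($next.Thumbprint). The certificate was not rolled."
    return
}

if ($notReady.Count -gt 0) {
    Write-Warning "The next certificate is not deployed everywhere. The certificate was not rolled."
    $notReady | Format-Table Site, State, Thumbprint -AutoSize
    return
}

# All checks passed: make the next certificate the current certificate.
Set-FederationTrust -Identity $trustName -PublishFederationCertificate

# Show the resulting previous, current, and next certificates for the change record.
Get-FederationTrust -Identity $trustName | Select Org*certificate
```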
Refresh federation metadata and certificate from the Microsoft Federation Gateway
This example refreshes the federation metadata and certificate of the Microsoft Federation Gateway for the federation trust MyFederationTrust.
Set-FederationTrust MyFederationTrust -RefreshMetadata
For detailed parameter and syntax information, see Set-FederationTrust.
View federated domains
This example displays all federated domains for the federated organization identifier.
Get-FederatedOrganizationIdentifier
For detailed parameter and syntax information, see Get-FederatedOrganizationIdentifier.
Add a domain as a federated domain
This command adds the domain contoso.co.uk as a federated domain. The domain must exist as an accepted domain in the Exchange Server organization.
Add-FederatedDomain contoso.co.uk
For detailed parameter and syntax information, see Add-FederatedDomain.
Remove a federated domain
This command removes the domain contoso.co.uk as a federated domain.
Remove-FederatedDomain contoso.co.uk
For detailed parameter and syntax information, see Remove-FederatedDomain.
Enable federation for the Exchange organization
This command enables federation for the Exchange organization.
Set-FederatedOrganizationIdentifier -Enabled $true
For detailed parameter and syntax information, see Set-FederatedOrganizationIdentifier.
Disable federation for the Exchange organization
This command disables federation for the Exchange organization.
Set-FederatedOrganizationIdentifier -Enabled $false
For detailed parameter and syntax information, see Set-FederatedOrganizationIdentifier.