Here is the situation and the solution
Situation
- I had a federation trust set up in Exchange 2010 SP1 (the same issue can happen in RTM)
- I created it using the “UseLegacyProvisioningService” switch and so was using a third-party certificate
- After the trust was established I had some issues with the cert… and while it’s a long story, the gist is that the cert was revoked and I received a new one.
- Well, this caused an issue with my federation trust because I didn’t get the cert switched before the revocation (this can also happen if you delete the cert from the cert store or if it expires before you roll to a new one)
Symptoms: I received the following errors when I tried to make any change to the federation trust or even tried to delete it.
An error occurred accessing Windows Live. Detailed information: "The request failed with HTTP status 403: Forbidden.".
+ CategoryInfo : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
+ FullyQualifiedErrorId : 84DE3E74,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederationTrust
Error:
Exception has been thrown by the target of an invocation.
An error occurred accessing Windows Live. Detailed information: "The request failed with HTTP status 403: Forbidden.".
The request failed with HTTP status 403: Forbidden.
Click here for help… http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex1FCF67
Reason: the certificate that was used, and is still expected by the trust, is no longer valid and so cannot be trusted by the Windows Live servers at Microsoft
Solution: Use ADSIEdit to change the cert to the new thumbprint
- Add the new cert as the next cert in EMC under Federation Trusts
- Open ADSIEdit with Domain Admin credentials
- Connect to the Configuration naming context
- Browse to Domain –> Configuration –> Services –> Microsoft Exchange –> OrgName –> Federation Trusts
- Right-click your Federation Trust in the right-hand window and go to Properties
- Scroll down until you find the attribute “msExchFedOrgNextPrivCertificate” (this was where my solution varied from EXPTA’s)
- Edit the attribute, select all the contents and copy, then close the editor
- Edit the attribute “msExchFedOrgPrivCertificate” and paste in your copied contents (it is a good idea to keep a copy of this attribute’s contents before overwriting it)
- Close all windows
- Re-open the EMC or EMS, run your failed commands again, and life is grand!
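The same attribute copy done from a PowerShell console instead of ADSIEdit, as an added example that is not part of the original post. It assumes you run it as a Domain Admin on a domain-joined machine, that the new cert has already been added as the “next” cert in EMC, that exactly one federation trust object exists, and that the two attribute names from the post are correct; it uses plain .NET DirectoryServices, not Exchange cmdlets, because those are what fail with the 403.

```powershell
# Added example (not from the original post): promote msExchFedOrgNextPrivCertificate
# to msExchFedOrgPrivCertificate on the federation trust object in the Configuration
# naming context, keeping a backup of the old value first.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext

# Find the trust object by the presence of the "next certificate" attribute, so the
# Exchange organisation name (OrgName in the post) does not need to be hard-coded.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = "(msExchFedOrgNextPrivCertificate=*)"
$results = $searcher.FindAll()
if ($results.Count -ne 1) {
    throw "Expected exactly one federation trust object, found $($results.Count)"
}

$trust   = $results[0].GetDirectoryEntry()
$current = $trust.Properties["msExchFedOrgPrivCertificate"].Value
$next    = $trust.Properties["msExchFedOrgNextPrivCertificate"].Value
if (-not $next) {
    throw "msExchFedOrgNextPrivCertificate is empty; add the new cert in EMC first"
}

# Back up the existing value before overwriting it (as the post recommends).
# The attribute may be stored as bytes or as text, so handle both.
$backup = Join-Path $env:TEMP ("msExchFedOrgPrivCertificate-{0:yyyyMMdd-HHmmss}.bak" -f (Get-Date))
if ($current -is [byte[]]) {
    [IO.File]::WriteAllBytes($backup, $current)
} elseif ($current) {
    Set-Content -Path $backup -Value ([string]$current)
}
Write-Host "Old value backed up to $backup"

# Make the "next" certificate the active one and commit the change to AD.
$trust.Properties["msExchFedOrgPrivCertificate"].Value = $next
$trust.CommitChanges()
Write-Host "Updated msExchFedOrgPrivCertificate on $($trust.Path)"
```

After it runs, re-open EMS and retry the Set-FederationTrust command that failed; if Active Directory replication is involved, allow time for the change to reach the server EMS is bound to.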
Thanks to EXPTA and Gene at Microsoft for the assist in figuring this out.