Problems with Federation Trust After changes to your certificate

Here is the situation and the solution


  • I Had a federated trust setup in exchange 2010 SP1 (same issue can happen in RTM)
  • I created it using the “UseLegacyProvisioningService” switch and so was using a 3rd party certificate
  • After the trust was established I had some issues with the cert… and while it’s a long story the gist is that the cert was revoked and I received a new one.
  • Well this caused an issue with my federation trust because I didn’t get the cert switched before the revocation (this can also happen if you delete the cert from the cert store or if it expires before you roll to a new one)

Symptoms: I received the following errors when I try to make any changes to the Federation trust or even try to delete it.

    An error occurred accessing Windows Live. Detailed information: "The request failed with HTTP status 403: Forbidden.".
        + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
        + FullyQualifiedErrorId : 84DE3E74,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederationTrust

    Exception has been thrown by the target of an invocation.


    An error occurred accessing Windows Live. Detailed information: "The request failed with HTTP status 403: Forbidden.".

    The request failed with HTTP status 403: Forbidden.
    Click here for help…

Reason: the certificate that was used and is expected is no longer valid and so cannot be trusted on the live servers at Microsoft

Solution: Use ADSIEdit to change the cert to the new thumbprint

  1. Add the new cert as the next cert in EMC under Federation Trusts
  2. Open ADSIEDit with Domain admin Credentials
  3. Connect to Configuration naming context
  4. Browse to Domain –> Configuration –> Services –> Microsoft Exchange –> OrgName –> Federation Trusts
  5. image
  6. Rich Click on your Federation Trust in the right hand window and go to properties
  7. Scroll down until you find the key “msExchFedOrgNextPrivCertificate” (this was where my solution varied from EXPTA’s)
  8. Edit the key and select all the contents and copy, then close the key
  9. Edit the Key “msExchFedOrgPrivCertificate” and paste in your copied contents (It may be a good idea to have a copy of this keys contents before overwriting it)
  10. Close all windows
  11. re-open the EMC or EMS run your failed commands again and life is grand!

Thanks to EXPTA and Gene at Microsoft for the assist in figuring this out.

Problem after removing arbitration mailbox using ADSIEdit

If you removed the arbitration mailbox from ADSI and not via EMS (Here’s how to use EMS) you may get the following errors when trying to reinstall the mailbox role.

Log Name: Application
Source: MSExchangeSetup
Event ID: 1002
Task Category: Microsoft Exchange Setup
Level: Error
Keywords: Classic
User: N/A

Exchange Server component Mailbox Role failed.
Error: Error:
The following error was generated when "$error.Clear();
if ($RoleIsDatacenter -ne $true)
{if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
{# upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
if ( $mbxs.length -eq 0)
{$dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
if($dbs.Length -ne 0)
{$mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
if ($mbxUser.Length -ne 0)
{enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;}}}}
{write-exchangesetuplog -info "Skipping creating Discovery Search Mailbox because of insufficient permission."} }

Active Directory operation failed on server.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152392, #1:0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 200f4 (homeMDB)

Normally this error indicates a problem contacting a DC or the Server not being in the “exchange servers” AD group, in this specific instance this can be caused because the discovery mailbox missing the HomeMDB and HomeMTA attributes.

Here is how to manually add them back

  1. Start –> Run –> ADSIEDIT.MSC (should already know this since you used it to remove the MBX)
  2. Default Naming Context –> “DC=Domain, DC=Local” –> CN=Users –> CN=DiscoverySearchMailbox {}
  3. image
  4. Right Click –> Properties
  5. Find HomeMDB and HomeMTA this needs to be populated with the DN of the server and Database.image

Also to recreate the arbitration mailbox use new-mailbox commandlet with the –arbitration parameter