Jonathan Raper
Exchange 2013 / Office 365 BPA calling out issue with federation certificate
My google-fu is coming up short today.
I have 2 Exchange 2007 in coexistence with 2 Exchange 2013 servers, which are in turn configured for hybrid mode with O365. I have run the Hybrid configuration wizard, and it seems to have passed. The sole purpose of the 2013 servers is to facilitate the hybrid connection to Office 365 so that we can migrate our mailboxes from 2007 to O365.
For authentication to O365, we are using ADFS built on Server 2012 R2 (essentially ADFS 3.0). ADFS works beautifully.
I was preparing to migrate my first mailbox, and decided to run the BPA one last time, and got this message:
"Exchange Server: Office 365 hybrid configuration - Validate the certificate 'EX001.CONTOSO.CORP\THUMBPRINT' is proper in place for federation and mail flow"
"The server EX001 is configured for Office 365 hybrid, but the certificate 'EX001.CONTOSO.CORP\THUMBPRINT' is not proper in place for federation and mail flow for Office 365 hybrid configuration. Expected status: get-exchangecertificate to see it should be third party, have a private key, and have the SMTP service associated with. Actual status: IsSelfSigned = True, HasPrivateKey = True, Service = SMTP,Federation. Learn more."
My question - is this just simply looking for the third party certificate that I have installed for IMAP, POP, IIS, & SMTP to be assigned for Federation, or is it looking for a different certificate? In the EAC, you cannot assign this service, so I am assuming it has to be enabled in the Exchange Management Shell?
Puzzled...
Thanks,
Jonathan
SOLUTION
That's for establishing the trust with the MFG. Not the same thing :)
ASKER
Thanks for the clarification....
Do you have any suggestions as to what I need to do?
Get a valid 3rd party certificate :)
You can get one for free from sites like StartSSL or Comodo, but they come with certain limitations.
ASKER
I have a third party certificate.... IIS, SMTP, POP, and IMAP are all associated with it.
You should have one, otherwise I don't see how you have completed the HCW in the first place. Is it assigned to all CAS servers though? Do you have any Edge servers and have you assigned the certificate there as well?
ASKER
I only have 4 Exchange servers:
two running 2007 (in two separate sites with roughly half of my mailboxes on one server, and half on the other server)
two running 2013 (in the same site as one of the 2007 servers, that are purely for use as CAS and Hybrid migration servers)
I do not have any edge servers.
The third party certificate is assigned to all 4 servers, and all services (except federation, obviously) are associated with the third party certificate.
Can you post the sanitized result of Get-ExchangeCertificate?
ASKER
[PS] C:\>Get-ExchangeCertificate
Thumbprint Services Subject
---------- -------- -------
08A3A*******1FF6 IP.WS.. CN=mail.contoso.com, OU=Domain Control Validated <-- This is my third party cert
C634F*******0687 ...WS.. CN=EX001
5E922*******34C7 ....... CN=WMSvc-EX001
C684C*******B4E2 ....SF. CN=Federation
60D97*******1B25 ....S.. CN=Microsoft Exchange Server Auth Certificate
[PS] C:\>
Post the actual properties ( | fl)
ASKER
I have not been active due to the Easter holiday. Please do not close this question.
Jonathan
ASKER CERTIFIED SOLUTION
ASKER
Assigning points due to effort. Thanks for the assistance!
ASKER
To top it off, I just stumbled across this TechNet article which explicitly states that the certificate for federation is self-signed!
Certificate requirements for hybrid deployments
Specifically:
"The on-premises federated trust configured as part of federated sharing in a hybrid deployment uses a self-signed certificate by default. Unless you have specific requirements, there's no need to use a third-party certificate with the federation trust configured as part of a hybrid deployment."
just a little frustrated....
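As an added example (not from this thread, the asker, or Microsoft), the following Exchange Management Shell check reproduces the three criteria the BPA rule names (third party, private key present, SMTP bound) against every certificate Get-ExchangeCertificate returns, and separately marks the self-signed Federation certificate that the TechNet article above describes. It assumes an Exchange Management Shell session; 'EX001' is the thread's placeholder server name.

```powershell
# Added example: report each Exchange certificate against the BPA rule's criteria.
# Uses only properties that Get-ExchangeCertificate actually exposes
# (Thumbprint, Subject, Services, IsSelfSigned, HasPrivateKey, NotAfter).
function Test-HybridCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server   # placeholder: 'EX001' in the thread
    )

    $certs = Get-ExchangeCertificate -Server $Server

    foreach ($cert in $certs) {
        # Services is a flags enum; its string form looks like "SMTP, Federation".
        $services = $cert.Services.ToString() -split ',\s*'

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            IsSelfSigned     = $cert.IsSelfSigned
            HasPrivateKey    = $cert.HasPrivateKey
            Services         = $cert.Services
            Expires          = $cert.NotAfter
            # Mail-flow certificate as the BPA rule expects it:
            # not self-signed, private key present, SMTP service bound.
            OkForMailFlow    = (-not $cert.IsSelfSigned) -and
                               $cert.HasPrivateKey -and
                               ($services -contains 'SMTP')
            # The federation trust certificate is self-signed by default
            # (per the TechNet article quoted in the thread), so it is listed
            # separately rather than counted as a mail-flow failure.
            IsFederationCert = ($services -contains 'Federation')
        }
    }
}

# Usage: list every certificate, then confirm at least one is fit for SMTP mail flow.
$report = Test-HybridCertificate -Server 'EX001'
$report | Format-Table Thumbprint, Subject, IsSelfSigned, HasPrivateKey, Services,
                       OkForMailFlow, IsFederationCert -AutoSize

if (-not ($report | Where-Object OkForMailFlow)) {
    Write-Warning "No third-party certificate with a private key is bound to SMTP on EX001."
}
```

In the thread's own listing, the mail.contoso.com certificate (services IP.WS..) would report OkForMailFlow = True, while the CN=Federation certificate (....SF.) reports IsFederationCert = True and OkForMailFlow = False because it is self-signed, which is the combination the BPA message is describing.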