Exchange 2013 / Office 365 BPA calling out issue with federation certificate

My google-fu is coming up short today.

I have 2 Exchange 2007 in coexistence with 2 Exchange 2013 servers, which are in turn configured for hybrid mode with O365. I have run the Hybrid configuration wizard, and it seems to have passed. The sole purpose of the 2013 servers is to facilitate the hybrid connection to Office 365 so that we can migrate our mailboxes from 2007 to O365.

For authentication to O365, we are using ADFS built on Server 2012 R2 (essentially ADFS 3.0). ADFS works beautifully.

I was preparing to migrate my first mailbox, and decided to run the BPA one last time, and got this message:

"Exchange Server: Office 365 hybrid configuration - Validate the certificate 'EX001.CONTOSO.CORP\THUMBPRINT' is proper in place for federation and mail flow"
"The server EX001 is configured for Office 365 hybrid, but the certificate 'EX001.CONTOSO.CORP\THUMBPRINT' is not proper in place for federation and mail flow for Office 365 hybrid configuration. Expected status: get-exchangecertificate to see it should be third party, have a private key, and have the SMTP service associated with. Actual status: IsSelfSigned = True, HasPrivateKey = True, Service = SMTP,Federation. Learn more."

My question - is this just simply looking for the third party certificate that I have installed for IMAP, POP, IIS, & SMTP to be assigned for Federation, or is it looking for a different certificate? In the EAC, you cannot assign this service, so I am assuming it has to be enabled in the Exchange Management Shell?



Asked by JonathanSpitfire (Senior Solutions Engineer)

Vasil Michev (MVP) commented:
You need a valid 3rd party certificate for Hybrid. But then again, you wouldn't have made it past the HCW if you didn't have one in place. The BPA might simply be 'detecting' the wrong one I guess :)

Try the Exchange Hybrid troubleshooter:
JonathanSpitfire (Senior Solutions Engineer, author) commented:
Thanks Vasil - the Exchange Troubleshooter gives me the exact same error message....and the exact same URL.... :-(

To top it off, I just stumbled across this technet article which explicitly states that the certificate for federation is self signed!

Certificate requirements for hybrid deployments

"The on-premises federated trust configured as part of federated sharing in a hybrid deployment uses a self-signed certificate by default. Unless you have specific requirements, there's no need to use a third-party certificate with the federation trust configured as part of a hybrid deployment."

just a little frustrated....
Vasil Michev (MVP) commented:
That's for establishing the trust with the MFG. Not the same thing :)

JonathanSpitfire (Senior Solutions Engineer, author) commented:
Thanks for the clarification....

Do you have any suggestions as to what I need to do?
Vasil Michev (MVP) commented:
Get a valid 3rd party certificate :)
You can get one for free from sites like StartSSL or Comodo, but they come with certain limitations.
JonathanSpitfire (Senior Solutions Engineer, author) commented:
I have a third party certificate.... IIS, SMTP, POP, and IMAP are all associated with it.
Vasil Michev (MVP) commented:
You should have one, otherwise I don't see how you have completed the HCW in the first place. Is it assigned to all CAS servers though? Do you have any Edge servers and have you assigned the certificate there as well?
JonathanSpitfire (Senior Solutions Engineer, author) commented:
I only have 4 Exchange servers:

two running 2007 (in two separate sites with roughly half of my mailboxes on one server, and half on the other server)
two running 2013 (in the same site as one of the 2007 servers, that are purely for use as CAS and Hybrid migration servers)

I do not have any edge servers.

The third party certificate is assigned to all 4 servers, and all services (except federation, obviously) are associated with the third party certificate.
Vasil Michev (MVP) commented:
Can you post the sanitized result of Get-ExchangeCertificate?
JonathanSpitfire (Senior Solutions Engineer, author) commented:
[PS] C:\>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
08A3A*******1FF6  IP.WS.., OU=Domain Control Validated  <-- This is my third party cert
C634F*******0687  ...WS..    CN=EX001
5E922*******34C7  .......    CN=WMSvc-EX001
C684C*******B4E2  ....SF.    CN=Federation
60D97*******1B25  ....S..    CN=Microsoft Exchange Server Auth Certificate

[PS] C:\>
Vasil Michev (MVP) commented:
Post the actual properties ( | fl)
JonathanSpitfire (Senior Solutions Engineer, author) commented:
I have not been active due to the Easter holiday. Please do not close this question.

JonathanSpitfire (Senior Solutions Engineer, author) commented:
I had several other things come up with my hybrid configuration, and so I ended up opening a case with Microsoft. I ended up getting Tim McMichael right off the bat, and he answered all of my questions, including this one.

The bottom line is that my server appears to be configured correctly, and the certificates appear to be correct. The cert SHOULD in fact be self-signed. We believe that the failure called out by the BPA is false (the BPA is STILL in beta, anyway). He double checked against two hybrid labs he had at his disposal, so we're confident this is just a fluke in the BPA.

so there ya go.

Thanks for the assistance.
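An added check (example code, not from the thread or from Microsoft) that reproduces the BPA's three stated conditions by hand in the Exchange Management Shell, and reports the Federation certificate separately, since the TechNet text quoted above says that one is self-signed by default. It assumes Get-ExchangeCertificate is available on the hybrid 2013 server; note that in the listing posted above the CN=Federation certificate also carries the SMTP service (the 'S' in its Services column), so a plain "which certificate has SMTP" search can return it alongside the third party certificate.

```powershell
# Added example (not from the thread): re-run the BPA's hybrid certificate
# check by hand, treating the Federation certificate as a separate case in
# which self-signed is the expected state.
# Assumes Get-ExchangeCertificate is available (Exchange Management Shell).

$now   = Get-Date
$certs = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, Services, IsSelfSigned, HasPrivateKey, NotAfter

# Evaluate one certificate against the BPA's stated expectation for mail flow:
# third party (not self-signed), has a private key, SMTP service assigned.
function Test-HybridMailFlowCert {
    param([Parameter(Mandatory)] $Cert)
    $problems = @()
    if ($Cert.IsSelfSigned)              { $problems += 'self-signed' }
    if (-not $Cert.HasPrivateKey)        { $problems += 'no private key' }
    if ($Cert.Services -notmatch 'SMTP') { $problems += 'SMTP not assigned' }
    if ($Cert.NotAfter -lt $now)         { $problems += "expired $($Cert.NotAfter.ToShortDateString())" }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Services   = $Cert.Services.ToString()
        Status     = if ($problems) { 'FAIL: ' + ($problems -join ', ') } else { 'OK' }
    }
}

# 1. Every certificate with the SMTP service assigned. A self-signed row here
#    only matters if it is the certificate you intend to use for hybrid mail
#    flow; at least one row should be OK (the third party certificate).
Write-Host "Certificates with the SMTP service assigned:"
$certs | Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object { Test-HybridMailFlowCert -Cert $_ } | Format-Table -AutoSize

# 2. The federation certificate. Per the hybrid certificate requirements it is
#    self-signed by default, so self-signed is expected; only a missing private
#    key or expiry is worth acting on.
$fed = $certs | Where-Object { $_.Services -match 'Federation' }
foreach ($c in $fed) {
    $note = if ($c.IsSelfSigned) { 'self-signed (expected for the federation trust)' }
            else                 { 'third party (only needed for a specific requirement)' }
    if (-not $c.HasPrivateKey) { $note += '; MISSING PRIVATE KEY' }
    if ($c.NotAfter -lt $now)  { $note += '; EXPIRED' }
    Write-Host ("Federation certificate {0} ({1}): {2}" -f $c.Thumbprint, $c.Subject, $note)
}
```

Run it on each hybrid server; an OK row for the third party certificate in part 1 together with an "expected" line in part 2 is the state the thread ends on, regardless of what the beta BPA reports.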


JonathanSpitfire (Senior Solutions Engineer, author) commented:
Assigning points due to effort. Thanks for the assistance!