Getting an error when setting up a federation trust in Exchange 2010?
Then you’re not alone. Although I have set up a couple of Exchange 2010 federation trusts without issues, for some reason (explained later) I got this error in a specific customer environment of mine:
As you can see from the above screenshot, the request failed with an HTTP status 403: Forbidden. The warning message explains that this is because the Windows Live metadata document is expired, and the certificate is therefore ignored. So what the hell does that mean?
Well, the explanation for this error was simple. It turned out that the certificate I used was from a third-party CA that wasn’t on the list of CAs approved by the Microsoft Federation Gateway (MFG) service. You can find the list of supported CAs at this link: http://msdn.microsoft.com/en-us/library/cc287610.aspx
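Before running New-FederationTrust it is worth checking which root CA actually anchors the certificate you intend to use. The following PowerShell is an added example (not from the original post or from Microsoft); it assumes it runs in an elevated shell on the Exchange server, that the certificate sits in the LocalMachine\My store, and that you replace the placeholder list with the CA names from the MSDN page linked above.

```powershell
# Added example: report the root CA of a candidate federation certificate and
# flag it when the root is not on your copy of the MFG-approved CA list.
function Test-FederationCertRoot {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        # Constructed placeholders; fill in the issuer CNs from the MSDN list.
        [string[]]$ApprovedRootCNs = @('<APPROVED-ROOT-CA-1>', '<APPROVED-ROOT-CA-2>')
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # Build the chain with the machine's trust store; revocation is skipped here
    # because the question is only "which root does this chain end in?"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    # The last chain element is the anchor that was found (self-signed if a real root).
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootCN = if ($root.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { $root.Subject }

    $onList = $ApprovedRootCNs -contains $rootCN
    if (-not $onList) {
        Write-Warning "Root CA '$rootCN' is not on the approved list; New-FederationTrust will likely be refused (HTTP 403)."
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        ChainBuilt     = $built
        RootCA         = $rootCN
        RootSelfSigned = ($root.Subject -eq $root.Issuer)
        OnApprovedList = $onList
    }
}

# Usage (thumbprint is a placeholder): Test-FederationCertRoot -Thumbprint '<THUMBPRINT>'
```

If ChainBuilt is false or RootSelfSigned is false, the server cannot even complete the chain locally, which is a separate problem from the CA not being approved.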
Thanks to Andrew Ehrensing from MCS for getting me on the right track in regards to this issue.
Cheers,
Henrik Walther
Technology Architect/Writer
MCM: Exchange 2007 | MVP: Exchange Architecture
MCITP: EMA + EA | MCSE: M + S | TechNet Influent


Hans Willi Kremer Says:
July 5th, 2010 at 2:08 am
Thanks for this explanation. But it is unbelievable that so few CAs are accepted by Microsoft.
We have a special UC cert by COMODO and tried to install Federation. No chance. So we should stop using Federation as a solution?
Henrik Walther Says:
July 5th, 2010 at 3:35 am
Hi Hans,
IIRC SP1 will allow an org to use a self-signed cert….