
Okay so...this all started during our Office 365 setup. According to Microsoft, you have to delete your on-premises federation trust from Exchange, verify the domain, then add it back...otherwise you get an obscure error message when validating the domain name.

So I did this...except now the federation trust is broken. I get the following message from "Test-FederationTrust -Verbose":

VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Token Issuer Uri from Federation Metadata:
urn:federation:MicrosoftOnline.
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Token Issuer Certificate from Federation Metadata:
<snip>.
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Token Issuer Previous Certificate from Federation
Metadata: <snip>.
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Token Issuer End Point from Federation Metadata:
https://login.microsoftonline.com/extSTS.srf.
VERBOSE: [19:43:14.005 GMT] Test-FederationTrust : Retrieved Web Requestor Redirect End Point from Federation Metadata:
 https://login.microsoftonline.com/login.srf.
VERBOSE: [19:43:14.912 GMT] Test-FederationTrust : Failed to request delegation token. Reason:
<S:Fault xmlns:S="http://www.w3.org/2003/05/soap-envelope">
  <S:Code>
    <S:Value>S:Sender</S:Value>
    <S:Subcode><S:Value>wst:FailedAuthentication</S:Value></S:Subcode>
  </S:Code>
  <S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason>
  <S:Detail>
    <psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
      <psf:value>0x80048821</psf:value>
      <psf:internalerror>
        <psf:code>0x80041012</psf:code>
        <psf:text>The entered and stored passwords do not match.</psf:text>
      </psf:internalerror>
    </psf:error>
  </S:Detail>
</S:Fault>
Microsoft.Exchange.Net.WSTrust.SoapFaultException: Soap fault exception received.
   at Microsoft.Exchange.Net.WSTrust.SoapClient.Invoke(IEnumerable`1 headers, XmlElement bodyContent)
   at Microsoft.Exchange.Net.WSTrust.SecurityTokenService.IssueToken(DelegationTokenRequest request)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.TestFederationTrust.GetDelegationToken(ADUser user, Uri
target, SecurityTokenService securityTokenService)

What the heck does this mean? There are no passwords in a federated trust! I've attempted to recreate the trust multiple times to no avail. I also attempted to re-use the certificate the trust was working with before, but that wasn't working either.

This also breaks the organizational relationships with the same message. I've asked our MSP and they have no idea what's wrong. Before I drop the money on a support ticket with Microsoft themselves... has anyone seen this error message before?

I have also posted my Get-FederationTrust output below (scrubbed for security purposes, obviously):

RunspaceId                   : 5de750d3-a3c9-4502-a108-8b1f12d77fda
ApplicationIdentifier        : 000000004804FA68
ApplicationUri               : mydomain.com
OrgCertificate               : [Subject]
                                 CN=Federation

                               [Issuer]
                                 CN=Federation

                               [Serial Number]
                                 <snip>

                               [Not Before]
                                 10/27/2017 11:58:27 AM

                               [Not After]
                                 10/27/2022 11:58:27 AM

                               [Thumbprint]
                                 <snip>

OrgNextCertificate           :
OrgPrevCertificate           :
OrgPrivCertificate           : <snip>
OrgNextPrivCertificate       :
OrgPrevPrivCertificate       :
TokenIssuerCertificate       : [Subject]
                                 CN=Live ID STS Signing Public Key

                               [Issuer]
                                 CN=Live ID STS Signing Public Key

                               [Serial Number]
                                 <snip>

                               [Not Before]
                                 12/6/2016 5:06:29 PM

                               [Not After]
                                 12/5/2021 5:06:29 PM

                               [Thumbprint]
                                 <snip>

TokenIssuerPrevCertificate   : [Subject]
                                 CN=Live ID STS Signing Public Key

                               [Issuer]
                                 CN=Live ID STS Signing Public Key

                               [Serial Number]
                                 <snip>

                               [Not Before]
                                 7/18/2014 3:53:40 PM

                               [Not After]
                                 7/17/2019 3:53:40 PM

                               [Thumbprint]
                                 <snip>

PolicyReferenceUri           : EX_MBI_FED_SSL
TokenIssuerMetadataEpr       : https://nexus.microsoftonline-p.com/FederationMetadata/2006-12/FederationMetadata.xml
MetadataPollInterval         : 1.00:00:00
TokenIssuerType              : LiveId
TokenIssuerUri               : urn:federation:MicrosoftOnline
TokenIssuerEpr               : https://login.microsoftonline.com/extSTS.srf
WebRequestorRedirectEpr      : https://login.microsoftonline.com/login.srf
MetadataEpr                  :
MetadataPutEpr               :
TokenIssuerCertReference     : stscer
TokenIssuerPrevCertReference : stsbcer
NamespaceProvisioner         : LiveDomainServices2
AdminDisplayName             :
ExchangeVersion              : 0.10 (14.0.100.0)
Name                         : Microsoft Federation Gateway
DistinguishedName            : CN=Microsoft Federation Gateway,CN=Federation Trusts,CN=<my CN>,CN=Mi
                               crosoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com
Identity                     : Microsoft Federation Gateway
Guid                         : fa98ab67-228f-4b8a-9f94-69b1d1609ec9
ObjectCategory               : Divcom.com/Configuration/Schema/ms-Exch-Fed-Trust
ObjectClass                  : {top, msExchFedTrust}
WhenChanged                  : 10/27/2017 12:13:31 PM
WhenCreated                  : 10/27/2017 11:58:29 AM
WhenChangedUTC               : 10/27/2017 4:13:31 PM
WhenCreatedUTC               : 10/27/2017 3:58:29 PM
OrganizationId               :
OriginatingServer            : dc.mydomain.com
IsValid                      : True
    "According to Microsoft, you have to delete your On-Premises federation trust from Exchange, verify the domain, then add it back." I've done three hybrid coexistence migrations and I've never done this. I suspect that was somehow a misunderstanding or mistake. Hopefully you can mitigate it. Your Office 365 subscription includes support. There's a chance they won't support problems that seem to be with on-prem Exchange but it's worth a shot. At least you can verify how the federation should be set up. – Todd Wilcox Nov 01 '17 at 13:35
  • Perhaps, but I was unable to verify my domain with O365 (it threw a generic "an error occurred, try again later"), and I was told by Microsoft support to drop the federation trust to make it work, which it did. – Nathan C Nov 01 '17 at 13:45
  • Interesting. Perhaps you can re-open that ticket to have them help you address the fallout? – Todd Wilcox Nov 01 '17 at 13:51
  • Nope, they won't let me. I also can't file again using the Azure support because they don't deal with Exchange issues. My only choice is to file a tech support ticket directly with Microsoft (at a cool $499) so I'm hoping someone somewhere has seen this before. – Nathan C Nov 01 '17 at 14:05
  • @ToddWilcox I can confirm a federation trust can prevent O365 verification, as I spent a week with O365 support when [one blocked my domain verification](https://serverfault.com/q/866961/17708). Not sure why it's only needed in some cases though (of course, not everyone will have created one...). For me, it was an old trust that never actually got used, so I didn't have to re-add it afterwards and haven't seen that side of the issue. I wish you luck on this, Nathan C. Positive thoughts. – Joshua McKinnon Nov 02 '17 at 05:05
  • One thing I will note is that in my Exchange 2010 hybrid, one of the directions of free/busy information did not work initially, and after hours of head-banging, a restart of the server during maintenance fixed the free/busy, which I think was federation related. [This link](https://vanhybrid.com/2014/01/12/freebusy-in-a-hybrid-environment-fail-and-test-federationtrust-returns-error-failed-to-validate-delegation-token/) mentions a similar Test-FederationTrust error to yours and offers something to try; you've probably already seen it, but worth a shot in the dark? Good luck again, either way. – Joshua McKinnon Nov 02 '17 at 05:17
  • Yeah, unfortunately I've tried that already. I pretty much exhausted my Google searching :( – Nathan C Nov 02 '17 at 12:53
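The fault Test-FederationTrust prints above is a WS-Trust SOAP fault wrapped at the console width, which makes the useful fields (the wst: subcode, the STS error value and the internal code/text) easy to misread. The parser below is an added example, not code from the original question or from Exchange; it takes the fault XML from the question (with the console line wraps re-joined) and maps the subcode to its WS-Trust 1.3 definition so a triage note can be written from the structured fields rather than the raw XML.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://www.w3.org/2003/05/soap-envelope}"
PSF = "{http://schemas.microsoft.com/Passport/SoapServices/SOAPFault}"

# Fault subcodes defined by WS-Trust 1.3 (section 12) and their spec wording.
WST_SUBCODES = {
    "InvalidRequest": "The request was invalid or malformed",
    "FailedAuthentication": "Authentication failed",
    "RequestFailed": "The specified request failed",
    "InvalidSecurityToken": "Security token has been revoked",
    "AuthenticationBadElements": "Insufficient digest elements",
    "BadRequest": "The specified RequestSecurityToken is not understood",
    "ExpiredData": "The request data is out-of-date",
    "InvalidTimeRange": "The requested time range is invalid or unsupported",
    "InvalidScope": "The request scope is invalid or unsupported",
    "RenewNeeded": "A renewable security token has expired",
    "UnableToRenew": "The requested renewal failed",
}

# Sample input constructed from the fault quoted in the question, with the
# console line wraps re-joined so the tag names are whole again.
SAMPLE_FAULT = (
    '<S:Fault xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Code>'
    '<S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:FailedAuthentication'
    '</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">'
    'Authentication Failure</S:Text></S:Reason><S:Detail><psf:error '
    'xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">'
    '<psf:value>0x80048821</psf:value><psf:internalerror><psf:code>0x80041012'
    '</psf:code><psf:text>The entered and stored passwords do not match.\n'
    '</psf:text></psf:internalerror></psf:error></S:Detail></S:Fault>'
)


def _text(elem, path):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else ""


def parse_soap_fault(fault_xml):
    """Return the code, subcode, reason and Passport (psf) error fields of an S:Fault."""
    root = ET.fromstring(fault_xml)
    if root.tag != SOAP + "Fault":
        raise ValueError("expected an S:Fault element, got %s" % root.tag)
    err = SOAP + "Detail/" + PSF + "error/"
    return {
        "code": _text(root, SOAP + "Code/" + SOAP + "Value"),
        "subcode": _text(root, SOAP + "Code/" + SOAP + "Subcode/" + SOAP + "Value"),
        "reason": _text(root, SOAP + "Reason/" + SOAP + "Text"),
        "psf_value": _text(root, err + PSF + "value"),
        "internal_code": _text(root, err + PSF + "internalerror/" + PSF + "code"),
        "internal_text": _text(root, err + PSF + "internalerror/" + PSF + "text"),
    }


def describe_subcode(subcode):
    """Map 'wst:FailedAuthentication' to its WS-Trust 1.3 description."""
    return WST_SUBCODES.get(subcode.split(":", 1)[-1], "unrecognised subcode " + subcode)
```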

1 Answer


This ended up resolving on its own since the other side of the trust also switched to O365. Not the answer I was hoping to get, but this is no longer relevant.
