Feedback & Support Discussions

Level 2 Contributor

Exchange 2013 Federation certificates Invalid

Dear Support,

We have 3 CAS servers and 3 Mailbox servers. Recently we observed that our Federation certificate is showing as invalid, so I tried to renew it, but it gives the error "A special Rpc error occurs on server MBX01: Federation certificates can only be managed through the FederationTrust tasks." and afterwards multiple federation certificates were created automatically.

So I tried to create a federation certificate from PowerShell. After creating the certificate, when I ran "Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint 6A99CED2E4F2B5BE96C5D17D662D217EF58B8F73 -RefreshMetaData" I got this error:

Cannot update certificate until the federation trust is provisioned with STS.
    + CategoryInfo          : InvalidArgument: (:) [Set-FederationTrust], CannotUpdateCer...sionedException
    + FullyQualifiedErrorId : [Server=MBX01 ,RequestId=356565-af56-44f8-8cee-24f8b30c8729,TimeStamp=7/28/2019 7:27:
   35 AM] [FailureCategory=Cmdlet-CannotUpdateCertificateWhenFederationNotProvisionedException] D49A39F8,Microsoft.Ex
    + PSComputerName        : cas1.xyz.com



Please advise. Your prompt reply will be highly appreciated.


Visitor 1

Hi, I am having the same problem too so have you solved it yet?

Level 2 Contributor


You can delete the federation certificate from ADSI Edit and create it again.

Level 4 Contributor

To fix this issue, update the Active Directory object for the federation trust by adding the thumbprint for the next federation certificate to the object. This lets the Manage Federation Wizard or the Set-FederationTrust cmdlet successfully process the rollover request.

To do this, follow these steps:
1. Log on to the Exchange 2010 hybrid deployment server as a domain admin.
2. Open Active Directory Service Interfaces (ADSI) Edit. To do this, click Start, click Run, type ADSIEdit.msc, and then click OK.
3. After the ADSI Edit window is loaded, right-click ADSI Edit in the navigation pane, and then click Connect To.
4. In the Connection Settings window, click Select a well known Naming Context in the Connection Point area, and then click Configuration.
5. In the Computer area, select Default (Domain or server that you are logged into), and then click OK.
6. Locate CN=Configuration, DC=<DOMAIN>, DC=<COM>, CN=Services, CN=Microsoft Exchange, CN=<ORGANIZATION NAME>, CN=Federation Trusts.

   Note: Replace the values in the placeholders (< >) with the values that are specific to your environment.
7. Right-click CN=Microsoft Federation Gateway, and then click Properties.
8. Double-click the msExchFedOrgNextCertificate property, and then copy the whole value.

   Note: This value might be populated only if you experience the issue that's described in the "Symptoms" section. If the value isn't populated, you can't continue with the remaining steps.
9. Close the msExchFedOrgNextCertificate property.
10. Double-click the msExchFedOrgPrivCertificate property, and then paste the value that you copied in step 8. The thumbnail of the current certificate will be replaced with the thumbnail of the next certificate.
11. Click OK to set the value.
12. Manually force Active Directory replication. Or, wait for the change to replicate throughout your Active Directory infrastructure.

    Note: For more information about how to force Active Directory replication, go to the following TechNet website:
    Force replication over a connection
13. In the Exchange Management Console, run the Manage Federation Wizard again. The current certificate and the next certificate should be the same.
14. Select the Roll certificate to make the next certificate as the current certificate check box, and then complete the steps in the wizard.
15. Test the configuration by using the Test-Federation cmdlet. The results should show that the validation of the federation certificate was successful.
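
Added example, not part of the answer above or of any Microsoft guidance: a read-only PowerShell pre-check that reads the two attributes named in the steps, saves their current values so the manual ADSI Edit change can be reverted, and reports whether the procedure can continue. It assumes the ActiveDirectory (RSAT) module is installed; the helper function name and the backup file path are hypothetical.

```powershell
# Read-only pre-check for the ADSI Edit procedure; nothing is written to Active Directory.
Import-Module ActiveDirectory

$attrs    = 'msExchFedOrgNextCertificate', 'msExchFedOrgPrivCertificate'
$configNC = (Get-ADRootDSE).configurationNamingContext

# Find the trust object under CN=Federation Trusts in the configuration partition.
$trust = Get-ADObject -SearchBase "CN=Services,$configNC" `
             -Filter "Name -eq 'Microsoft Federation Gateway'" -Properties $attrs |
         Where-Object { $_.DistinguishedName -like '*,CN=Federation Trusts,*' }

if (-not $trust)           { throw 'Federation trust object not found.' }
if (@($trust).Count -gt 1) { throw 'More than one matching object; check manually.' }

# Hypothetical helper: normalise a value for comparison, whether it is a string or bytes.
function ConvertTo-Comparable($value) {
    if ($null -eq $value)    { return '' }
    if ($value -is [byte[]]) { return [BitConverter]::ToString($value) }
    return (@($value) -join ';').Trim()
}

$next = ConvertTo-Comparable $trust.msExchFedOrgNextCertificate
$priv = ConvertTo-Comparable $trust.msExchFedOrgPrivCertificate

# Save the current values before editing (hypothetical path). The file holds the
# certificate attribute values, so keep it somewhere access-controlled.
$backup = Join-Path $env:TEMP ('FedTrust-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
$trust | Select-Object -Property (@('DistinguishedName') + $attrs) |
    Export-Clixml -Path $backup

if (-not $next) {
    $status = 'Next certificate value is empty: the remaining steps cannot be used.'
} elseif ($next -eq $priv) {
    $status = 'Next and current values already match: continue with the wizard step.'
} else {
    $status = 'Values differ: the copy from Next to Priv has not been done yet.'
}

[pscustomobject]@{
    DistinguishedName = $trust.DistinguishedName
    NextPopulated     = [bool]$next
    ValuesMatch       = ($next -and ($next -eq $priv))
    Backup            = $backup
    Status            = $status
}
```

Running it again after the edit and replication, on a different domain controller, confirms the change has propagated before the wizard is re-run.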

Community Manager

Hello @slickric,


Alternatively you might find answers and guidance on the Tech Community, on this thread: https://techcommunity.microsoft.com/t5/exchange/replace-an-expired-federation-certificate/m-p/901238


Hope this helps,