
🔍 Federation Certificate Renewal in Exchange: When It’s Not Just About the Certificate

🏗 Customer Scenario

Organization Fabrikam uses the Exchange federation to share free/busy availability information with partner Contoso. Recently, the federation certificate expired.

Attempting to renew with:

Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate

returned:

An unexpected result was received from Windows Live. Detailed information: “1007 AccessDenied: Access Denied.”

In this case, simply renewing the certificate was not enough — the federation trust had to be recreated.

✅ Two Options for Renewal

Both approaches are documented in 🔗 Microsoft’s guide:

  • Option 1: Replace the certificate in the existing trust
    Generate a new certificate and associate it with the current federation trust.
    ✅ Preferred if the metadata is still consistent and the trust itself is valid.
  • Option 2: Create a new federation trust
    Required if metadata is corrupted, or the federation trust has lost integrity.
    🔍 This was necessary in Fabrikam’s case.

❗ Issue After Renewal

The certificate was updated successfully, but free/busy information from Fabrikam was still not visible in Contoso.

Diagnostics:

  • Test-FederationTrust – Passed on both sides.
  • Test-OrganizationRelationship -Identity CONTOSO -UserIdentity user@fabrikam.com – No errors.

⚠ Note: Test-OrganizationRelationship is a synthetic test and may not fully reflect the real user experience.
Example error from practice:

Description: The remote TargetSharingEpr URI ‘https://mail.contoso.com/EWS/Exchange.asmx’ doesn’t match an external URI of any local Client Access servers.

Root cause: a manually entered TargetSharingEpr that differed from the published URL only in case (EWS vs ews). Correcting the value removed the error, although free/busy sharing had been working before the change.

🔍 Troubleshooting Steps

  1. Client-side traces (captured with Fiddler or another utility of your choice) showed:

Proxy web request failed. Inner exception: An error occurred when verifying security for the message.

Response Code: ErrorProxyRequestProcessingFailed

This typically points to federation trust metadata issues (see 🔗 Microsoft KB).

Get-FederationTrust | Set-FederationTrust -RefreshMetadata

No improvement.

✅ Tip: Run this on all Exchange servers. The metadata refresh is initiated from the server where the command runs, so errors may surface only when it is executed from the problematic server.

  2. Solution:
    On Contoso servers, restarted the EWS application pool:

Restart-WebAppPool MSExchangeServicesAppPool

(Requires elevated PowerShell or IIS Manager.)

⚠ Brief outage for EWS clients during the restart (including Outlook for Mac).

This resolved the issue.
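The checks above (certificate expiry, the case-only TargetSharingEpr mismatch, refreshing metadata from every server, and the app-pool restart) chained into one diagnostic script, as an added example rather than code from the original post. It assumes an Exchange Management Shell session with rights to open remote shell sessions on each Exchange server; the relationship name, test mailbox and partner EWS URL are constructed placeholders.

```powershell
# Added example (not from the original post). Placeholder values below are constructed.
$relationshipName   = 'CONTOSO'
$testMailbox        = 'user@fabrikam.com'
$expectedPartnerEws = 'https://mail.contoso.com/ews/exchange.asmx'  # URL as published by the partner
$restartEwsPool     = $false   # set to $true to apply the fix from the post (brief EWS outage)

# 1. Certificate expiry: warn early so renewal is planned rather than forced by an outage.
$trust = Get-FederationTrust
$cert  = Get-ExchangeCertificate -Thumbprint $trust.OrgCertificate.Thumbprint
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Federation certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

# 2. TargetSharingEpr: a value that differs from the partner's URL only in case is the
#    mismatch behind the Test-OrganizationRelationship error quoted above.
$rel = Get-OrganizationRelationship -Identity $relationshipName
$epr = [string]$rel.TargetSharingEpr
if ($epr -ine $expectedPartnerEws) {
    Write-Warning "TargetSharingEpr '$epr' does not match '$expectedPartnerEws'"
} elseif ($epr -cne $expectedPartnerEws) {
    Write-Warning "TargetSharingEpr '$epr' differs only in case; correcting it"
    Set-OrganizationRelationship -Identity $relationshipName -TargetSharingEpr $expectedPartnerEws
}

# 3. Refresh federation metadata from every server: the refresh starts on the server that
#    runs it, so a problematic server may be the only one that reports an error.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notlike '*Edge*' }
foreach ($server in $servers) {
    $session = $null
    try {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -Authentication Kerberos `
            -ConnectionUri "http://$($server.Fqdn)/PowerShell/" -ErrorAction Stop
        Invoke-Command -Session $session -ScriptBlock {
            Get-FederationTrust | Set-FederationTrust -RefreshMetadata -ErrorAction Stop
        }
        Write-Host "Metadata refresh succeeded on $($server.Name)"
    } catch {
        Write-Warning "Metadata refresh failed on $($server.Name): $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-PSSession $session }
    }
}

# 4. The fix from the post: recycle the EWS application pool on each server.
if ($restartEwsPool) {
    Invoke-Command -ComputerName $servers.Fqdn -ScriptBlock {
        Import-Module WebAdministration
        Restart-WebAppPool -Name 'MSExchangeServicesAppPool'
    }
}

# 5. Re-run the synthetic test; it can still pass while real users see no free/busy data.
Test-OrganizationRelationship -Identity $relationshipName -UserIdentity $testMailbox
```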

🧩 Lessons Learned

  • Federation troubleshooting often extends beyond certificates.
  • Documenting the renewal steps together with organization-specific caveats is critical.
    • Example: the Microsoft docs don’t mention restarting the EWS application pools, yet in practice this can be essential.
  • Maintaining an internal KB with historical issues can save hours during the next renewal cycle.

✅ Recommended Resources

The end.
