daknetworks.com

You are here: Blog Federation Trust in Exchange

Federation Trust in Exchange

Wednesday, 08 August 2018 14:53

Setup

1-First setup a trust to the Microsoft servers:

  • -login to the EAC.
  • -click ORGANIZATION.
  • -click SHARING.
  • -click ENABLE to add a Federation Trust to the Microsoft servers.
  • -click CLOSE.
  • -click MODIFY.
  • -select the PRIMARY domain.
  • -click OK.
  • -it will return a TXT record.
  • -create a TXT record for this domain on your public DNS server that contains the key. It will look like this:
    g1lg/IZ3MIHN0TaBsNMF+QzYbbA8Z39B/d46rQfQVmtNYbb6w0vRDQagL1b+bkbXbhstfg6PWw6JRtQqIIJ3Q==
  • -create a TXT record for this domian on your Private DNS servers in your Active Directory.
  • -wait. This should be around 15 minutes but can take 24 hours.

2-Second, the outside domain must do the same steps above.

3-Third setup an ORGANIZATION-SHARING using the outside domain. It will fail if the domains have not setup the trusts.

  • -checkmark enable calendar free/busy information sharing.

4-Fourth setup an INDIVIDUAL-SHARING policy and set it as the default policy for everyone in the Exchange server.

Result

That should do it; you should now be able to see each others calendars as FREE/BUSY (not details).

To my dismay, this does not update users in the Global Address List (GAL) to include the outside domain. This means that, by default, looking up another person's calendar in the outsidedomain.tld is near impossible. You either have to manually type in all the outsidedomain.tld users into Exchange or use tools to do the sync for you; it is not built into Exchange. Grrrr...

Troubleshooting

As troubleshooting, you can get the URL by:

  • -hold CONTROL
  • -right-click the OUTLOOK icon (bottom-right).
  • -click TEST-EMAIL-AUTOCONFIGURATION.
  • -type in your password.
  • -click TEST.
  • -the AVAILABILITY-SERVICE-URL is the important URL.

Also, in the EMS, you can use the commands:

get-sharingpolicy foo-policy |fl

get-organizationrelationship |fl

get-federationinformation -DomainName outsidedomain.tld

Test-FederationTrust -useridentity mail\inside.foo.user

test-organizationrelationship -useridentity This e-mail address is being protected from spambots. You need JavaScript enabled to view it -identity outsidedomain.tld

As a result of the above test-organizationrelationship troubleshooting command failing, I had to toggle two properties and had to run the following:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $false
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $True

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $false
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $True

Contact Dak Networks

We are not taking on new clients at this time.