
Saturday, December 4, 2021

Exchange - Removing Old/Expired Federation Certificates

I'll start off by saying Microsoft really dropped the ball on renewing an Exchange Federation Certificate. 

The MS instructions here tell you how to renew it (sure, that's part of what we need), but they don't tell you how to remove the old one...which leads to the EAC screaming at you that certs are about to expire or already have. And there's no supported/built-in option for removing it like there is for other self-signed certs.

If you even try to remove the old/expired Federation cert, it will throw the following error:

A special Rpc error occurs on server blah blah. Active certificates in use by Federation cannot be removed.

Well, that's weird...because we've already replaced the Fed Cert, right? Wrong...

When you renew a Federation Cert, it moves the old certificate to an ADSI attribute called "msExchFedOrgPrevPrivCertificate" and sets the new cert as the "msExchFedOrgPrivCertificate".

Notice the "PrevPriv" and "OrgPriv" in those names? 

**Note** These attributes can be found in ADSIEdit under CN=Configuration,DC=domain,DC=com > CN=Services > CN=Microsoft Exchange > CN=DOMAINNAME > CN=Federation Trusts > CN=Microsoft Federation Gateway > Properties

For some (stupid) reason, Exchange still sees the msExchFedOrgPrevPrivCertificate as being used by Federation and MS should really fix that...I mean, do they NOT expect anyone to keep Exchange around longer than 5 years, which is when the certs expire?

In order to get around this, we need to clear that msExchFedOrgPrevPrivCertificate attribute, after which we can delete the cert from Exchange.

The Fix

I've come up with a PowerShell cmdlet to do just that.

Disclaimer: Modifying anything in ADSI can be destructive, so make sure you have a good AD backup or export the attribute using LDIFDE - you can find guides for that on the net.

Check The Attribute

In the Exchange Management Shell (EMS), run the following cmdlet to check our msExchFedOrgPrevPrivCertificate value:

Get-ADObject -LDAPFilter "(objectclass=msexchfedtrust)" -SearchBase "CN=Microsoft Federation Gateway,CN=Federation Trusts,CN=EXCHANGEITUP,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exchangeitup,DC=com" -Properties msExchFedOrgPrevPrivCertificate | Select msExchFedOrgPrevPrivCertificate

**Note** Change "CN=EXCHANGEITUP" and "DC=exchangeitup,DC=com" to match your domain

It should output a byte array (PowerShell shows each byte as a decimal number) like so:

msExchFedOrgPrevPrivCertificate : {57, 52, 68, 48, 55, 52, 65, 53, 50, 69, 56, 51, 69, 49, 67, 56...}

Clear The Attribute

Next, we're going to clear the value, with the Set-ADObject, like so:

Set-ADObject "CN=Microsoft Federation Gateway,CN=Federation Trusts,CN=EXCHANGEITUP,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exchangeitup,DC=com" -Clear msExchFedOrgPrevPrivCertificate

What this does is open the Microsoft Federation Gateway object in the ADSI Exchange Federation container and use the "-Clear" parameter to empty its "msExchFedOrgPrevPrivCertificate" attribute.

**Note** Change "CN=EXCHANGEITUP" and "DC=exchangeitup,DC=com" to match your domain.

If you run your first cmdlet again, the value will be empty.

Delete The Certificate

Next, we'll get the cert thumbprint by running:

Get-ExchangeCertificate | Select Services,Thumbprint,NotAfter | ft -auto

You'll want to look at the Services column for "Federation" and the NotAfter column to find the old/expired cert and copy that Thumbprint.

Now, we'll remove that old certificate from Exchange by running the following for each of your Mailbox Servers:

Remove-ExchangeCertificate -Server MBX1 -Thumbprint 94D074A52E83E1C81528EE3C43FEE42266ED80A0 -Confirm:$false

**Note** Change "MBX1" to your server name(s), successively.

You can also do this in the EAC by navigating to Servers > Certificates, selecting the old Fed Cert and clicking the Trashcan icon.

Do this on each Mailbox Server.

Now if you check the EAC, the old Federation Certificate will be gone from each of your servers, the alerts will be gone and Federation will still work!
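As an added example (not part of the original post), here is one script that strings the check, clear and delete steps together with guardrails: it refuses to clear anything unless the stored thumbprint matches an Exchange cert that has actually expired and a valid replacement Federation cert exists, backs up the raw attribute first, and changes nothing unless -Commit is passed. It assumes the Exchange Management Shell with the ActiveDirectory module loaded, the placeholder names EXCHANGEITUP / exchangeitup.com from the post, and that the attribute holds the old thumbprint as ASCII bytes (which is what the sample bytes above decode to).

```powershell
# Added example, not from the original post. Dry run by default; pass -Commit to apply.
param(
    [string]$OrgCN    = 'EXCHANGEITUP',          # placeholder: CN under CN=Microsoft Exchange
    [string]$DomainDN = 'DC=exchangeitup,DC=com', # placeholder: your forest root DN
    [switch]$Commit
)
$fedDN = "CN=Microsoft Federation Gateway,CN=Federation Trusts,CN=$OrgCN,CN=Microsoft Exchange,CN=Services,CN=Configuration,$DomainDN"

# 1. Read the attribute and decode the byte array to a thumbprint string.
#    Assumption: the bytes are the ASCII thumbprint (57,52,68,48... = "94D0...").
$obj   = Get-ADObject -Identity $fedDN -Properties msExchFedOrgPrevPrivCertificate
$bytes = $obj.msExchFedOrgPrevPrivCertificate
if (-not $bytes) { Write-Host 'Attribute already empty, nothing to do.'; return }
$oldThumb = ([System.Text.Encoding]::ASCII.GetString([byte[]]$bytes) -replace '[^0-9A-Fa-f]', '').ToUpper()
Write-Host "Previous federation cert thumbprint: $oldThumb"

# 2. Safety checks before anything destructive happens.
$now     = Get-Date
$certs   = Get-ExchangeCertificate
$oldCert = $certs | Where-Object { $_.Thumbprint -eq $oldThumb }
if (-not $oldCert) { throw "No Exchange certificate with thumbprint $oldThumb on this server; refusing to clear." }
if ($oldCert.NotAfter -gt $now) { throw "Certificate $oldThumb is still valid until $($oldCert.NotAfter); refusing to clear." }
$liveFed = $certs | Where-Object { $_.Services -match 'Federation' -and $_.Thumbprint -ne $oldThumb -and $_.NotAfter -gt $now }
if (-not $liveFed) { throw 'No valid replacement Federation certificate found; renew it first.' }

# 3. Back up the raw attribute value so it can be restored if needed.
$backup = Join-Path $env:TEMP "msExchFedOrgPrevPrivCertificate-$($now.ToString('yyyyMMddHHmmss')).bin"
[System.IO.File]::WriteAllBytes($backup, [byte[]]$bytes)
Write-Host "Raw attribute saved to $backup"

# 4. Clear the attribute, then remove the old cert from every Mailbox server.
#    -WhatIf:(-not $Commit) turns both into a dry run unless -Commit was given.
Set-ADObject -Identity $fedDN -Clear msExchFedOrgPrevPrivCertificate -WhatIf:(-not $Commit)
foreach ($srv in Get-MailboxServer) {
    Remove-ExchangeCertificate -Server $srv.Name -Thumbprint $oldThumb -Confirm:$false -WhatIf:(-not $Commit)
}
```

Run it once without -Commit to see the WhatIf output for every server, then again with -Commit; the .bin backup can be re-imported with Set-ADObject -Replace if you ever need the old value back.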
