
Cannot Manage "Microsoft Federation Gateway"


Hi,

 

I followed all requirements for setting up a Hybrid Environment but I keep ending up with this error when I want to "Manage Federation" in EMC. I also ran the command from EPS with the same result.

 

Here is the complete error message:

 

Set-FederationTrust
Completed

Exchange Management Shell command completed:
Set-FederationTrust -RefreshMetadata -Identity 'Microsoft Federation Gateway'

Elapsed Time: 00:00:01

Set-FederatedOrganizationIdentifier
Failed

Error:
An error occurred while attempting to provision Exchange to the Partner STS.  Detailed Information "An unexpected result was received from Windows Live.  Detailed information: "1007 AccessDenied: Access Denied.".".

An unexpected result was received from Windows Live.  Detailed information: "1007 AccessDenied: Access Denied.".

AccessDenied: Access Denied.
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.ExB5F48C

Exchange Management Shell command attempted:
Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace 'ExoDelegate.mydomain.com' -OrganizationContact '' -Enabled $true

Elapsed Time: 00:00:12

 

I tried it about 6 times with newly created certificates and proofs.... no luck

 

Any suggestions?

 

Thanks in advance,

 

Jasper Kraak (MCT)

 

Verified Answer
  • Hi,

     

    Got a call from MS Service Request (thanks Sam) just an hour ago. Suggested solution: check your system time on CAS and PDC Emulator.

     

    .... all my Hosts (and VMs for that matter) were 7 minutes out of the actual time.....

     

    Had it all corrected and the "Manage Federation" Wizard completed within 20 seconds!

     

    Kind Regards,

    Jasper Kraak (MCT)

    @jasperkraak

    www.kraak.com
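
The fix in the verified answer was a clock correction on the CAS and the PDC emulator. As an added example (not part of the original thread), this PowerShell script measures a host's clock offset against an NTP reference with `w32tm /stripchart`. The reference server and the 300-second threshold are assumptions; the thread gives only the 7-minute drift that failed.

```powershell
# Added example (not from the thread). Run on each host the answer names:
# the CAS and the PDC emulator. Assumed values: the reference time source
# and the 300-second alert threshold; the thread states neither.
param(
    [string]$Reference  = 'time.windows.com',
    [int]   $MaxSkewSec = 300
)

function Get-W32tmOffset {
    # Averages the offsets in `w32tm /stripchart /dataonly` output, whose data
    # lines look like "17:30:35, +420.1234567s" (constructed sample). Header
    # lines and failed samples ("..., error: 0x...") do not match and are skipped.
    param([string[]]$Lines)
    $offsets = @()
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+[.,]\d+)s\s*$') {
            $text = $Matches[1] -replace ',', '.'
            $offsets += [double]::Parse($text, [Globalization.CultureInfo]::InvariantCulture)
        }
    }
    if ($offsets.Count -eq 0) {
        throw "No usable samples from $Reference (UDP 123 blocked or name not resolved?)"
    }
    ($offsets | Measure-Object -Average).Average
}

# Offset of the reference clock relative to this host, in seconds.
$raw    = & w32tm.exe /stripchart /computer:$Reference /samples:3 /dataonly
$offset = Get-W32tmOffset -Lines $raw

# Name the PDC emulator so it can be checked next (domain-joined hosts only).
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

New-Object PSObject -Property @{
    ComputerName    = $env:COMPUTERNAME
    PdcEmulator     = $pdc
    OffsetSeconds   = [math]::Round($offset, 1)
    WithinTolerance = ([math]::Abs($offset) -le $MaxSkewSec)
}
```

A host drifting by the 7 minutes reported in the thread would show an offset near 420 seconds and `WithinTolerance` set to `False`.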

All Replies
  • Hi Jasper,

    In the lab files a script is hardcoded to work with child domains, while you are not using a child domain.

    You should reconfigure the PS script so that it does not refer to this anymore.

    Please refer to the link: social.technet.microsoft.com/.../539811c7-53c5-41d5-8d62-2f3be2914cc0

    You may also use EMC to manage the federation.

    Please refer to the link: technet.microsoft.com/.../dd876922.aspx

    Wish this can help you.

    Best Regards,

    Kylin Yang.

  • Hi there,

    This is not the issue. I am not working with the Ignite Lab Environment.

    I am being denied access to https://domain.live.com/ , that's what turns up when I use EPS -Verbose.

    Any other suggestions?

    Thanks in advance,

    Jasper Kraak (MCT)

    @jasperkraak

    www.kraak.com

  • Hi there,

    I just deleted all of my Test Environment. I'll just start all over.

    Please send any answers on this post to jasper@kraak.com for the mailaccount used for this thread does not exist anymore.

    Thanks,

    Jasper Kraak (MCT)

     

    Sorry, Admin Mailaccount is still here :-)

    @jasperkraak

    www.kraak.com

  • Hi there,

    Keep bumping into the same error, on a completely clean environment. I ran the command from EPS -Verbose. Here's the output line where it goes wrong:

     

    VERBOSE: [17:30:35.478 GMT] Set-FederatedOrganizationIdentifier : Calling 'CreateAppId(uri='ExoDelegate.demo.ignite365.net',properties=[0])' at the domain services endpoint domains.live.com/.../managedelegation2.asmx.

    VERBOSE: [17:30:37.009 GMT] Set-FederatedOrganizationIdentifier : The request to Windows Live Domain Services failed with the following exception: [0]: Microsoft.Exchange.Management.FederationProvisioning.LiveDomainServicesException

    An unexpected result was received from Windows Live.  Detailed information: "1007 AccessDenied: Access Denied.".

     

    Please, any suggestions where I should look?

     

    Thanks,

    Jasper Kraak (MCT)

    @jasperkraak

    www.kraak.com

  • Hello!?

     

    Build a new environment (again), same error! Please HELP me out here!

     

    Jasper Kraak (MCT)

    @jasperkraak

    www.kraak.com

  • Hello Jasper,

    What step are you at in the Exchange Deployment Guide?

    David Rummelhart MSFT Moderator
  • Hi,

    It's the step after putting the Proof DNS TXT Records in: Manage Federation.

     

    I may have come up with a possible resolution though:

     

    Could the cause be that I added and removed the custom domain "mydomain.com" before?  I deleted the users through DirSync and then removed the domain through the MSOL Powershell tool.  I was able to add the domain again and DirSync users from another AD.... and I noticed that some of the user properties are still from the "old" configuration. On http://domains.live.com/service/managedelegation.asmx I see something mentioned about releasing a domain? I'll give it a try by using another domain....... see what happens

     

    In an earlier post you'll find the -verbose powershell output of the "Manage Federation" option in EMC.

     

    Kind regards,

    Jasper Kraak (MCT)

    @jasperkraak

    www.kraak.com

  • Hi Jasper,

    So I understand, you have:

    - O365 account <customdomain>.onmicrosoft.com with its inherent federation trust enabled (do not modify)

    - On-premises test environment <customdomain.com> and trying to set up federation trust using the default self-signed certificates in conjunction with hybrid deployment configuration.

    - You are *not* using your primary SMTP domain OR the O365 service domain as the Account Namespace for the on-premises federation trust - you are using the suggested "exchangedelegation.<customdomain>" or something else unique.

    Correct?

    -Robert

  • Hi,

     

    Yes, that is correct. I use "Exodelegate.mydomain.com" with the self signed certificate and the corresponding Proof-TXT DNS Record.

     

    As suggested 1/2 hour ago, when using the same domain in an earlier demo-environment, I did NOT delete the Federation Trust in Exchange, I just deleted the custom domain from MSOL.

    So, I think that the mydomain.com might still be in the Exchange Online system, and of course it had other thumbprints (TXT-DNS-Proof) associated .....

    In that case I'll have to extend my service request for deletion of that federated Exchange Domain in the Exchange Online system.

     

    Kind regards and thanks,

    Jasper Kraak (MCT)

     

     

    @jasperkraak

    www.kraak.com

  • Hello again,

     

    My assumption could not be verified.

     

    Again, I built a complete new Onprem environment, registered a new DomainName, purchased a new certificate, configured the lot as described in the deployment guide and still I get the same message from https://domains.live.com/service/managedelagation2.asmx

     

    For now I have no other conclusion than that the problem is on the Microsoft Side.....

     

    Any suggestions?

     

    Thanks,

    Jasper Kraak

    @jasperkraak

    www.kraak.com

  • Hello again,

     

    I would really like to have my issue resolved! But neither in the Forum nor in my Service Request I get any answers or suggestions.

     

    Please help moving forward!

     

    Thanks,

    Jasper Kraak (MCT)

    @jasperkraak

    www.kraak.com

  • Hello Jasper,

    Can you please post the given SR number on this thread and I will make sure it gets into the right hands.

    Respectfully,

    David Rummelhart MSFT Moderator
  • Hi David,

     

    Here's the number:

    SRX1155808963ID

     

    Kind Regards,

    Jasper Kraak (MCT)

    @jasperkraak

    www.kraak.com
