Test-FederationTrust Failed to request delegation token

  • Question

  • When running the Test-FederationTrust cmdlet on a CAS server running Exchange 2010 SP1 (RU5v1) I get an error saying that there was an issue getting a delegation token.

     

    The actual output is here:

     

    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : FederationTrustConfiguration
    Type       : Success
    Message    : FederationTrust object in ActiveDirectory is valid.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : FederationMetadata
    Type       : Success
    Message    : The federation trust contains the same certificates published by the security token service in its federation metadata.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : StsCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : StsPreviousCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : OrganizationCertificate
    Type       : Success
    Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : TokenRequest
    Type       : Error
    Message    : Failed to request delegation token.
    
    

     

    I re-ran the cmdlet with the 'verbose' parameter and got the following:

     

    VERBOSE: [12:49:06.110 GMT] Test-FederationTrust : Beginning processing &
    VERBOSE: [12:49:06.110 GMT] Test-FederationTrust : Instantiating handler with index 0 for cmdlet extension agent "Admin
     Audit Log Agent".
    VERBOSE: [12:49:06.110 GMT] Test-FederationTrust : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write
     Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient
    Scope(s): {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: Testing Federation Trust
    VERBOSE: [12:49:06.110 GMT] Test-FederationTrust : Resolved current organization: .
    VERBOSE: [12:49:06.126 GMT] Test-FederationTrust : Searching objects "extest_5580e4a3ff4a4" of type "ADUser" under the
    root "$null".
    VERBOSE: [12:49:06.126 GMT] Test-FederationTrust : Previous operation run on global catalog server
    'server.domain.net'.
    VERBOSE: [12:49:06.141 GMT] Test-FederationTrust : Requesting Federation Metadata from
    https://nexus.microsoftonline-p.com/FederationMetadata/2006-12/FederationMetadata.xml.
    VERBOSE: [12:49:06.704 GMT] Test-FederationTrust : Parsing Federation Metadata: 
    <fed:FederationMetadata>
      <SNIPPED>
    </fed:FederationMetadata>
    VERBOSE: [12:49:06.704 GMT] Test-FederationTrust : Retrieved Token Issuer Uri from Federation Metadata:
    urn:federation:MicrosoftOnline.
    VERBOSE: [12:49:06.704 GMT] Test-FederationTrust : Retrieved Token Issuer Certificate from Federation Metadata:
    B02FEAAC45742783AA61FC8DB7D0C5E0FF415239.
    VERBOSE: [12:49:06.704 GMT] Test-FederationTrust : Retrieved Token Issuer Previous Certificate from Federation
    Metadata: 089D50FCF27AE9642BFCD95384FD0BB9C14427A4.
    VERBOSE: [12:49:06.704 GMT] Test-FederationTrust : Retrieved Token Issuer End Point from Federation Metadata:
    https://login.microsoftonline.com/extSTS.srf.
    VERBOSE: [12:49:06.704 GMT] Test-FederationTrust : Retrieved Web Requestor Redirect End Point from Federation Metadata:
     https://login.microsoftonline.com/login.srf.
    VERBOSE: [12:49:07.423 GMT] Test-FederationTrust : Failed to request delegation token. Reason:
    <S:Fault xmlns:S="http://www.w3.org/2003/05/soap-envelope">
      <S:Code>
        <S:Value>S:Sender</S:Value>
        <S:Subcode><S:Value>wst:InvalidRequest</S:Value></S:Subcode>
      </S:Code>
      <S:Reason><S:Text xml:lang="en-US">Invalid Request</S:Text></S:Reason>
      <S:Detail>
        <psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
          <psf:value>0x80048820</psf:value>
          <psf:internalerror>
            <psf:code>0x80047867</psf:code>
            <psf:text>Server received a SAML token from an unrecognized issuer.</psf:text>
          </psf:internalerror>
        </psf:error>
      </S:Detail>
    </S:Fault>
    Microsoft.Exchange.Net.WSTrust.SoapFaultException: Soap fault exception received.
       at Microsoft.Exchange.Net.WSTrust.SoapClient.Invoke(IEnumerable`1 headers, XmlElement bodyContent)
       at Microsoft.Exchange.Net.WSTrust.SecurityTokenService.IssueToken(DelegationTokenRequest request)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.TestFederationTrust.GetDelegationToken(ADUser user, Uri target, SecurityTokenService securityTokenService)
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : FederationTrustConfiguration
    Type       : Success
    Message    : FederationTrust object in ActiveDirectory is valid.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : FederationMetadata
    Type       : Success
    Message    : The federation trust contains the same certificates published by the security token service in its federation metadata.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : StsCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : StsPreviousCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : OrganizationCertificate
    Type       : Success
    Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
    
    RunspaceId : 93c95e81-7679-4937-8c78-dc29e3bab37a
    Id         : TokenRequest
    Type       : Error
    Message    : Failed to request delegation token.
     
    VERBOSE: [12:49:07.423 GMT] Test-FederationTrust : Admin Audit Log: Entered Handler:OnComplete.
    VERBOSE: [12:49:07.423 GMT] Test-FederationTrust : Ending processing &
    
    

     


    I have removed/deleted the federation and re-created it several times to no avail.

     

    Any suggestions?

     

    Regards,
    Luke 
    • Edited by Luke Maslany Thursday, November 10, 2011 1:14 PM whitspace
    Thursday, November 10, 2011 1:01 PM

Answers

  • This specific issue is now resolved following the latest removal/re-creation of the federated trust.  

    The only change made prior to this was that we enabled WSSecurityAuthentication on the EWS virtual directory (a discrepancy identified by Microsoft Support - my thanks to them) using the following PowerShell command:

    Set-WebServicesVirtualDirectory -Identity "$env:COMPUTERNAME\EWS (Default Web Site)" -WSSecurityAuthentication $true

    The above command alone didn't get it working, however, even after restarting IIS, the Exchange services and finally the CAS server itself.

    Since the federated trust was re-created the Test-FederationTrust cmdlet has consistently run successfully.

     

    Regards, 
    Luke

    • Marked as answer by Luke Maslany Thursday, December 8, 2011 12:14 PM
    Thursday, December 8, 2011 12:14 PM

All replies

  • Hi Luke,

    Per the information, there is some issue when requesting the delegation token.
    I would suggest that you first get some information from the links below:
    http://technet.microsoft.com/en-us/library/dd335047.aspx
    http://technet.microsoft.com/en-us/library/dd351033.aspx
    This is because the Security Assertion Markup Language (SAML) delegation tokens are issued by the Microsoft Federation Gateway.
    I would suggest that you contact MS to confirm the token issue.

    Regards!
    Gavin

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by Gavin-Zhang Monday, December 5, 2011 8:19 AM
    • Unmarked as answer by Luke Maslany Thursday, December 8, 2011 12:01 PM
    Friday, November 11, 2011 10:13 AM
  • Hi Luke,

    Any update for your issue?

    Regards!
    Gavin

    TechNet Subscriber Support in forum


    Monday, November 14, 2011 7:44 AM
  • Hi Luke,

    I would close the case, if you have any update, you could reopen the case.

    Regards!


    Gavin

    TechNet Community Support

    Monday, December 5, 2011 8:20 AM
  • Hi All,

    I have faced the same issue with Test-FederationTrust; to solve it I only tried the links mentioned below. It works for me!

    Issue Description:

    Issue1:

    Id         : FederationMetadata
    Type       : failed

    Issue 2:

    Id         : TokenRequest
    Type       : Error
    Message    : Failed to request delegation token.

    http://russburden.wordpress.com/category/microsoft-federation-gateway/

    http://vanhybrid.com/2014/01/12/freebusy-in-a-hybrid-environment-fail-and-test-federationtrust-returns-error-failed-to-validate-delegation-token/

    http://support.microsoft.com/kb/2555008

    http://community.office365.com/en-us/f/158/t/5598.aspx

    First of all, we are facing this issue where the Internet connectivity of the Exchange Hybrid server comes through a web proxy, so the web proxy needs to be defined in the Exchange Management Shell.

    The first Exchange PowerShell command will be:

    Set-ExchangeServer -Identity Exchhub01 -InternetWebProxy http://10.10.10.10:3120/

    Note: Change the Exchange server name and the proxy IP and port number as per your environment.

    The second command will be:

    Get-FederationTrust | Set-FederationTrust -RefreshMetadata

    The third command will be:

    Test-FederationTrust

    or

    Test-FederationTrust -UserIdentity <OnPremisesMailbox> -Verbose

    Note: Test-FederationTrust will show you the status of the federation certificate; it should be valid. It takes 5-8 hours to become valid after expiry.

    Thanks


    Kirpal Singh

    Sunday, October 26, 2014 1:54 PM
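    The following script, added here as an example and not posted by anyone in this thread, ties together the two settings the thread identifies (WSSecurityAuthentication on the EWS virtual directories from Luke's answer, InternetWebProxy from Kirpal's steps), refreshes the federation metadata and reports only the Test-FederationTrust checks that did not succeed. It assumes an Exchange Management Shell session; the mailbox and proxy values are placeholders, and removing/re-creating the trust (the step that finally fixed Luke's case) is deliberately left manual.

    ```powershell
    # Added example, not from the thread. Audits the EWS and proxy settings discussed
    # above, refreshes federation metadata and summarises Test-FederationTrust.
    # Placeholders: -UserIdentity (an on-premises mailbox), -InternetWebProxy.
    param(
        [string]$UserIdentity = "user@contoso.example",   # placeholder mailbox
        [string]$InternetWebProxy = "",                   # e.g. http://proxy.example:3128/
        [switch]$Fix                                      # apply changes instead of only reporting
    )

    foreach ($srv in Get-ExchangeServer) {
        # 1. Every EWS virtual directory on a CAS must accept WS-Security authentication,
        #    otherwise the WS-Trust exchange behind the delegation token request fails.
        if ($srv.IsClientAccessServer) {
            foreach ($vdir in Get-WebServicesVirtualDirectory -Server $srv.Name) {
                if (-not $vdir.WSSecurityAuthentication) {
                    Write-Warning "WSSecurityAuthentication is disabled on $($vdir.Identity)"
                    if ($Fix) {
                        Set-WebServicesVirtualDirectory -Identity $vdir.Identity -WSSecurityAuthentication $true
                    }
                }
            }
        }
        # 2. If outbound HTTPS to the Federation Gateway goes through a proxy, Exchange
        #    must be told about it, or the metadata/token requests never leave the network.
        if ($InternetWebProxy -and -not $srv.InternetWebProxy) {
            Write-Warning "$($srv.Name) has no InternetWebProxy configured"
            if ($Fix) { Set-ExchangeServer -Identity $srv.Identity -InternetWebProxy $InternetWebProxy }
        }
    }

    # 3. Re-pull the gateway's metadata so the trust references its current certificates.
    Get-FederationTrust | Set-FederationTrust -RefreshMetadata

    # 4. Run the test and show only the checks that are not successful (Error/Warning).
    $results = Test-FederationTrust -UserIdentity $UserIdentity
    $failed  = @($results | Where-Object { $_.Type -ne 'Success' })
    if ($failed.Count -gt 0) {
        $failed | Format-Table Id, Type, Message -AutoSize -Wrap
} else {
        Write-Host "All federation trust checks passed."
    }
    ```

    Run it once without -Fix to see what differs from the thread's working configuration, then with -Fix to apply the changes; if TokenRequest still fails afterwards, the remaining step from the thread is to remove and re-create the federation trust.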
  • If refreshing the metadata does not work as mentioned in some of the links then you can remove and recreate the trust itself. I had a couple of instances where refreshing the metadata did not work. Keep in mind that you will need to validate the domains again. But it does not take very long.

    Steps here:

    https://supertekboy.com/2017/02/11/the-delegation-token-is-null-hybrid-freebusy/


    Practical help for Exchange & Office 365 - SuperTekBoy | Twitter | LinkedIn


    Thursday, February 16, 2017 1:15 PM