Finally, here is the continuation of the previous article about the Exchange federation trust. We have established the trust between the Microsoft Federation Gateway and our organizations. The next step is to configure inter-organizational behavior. It forms a mesh-like network in which each organization relationship is established 1:1.
Prerequisites
- The Autodiscover service must be accessible from the internet on at least one CAS server
- EWS should be accessible on at least one server, and its External URL should match both the name accessible from the internet and the subject name (SN) or SAN of the 3rd party certificate
Organization Relationship
Once we have configured our organizations to trust the MS Federation Gateway, we can use that trust to create an organization relationship. We run the Get-FederationInformation command against the opposite organization and pipe the result to New-OrganizationRelationship to create the new organization relationship. The access level on both sides of the relationship should be the same.
In our organization:
Get-FederationInformation -DomainName metrosys.cz | New-OrganizationRelationship -Name "Metrosys" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
Or directly:
New-OrganizationRelationship -Name <foreignorganizationname> -FreeBusyAccessEnabled $True -FreeBusyAccessLevel LimitedDetails -Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://email.foreigndomain.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames .cz -TargetApplicationURI http://fydibohf25spdlt.foreigndomain.cz/ -TargetSharingEpr https://email.foreigndomain.cz/EWS/Exchange.asmx
Note: Domain names are CASE SENSITIVE!
Test the newly created relationship:
Test-OrganizationRelationship -identity <ForeignOrganizationname> -UserIdentity primarysmtpaddress@salonovi.cz -Verbose
In foreign organization:
Get-FederationInformation -DomainName salonovi.cz | New-OrganizationRelationship -Name "Salonovi" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
Or directly:
New-OrganizationRelationship -Name -FreeBusyAccessEnabled $True -FreeBusyAccessLevel LimitedDetails -Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://mail.salonovi.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames salonovi.cz -TargetApplicationURI http://fydibohf25spdlt.salonovi.cz/ -TargetSharingEpr https://mail.salonovi.cz/EWS/Exchange.asmx
Note: Domain names are CASE SENSITIVE!
Finally, when the configuration is correct, you can see the Free/Busy limited details of users in the foreign organization.
Errors you might face
The index error is caused by a domain name entered in the wrong case (in my case Metrosys.cz instead of metrosys.cz) or by wrong URLs for EWS or Autodiscover.
The errors in the following picture are caused by wrong or misspelled URLs (self-explanatory).
Usually the Autodiscover URL has the format https://autodiscover.domainname.cz/autodiscover/autodiscover.xml; however, the federation trust uses the Autodiscover service at the URL https://autodiscover.domainname.cz/autodiscover/autodiscover.svc/WSSecurity, where WSSecurity is the authentication used by the federation trust.
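The pitfalls above (domain name case, the wrong Autodiscover endpoint, wrong EWS URL, unequal access levels) can be checked before running Test-OrganizationRelationship. The following is an added example, not part of the original article: the function name Test-OrgRelationshipSettings is hypothetical, and the sample objects and the metrosys.cz host names are constructed stand-ins for the output of Get-OrganizationRelationship on each side.

```powershell
# Added example: offline pre-flight check for the errors described above.
# Input objects mimic properties returned by Get-OrganizationRelationship.
function Test-OrgRelationshipSettings {
    param(
        [Parameter(Mandatory)] $Local,   # relationship defined in our organization
        [Parameter(Mandatory)] $Remote   # relationship defined in the foreign organization
    )
    $findings = @()
    foreach ($rel in @($Local, $Remote)) {
        foreach ($domain in $rel.DomainNames) {
            # Domain names are case sensitive: flag anything not entirely lower case.
            $d = [string]$domain
            if ($d -cne $d.ToLowerInvariant()) {
                $findings += "$($rel.Name): domain '$d' is not lower case"
            }
        }
        # Federation uses the .svc/WSSecurity endpoint, not autodiscover.xml.
        $auto = [uri]$rel.TargetAutodiscoverEpr
        if ($auto.Scheme -ne 'https' -or
            $auto.AbsolutePath -ne '/autodiscover/autodiscover.svc/wssecurity') {
            $findings += "$($rel.Name): unexpected Autodiscover endpoint '$auto'"
        }
        $ews = [uri]$rel.TargetSharingEpr
        if ($ews.Scheme -ne 'https' -or $ews.AbsolutePath -ne '/EWS/Exchange.asmx') {
            $findings += "$($rel.Name): unexpected EWS endpoint '$ews'"
        }
    }
    # The access level should be the same on both sides of the relationship.
    if ($Local.FreeBusyAccessLevel -ne $Remote.FreeBusyAccessLevel) {
        $findings += "Access level mismatch: $($Local.FreeBusyAccessLevel) vs $($Remote.FreeBusyAccessLevel)"
    }
    return $findings
}

# Constructed sample data reproducing two of the mistakes from this article.
$ours = [pscustomobject]@{
    Name = 'Metrosys'; DomainNames = @('Metrosys.cz'); FreeBusyAccessLevel = 'LimitedDetails'
    TargetAutodiscoverEpr = 'https://autodiscover.metrosys.cz/autodiscover/autodiscover.xml'
    TargetSharingEpr      = 'https://email.metrosys.cz/EWS/Exchange.asmx'
}
$theirs = [pscustomobject]@{
    Name = 'Salonovi'; DomainNames = @('salonovi.cz'); FreeBusyAccessLevel = 'LimitedDetails'
    TargetAutodiscoverEpr = 'https://mail.salonovi.cz/autodiscover/autodiscover.svc/wssecurity'
    TargetSharingEpr      = 'https://mail.salonovi.cz/EWS/Exchange.asmx'
}
Test-OrgRelationshipSettings -Local $ours -Remote $theirs | ForEach-Object { Write-Warning $_ }
```

The PowerShell comparison operators used for the URL paths are case-insensitive, so both the wssecurity and WSSecurity spellings pass; only the domain name check uses the case-sensitive -cne.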
Links:
- Configuring Federation Trust http://technet.microsoft.com/en-us/library/jj657462(v=exchg.150).aspx
- Configure OrganizationRelationship http://technet.microsoft.com/en-us/library/jj657451(v=exchg.150).aspx