How to Configure Certificate Based Authentication for OWA - Part I
Published Oct 07 2008 08:10 PM

Lately we have seen more interest in certificate based authentication with Exchange 2007 Outlook Web Access. Using certificates for authentication can be considered more secure because a user cannot gain access to the mailbox simply by knowing the user name and password. The certificate option prevents key loggers or other malware on a client machine capturing keystrokes to identify user account and passwords. With a combination of a Certificate Authority, Exchange Server 2007 and ISA Server 2006 you can provide a certificate based authentication configuration with minimum changes to your current environment. A Windows 2003 Certificate Server, or your own trusted third party certificate provider can be used to provide user certificates. The advantage of the Windows certificate server is it allows for the auto-enrollment and publishing of certificates to Active Directory. This post will not cover more advanced topics on how to properly set up a PKI infrastructure, or install and configure ISA server. It assumes these prerequisites are already in place and functioning. This document covers configuring Exchange 2007 client access server to Exchange 2007 mailbox servers. The steps for configuring Exchange 2003 configuration can be found at http://technet.microsoft.com/en-us/magazine/cc137993.aspx. I will post a follow up to outline the steps needed for Exchange Server 2007 on Windows 2008 with IIS 7.

Requirements

PKI environment

  • The user certificate must be issued for Client Authentication. The default User template from a Windows certificate server will work in this scenario.
  • The certificate can be on a Smart Card or in the personal certificate store of the client operating system.
  • All Certificate Authorities must be included in the NTAuthCertificates container. Knowledge Base article KB 295663 (http://support.microsoft.com/kb/295663) describes the process.
  • The User Principal Name (UPN) value for each user account must match the Subject Name field on the user's certificate.
  • All servers must trust the entire Certificate Authority chain. This includes the ISA, CAS, and client workstation. The Certificate Authority Root certificate must be in the Trusted Root Certification Authorities store on all of these systems.

Active Directory

  • The domain must be set to the Windows Server 2003 Domain Functional Level.
  • Kerberos Constrained Delegation will be configured between the ISA and CAS computer accounts.

Exchange Configuration

  • The Exchange CAS role server must require SSL at 128 bit strength on the Default Web Site.
  • Forms Based Authentication cannot be used with certificate based authentication.
  • Integrated authentication must be set on the OWA virtual directory.

ISA 2006 Server

  • All ISA Servers and Exchange Servers must be members of the same Active Directory domain. Kerberos Constrained Delegation only works within the same domain.
  • The ISA Server must be able to perform Certificate Revocation Checking, which means it must be able to reach the Certificate Revocation List (CRL, pronounced "krill") distribution points of the issuing CAs.
  • The OWA publishing rule must have the correct service principal name for the internet facing CAS servers. You can verify service principal names with the SetSPN utility. This utility is included with the Windows 2003 support tools.
 

Configure ISA Server 2006

Configure Kerberos Constrained Delegation

  1. Open Active Directory Users and Computers
  2. Go to the properties of the ISA computer account and click the delegation tab.
  3. Select the Trust this computer for delegation to specified services only option and then select the Use any authentication protocol option. Click the Add button.
  4. This will open the Add Services window. Click the Users or Computers button.
  5. Enter the name of your internet facing CAS server and click OK.
  6. After clicking OK a list of Service Principal Names (SPN) will be displayed for your server.
  7. Select the appropriate HTTP SPN for your internet facing CAS server. You will need to add your Internet facing CAS role servers to this list. By default you will only see the HTTP/FQDN SPNs.
In my example I created a custom SPN record http/mail.fourthcoffee.com with the SetSPN.exe utility. This utility is included with the Windows Server 2003 support tools. Here is the TechNet document that covers the creation of SPN records and how they are used for constrained delegation: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-83c6-6...
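Steps 1 through 7 leave three things in Active Directory that must all be right before the delegation works; the following script, added here as an example and not part of the original post, checks them. The ISA computer name ISA01 is an assumed placeholder; the SPN is the custom one from the text.

```powershell
# Added example (not from the original post): confirms the AD prerequisites for the
# Kerberos Constrained Delegation configured above. ISA01 is an assumed placeholder;
# run on any domain-joined machine.
$IsaComputer = "ISA01"
$Spn         = "http/mail.fourthcoffee.com"

function Find-AdObjects([string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = $Filter
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# 1. Exactly one account may hold the SPN: none means the KDC cannot issue a service
#    ticket for it, two or more makes the SPN ambiguous. (setspn -L <CAS> shows the same data.)
$holders = Find-AdObjects "(servicePrincipalName=$Spn)" @("samaccountname")
$names = @($holders | ForEach-Object { $_.Properties["samaccountname"][0] })
Write-Host ("SPN $Spn is held by: " + [string]::Join(", ", $names))
if ($names.Count -ne 1) { Write-Warning "SPN must be registered on exactly one account (found $($names.Count))" }

# 2. The ISA computer account must list the SPN under 'Trust this computer for delegation
#    to specified services only'; AD stores that list in msDS-AllowedToDelegateTo.
$isa = Find-AdObjects "(&(objectClass=computer)(cn=$IsaComputer))" @("msds-allowedtodelegateto", "useraccountcontrol")
if ($isa.Count -ne 1) { throw "ISA computer account $IsaComputer not found" }
$allowed = @($isa[0].Properties["msds-allowedtodelegateto"])
if ($allowed -contains $Spn) { Write-Host "msDS-AllowedToDelegateTo on $IsaComputer contains $Spn" }
else { Write-Warning ("$IsaComputer may not delegate to $Spn (list: " + [string]::Join(", ", $allowed) + ")") }

# 3. 'Use any authentication protocol' sets TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) in
#    userAccountControl. ISA needs it because the client presented a certificate, not a
#    Kerberos ticket, so ISA must obtain the ticket itself (protocol transition).
$uac = [int]$isa[0].Properties["useraccountcontrol"][0]
if ($uac -band 0x1000000) { Write-Host "$IsaComputer has TRUSTED_TO_AUTH_FOR_DELEGATION set" }
else { Write-Warning "$IsaComputer is missing 'Use any authentication protocol'" }
```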

Modifying the OWA Web Publishing Rule

  1. This section assumes you already have an OWA publishing rule in place. We will only make the necessary changes to allow for certificate based authentication.
  2. Open the ISA server management console
  3. In the left pane expand Arrays/Server Name and highlight the Firewall Policy.
  4. Open the properties of your Exchange 2007 Web Publishing rule.
  5. Click on the Authentication Delegation tab.
  6. Set the Method used by ISA Server to authenticate to the published web server to Kerberos Constrained Delegation.
  7. Enter the correct SPN value for Kerberos Constrained Delegation. This needs to match the SPN you selected for the computer account delegation.
  8. Click on the Users Tab. All Authenticated users should be listed.

Configure the Web Listener for the OWA publishing rule

You need to know what ISA rules are using the OWA listener before making this change. Setting the authentication as I do below could impact other websites or services that are published with this listener.
  1. Go to the Listener tab of the OWA publishing rule.
  2. Click the properties button.
  3. Go to the Authentication tab.
  4. Set Method client uses to authenticate to ISA server to SSL Client Certificate Authentication.
  6. Click the Advanced button on the Web Listener property page.
  7. Check the box for Require all users to authenticate.
  8. Click OK for all of the Web listener property pages.
  9. Click OK on the web publishing rule property page.
  10. Click the Apply button to update the ISA configuration.

Exchange Server 2007 CAS Configuration

You must enable integrated authentication on the /OWA virtual directory. Doing so disables Forms Based Authentication. This can be done either through the management console or the management shell.

Configure Integrated Windows Server Authentication

As a reminder, these steps are for a CAS in front of Exchange 2007 mailbox servers. Setting integrated authentication on the /Exchange virtual directory requires configuring additional Kerberos constrained delegation, which means mailboxes on Exchange 2003 servers will not work until KCD is configured correctly.
  1. Open the Exchange management Console.
  2. Expand Server configuration in the left pane, and highlight Client Access.
  3. In the middle pane highlight the internet facing CAS name.
  4. Open the properties of the OWA (Default Web Site).
  5. Select the Use one or more standard authentication methods: radio button.
  6. Select the Integrated Windows Authentication check box.
  7. Click OK.
  8. You will then be shown a dialog box stating that IISReset /noforce must be run before the changes take effect. Click OK to this box.
  9. From a command prompt, run iisreset /noforce. This will restart the IIS services.
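The management shell route mentioned above, as an added example that is not part of the original post. CAS01 is an assumed placeholder for the Internet-facing CAS; run it in the Exchange Management Shell on that server.

```powershell
# Added example (not from the original post): Exchange Management Shell equivalent of
# steps 1-9 above. CAS01 is an assumed placeholder for the Internet-facing CAS name.
$Cas  = "CAS01"
$Vdir = "$Cas\owa (Default Web Site)"

# Forms Based Authentication and Integrated Windows Authentication are mutually exclusive,
# so both are set in one call: FBA off, IWA on (the console does the same when you pick
# 'Use one or more standard authentication methods').
Set-OwaVirtualDirectory -Identity $Vdir -FormsAuthentication $false -WindowsAuthentication $true

# Confirm the result. The ISA delegation only works while WindowsAuthentication is True
# and FormsAuthentication is False.
Get-OwaVirtualDirectory -Identity $Vdir |
    Format-List Name, FormsAuthentication, WindowsAuthentication, BasicAuthentication

# Same as the IISReset prompt in the console: the change is not live until IIS restarts.
iisreset /noforce
```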

User Configuration in Active Directory

The user accounts that will use certificate based authentication must have the user certificate published to the Active Directory account. If you are using a Windows 2003 PKI Root Certificate Authority this is done by default.

Verify the published User certificate in Active Directory

  1. Open Active Directory Users and Computers.
  2. Open the properties of the user account in question and click on the Published Certificate tab.
  3. Double click the certificate to open it. Verify the following:
    1. General tab:
      1. The certificate must be within its validity period (check the Valid from and Valid to dates).
    2. Details Tab
      1. Subject field must have the UPN matching the user account.
      2. Enhanced key Usage field must have Client Authentication.
      3. CRL Distribution Points must be accessible by the ISA server (either LDAP or HTTP).
    3. Certification Path tab
      1. The icons for the certificate chain must be green. If they are yellow or red then there is a problem with that certificate. You can double click the individual certificates to view them.
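The same checks carried out against the certificate published on the account, as an added example that is not part of the original post. The UPN is an assumed placeholder; run it from the ISA server so that the CRL reachability test reflects what ISA will see.

```powershell
# Added example (not from the original post): reads the certificates published on a user's
# AD account (userCertificate attribute) and checks the items from the tabs listed above.
# $Upn is an assumed placeholder; run on a domain-joined machine, ideally the ISA server.
param([string]$Upn = "user@fourthcoffee.com")

$ClientAuthOid = "1.3.6.1.5.5.7.3.2"          # Enhanced Key Usage: Client Authentication
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=user)(userPrincipalName=$Upn))"
[void]$searcher.PropertiesToLoad.Add("usercertificate")
$account = $searcher.FindOne()
if ($account -eq $null) { throw "No account with UPN $Upn" }
$blobs = $account.Properties["usercertificate"]
if ($blobs.Count -eq 0) { throw "No certificate published on $Upn (Published Certificates tab is empty)" }

foreach ($blob in $blobs) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
    Write-Host "`nCertificate $($cert.SerialNumber): $($cert.Subject)"

    # General tab: validity period
    $now = Get-Date
    Write-Host ("  Valid now:        " + (($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)))

    # Details tab: UPN in the Subject or in the Subject Alternative Name (the default User
    # template writes it to the SAN as 'Principal Name=')
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $names = $cert.Subject + " " + $(if ($san) { $san.Format($true) } else { "" })
    Write-Host ("  UPN matches:      " + ($names -match [regex]::Escape($Upn)))

    # Details tab: Enhanced Key Usage must include Client Authentication
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $ekuOk = ($eku -ne $null) -and (($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }) -ne $null)
    Write-Host ("  Client Auth EKU:  " + $ekuOk)

    # Details tab: CRL Distribution Points; HTTP ones are fetched, LDAP ones only listed
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
    $cdpText = $(if ($cdp) { $cdp.Format($true) } else { "" })
    foreach ($m in [regex]::Matches($cdpText, "(https?|ldap):\S+")) {
        $url = $m.Value
        if ($url -match "^http") {
            try { (New-Object System.Net.WebClient).DownloadData($url) | Out-Null; $state = "reachable" }
            catch { $state = "NOT reachable: $($_.Exception.Message)" }
        } else { $state = "LDAP (verify from the ISA server)" }
        Write-Host "  CRL DP: $url -> $state"
    }

    # Certification Path tab: build the chain with online revocation checking; any status
    # entry corresponds to a yellow or red icon in the certificate viewer
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "Online"
    Write-Host ("  Chain builds:     " + $chain.Build($cert))
    foreach ($s in $chain.ChainStatus) { Write-Host "    chain problem: $($s.Status) $($s.StatusInformation.Trim())" }
}
```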

What the clients see after these changes

When the user browses to the OWA URL, they will be prompted to supply their certificate. If the certificate is in the Personal certificate store, they can choose it from the list; if it is stored on a smartcard, they insert the card into the smartcard reader at this point. After clicking OK, the user will be taken to the OWA page just as if they had entered the user name and password. If they do not have a certificate, or supplied a wrong or invalid certificate, the client will receive a 401 Unauthorized page with an ISA 12209 error code.

Windows Server 2003

  • Public Key Infrastructure for Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
  • Managing a Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
  • Service principal names with Windows 2003
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-83c6-6...

Microsoft ISA Server 2006

  • Microsoft ISA Server 2006: Enterprise Edition Installation Guide
http://www.microsoft.com/technet/isa/2006/deploy/ee_install_guide.mspx
  • Publishing Exchange Server 2007 with ISA Server 2006
http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx
  • Using ISA Server 2006 with Exchange 2007
http://technet.microsoft.com/en-us/library/aa998036.aspx
  • Configuring ISA Server 2006 for Exchange Client Access
http://technet.microsoft.com/en-us/library/aa997148.aspx

- DJ Ball
7 Comments
Not applicable
You said: "Requirements... A Windows 2003 Certificate Server"
Why not 2008?  Will this also work?
Not applicable
When will the Outlook client support certificate based authentication with Outlook Anywhere?
Not applicable
but users accessing OWA from public places will have trouble, rather cannot make use of this certificate authentication. right? assuming these public computers do not have smart card readers
Not applicable
Could you get this to work on SBS 2008 which will not have ISA in it?
Not applicable
I have used MS and non-MS certificate servers with this and it works.  WS2008/Longhorn issued certificates work just fine.  ...whether or not they have been tested and supported is up to the Microsoft Exchange Team to reply.

Users in public places can still utilize their user credentials with password and risk having keystroke loggers capture those credentials.  In many cases companies have Windows Mobile users and  That's the risk.  The other option is to have the kiosk in the public location install the smartcard reader and the software.  Some actually will as long as you are paying the time on the machine.

This solution still does not mitigate any analog attacks or prevent digital attacks such as screen scrapers or keystroke loggers, from capturing screenshots or prevent keystroke loggers from capturing and assembling keystrokes.  In all honesty if most companies require two-factor auth they may have policies against using public systems to access their network.  I don't know of many companies that force smart card authentication but there may be some in healthcare and banking that require it.  The US government does require it with the published HSPD-12 directives signed into law a few years back.

It would be a perfect world if Outlook and OCS could support SC logons like IE could, would it not?  Granted the paranoid admin in me really likes having VPN solutions for home users that sequester a machine until after it passes NAC checks allowing them access to only required servers (such as E-mail, and NAC/NAP remediation servers) as well as requiring anything downloaded to their home machine be rights protected (lots of people are getting laid off nowadays...)

/soapbox

Have a great afternoon!,

Chris
Not applicable
Is it necessary to have ISA Server 2006 in front of CAS or can we get it to work without an advanced firewall?
Not applicable
This can be configured to work without ISA server. You just need to configure IIS to accept client certificates. Look at the following articles for IIS 6 configurations.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/751c99bd-9657-41a5-b541-5...

and

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/096519f4-3079-4571-9d28-8...

In my follow up post I will document how to set up IIS 7 for certificate based authentication.