Client Certificate-based Authentication in Entourage 2008

Microsoft recently released Service Pack 1 (SP1) for Office 2008 for Mac. SP1 brings some new features for Entourage 2008 users, one of which is 'Client Certificate-based Authentication'. In this post we will walk through the setup on the server and client sides, for those who want to use this feature in Entourage.

Introduction
Entourage connects to an Exchange mailbox through the 'Exchange' virtual directory under 'Default Website' in IIS (Internet Information Server) installed on an Exchange Server. IIS provides several authentication methods and they are all discussed here & here. One of them is 'Client Certificate-based Authentication' (CCA), which works through 'Client Certificate Mapping' on the server side. Most conventional ways of authentication require the user to supply a username, domain & password (3-tier credentials), but CCA does not require users to provide their domain credentials. It works through a mapping of user certificates to their accounts in Windows Active Directory. It is used where a high level of security is required and domain password policies are very strict, or where administrators simply do not want their users to remember/enter their domain credentials for any kind of access. In those environments 'Two Factor Authentication' (RSA, Smart Card) is also used, and CCA helps in its implementation. Now, with the new support for CCA in Entourage, you can have your Entourage users utilize 'Two Factor Authentication' when they connect to their Exchange mailbox. Let's see how we can set it up.

Setup Details
To keep things simple, I have a single box server with Windows 2003 SP2 & Exchange 2003 SP2 (the most common versions out there). It also has 'Certificate Services' (a Windows component) installed on it to act as my 'Private Root Certification Authority' (one can go with Public Root CAs like VeriSign, etc.). You can install an 'Enterprise Root CA' or a 'Standalone Root CA' (steps with screenshots). If you want to read more before installation, go here.

I installed an 'Enterprise Root CA' on my server. I used it to issue an identity certificate to IIS (Default Website) so that secured connections (SSL) can be established over port 443 by Entourage clients when they connect to the 'Exchange' virtual directory to get access to their Exchange mailbox. This is a prerequisite for CCA; the steps are here.

I also used it to issue client certificates to individual Entourage users so that they can use them for CCA when connecting to their Exchange mailbox (more details later in the 'Client Side Setup' section below).

Server Side Setup
There are several ways to set 'Client Certificate Mapping' on IIS; they are all discussed here. I used the 'Windows Directory Service Mapper' for my setup, as it's the most popular & simple to set up. I followed the steps listed here.

Note: I tested this feature successfully with '1-to-1 Mapping' as well, with no issues. However, I didn't test it with 'Many-to-1 Mapping'; I assume that scenario will also work without any issues.

After that I went to the 'Exchange' virtual directory and enabled the requirement of client certificates for authentication. To do that:

  1. Go to IIS Manager : Default Website : Exchange : Properties : Directory Security : Secure Communications : Edit : Check the 2 boxes for 'Require secure channel (SSL)' & 'Require 128 bit encryption'
  2. On the same window, under 'Client certificates' section, select 'Require client certificates'
  3. Also check the box for 'Enable client certificate mapping'
  4. The final configuration will look like this

That's it. Click OK twice to get back to IIS Manager.

Now that we are set to use CCA for authentication on the 'Exchange' virtual directory, we can go and turn off all other authentication methods. To do that, go to IIS : Default Website : Exchange : Properties : Directory Security : Authentication & Access Control : Edit : Uncheck all boxes here (screenshot), then click OK twice to get back to IIS Manager.

Now repeat the above steps for the 'Public' virtual directory, which is used by Entourage to access public folders on Exchange Server.
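
The end state of the steps above can be checked from the metabase values rather than by eye in the dialog boxes. The following added example (not part of the original post) decodes the IIS 6 metabase properties AccessSSLFlags and AuthFlags for each virtual directory and reports any deviation from the configuration described here; the sample values are constructed, and reading the real values from the server (for instance with adsutil.vbs) is assumed to happen separately.

```python
# Added example: audit IIS 6 metabase flags against the CCA setup in this post.
# Bit values are the IIS 6 metabase definitions for AccessSSLFlags / AuthFlags.
ACCESS_SSL_BITS = {
    "Require secure channel (SSL)": 0x008,
    "Require client certificates": 0x040,
    "Enable client certificate mapping": 0x080,
    "Require 128 bit encryption": 0x100,
}
AUTH_BITS = {
    "Anonymous": 0x01,
    "Basic": 0x02,
    "Integrated Windows": 0x04,
    "Digest": 0x10,
    "Passport": 0x40,
}

def audit_vdir(name, access_ssl_flags, auth_flags):
    """Return a list of findings; an empty list means the vdir matches the post."""
    findings = []
    # Every box ticked in steps 1-3 must be present in AccessSSLFlags.
    for label, bit in ACCESS_SSL_BITS.items():
        if not access_ssl_flags & bit:
            findings.append(f"{name}: '{label}' is not set")
    # The post unchecks every other authentication method, so AuthFlags must be 0.
    for label, bit in AUTH_BITS.items():
        if auth_flags & bit:
            findings.append(f"{name}: {label} authentication is still enabled")
    return findings

def audit_all(vdirs):
    """vdirs maps a virtual directory name to (AccessSSLFlags, AuthFlags)."""
    return {name: audit_vdir(name, ssl, auth) for name, (ssl, auth) in vdirs.items()}

# Constructed sample values: 'Exchange' fully configured, 'Public' forgotten
# (SSL and 128-bit only, Basic and Integrated Windows still enabled).
SAMPLE = {
    "Exchange": (0x1E8, 0x00),
    "Public": (0x108, 0x06),
}

if __name__ == "__main__":
    for vdir, findings in audit_all(SAMPLE).items():
        print(vdir, "OK" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

A directory that has certificate mapping enabled but does not require client certificates, or that still allows Basic or Integrated Windows authentication, remains reachable with domain credentials, which is the gap this check is meant to surface.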

Client Side Setup
To begin with, Entourage users should follow these steps for obtaining and installing a user certificate on their Mac. I used a Mac with Tiger (Mac OS 10.4.11) and Entourage 2008 SP1 installed on it.

  1. Launch Safari browser and go to https://<server-name>/certsrv (where 'server-name' is the name of the server where 'Private Root CA' is installed) (screenshot)
  2. Enter your username and password when prompted (screenshot)
  3. On the 'Welcome' page of your Root CA Server, click on 'Request a certificate' link (screenshot)
  4. On the 'Request a certificate' page, click on 'User Certificate' link (screenshot)
  5. On the 'User Certificate – Identifying Information' page, keep the 'Key Strength' field set to '2048 (High Grade)', click on 'Submit' button (screenshot)
  6. On the 'Certificate Issued' page, click on 'Install this certificate' link (screenshot)
  7. You will see the 'Downloads' window from Safari and a file by the name of 'certnew.cer' will be downloaded to your desktop (screenshot)
  8. Double click on the 'certnew.cer' file on your desktop (screenshot)
  9. The 'Keychain Access' application will launch and you will see the 'Add Certificates' window, keep the 'Keychain' field set to 'login' and click 'OK' (screenshot)
  10. The user certificate will then be imported in the Keychain (screenshot)
  11. You can double click on it to view the user certificate (screenshot)
  12. You can also launch 'Microsoft Cert Manager' application (from Mac Hard Drive : Applications : Microsoft Office 2008 : Office) to view the certificate in 'Digital Identities' container. This is a good indication that the user certificate will work fine with CCA or digital signing and encryption of outgoing mail.

Quick Admin Check: To make sure that the Entourage user account is set up properly in Windows Active Directory, take a look at its properties (through 'Active Directory Users & Computers' or 'ADUC'). You should see the user certificate there under the 'Published Certificates' tab (screenshot). If not, you can import it (use the 'cer' file from the user's Mac, see Step 7 above) using the 'Add from file' button there. Another way to add & map the user certificate is to right-click on the user object in ADUC, choose 'Name Mappings', then add the user certificate there under the 'X.509 Certificates' tab (screenshot).

Now let's configure the Exchange account settings in Entourage. This screenshot depicts how the 'Account Settings' tab should look. Note that you do not need to provide the user's domain credentials, i.e. username, domain & password. The 'Advanced' tab is where you need to select the user certificate under the 'Client Certificate-based Authentication' section. Clicking on the 'Select' button there will bring up the 'Choose an Identity' window, which will list the user certificate. That's it, you are done.

After that, Entourage will try to connect to the Exchange mailbox utilizing 'Client Certificate-based Authentication'. The user will see a prompt 'Confirm Access to Keychain'; choose 'Always Allow' on that. This allows Entourage to access the 'Keychain' in Mac OS where the user certificate is stored. Entourage will then go and talk to the 'Exchange' virtual directory on the server. The user certificate will be used for CCA and the connection to the Exchange mailbox will be established in seconds. We are done!

But What About GAL Access?
After some research I found that currently it is not possible in Windows Server 2003 to require CCA for LDAP connections & queries. Thus, if you want your Entourage users to access your Windows Global Catalog Server (LDAP Server) for the 'GAL Access' (Global Address List) feature, you will need to configure it appropriately (non-SSL over ports 3268 & 389 or SSL over ports 3269 & 636) and also provide domain credentials in the Exchange account settings in Entourage. Entourage uses the same set of domain credentials provided on the first tab (screenshot) for authentication against Exchange & the LDAP Server. The authentication processes are separate for IIS (for Exchange mailbox & public folder access) & the LDAP Server (for the 'GAL Access' feature). If CCA is required for authentication by IIS (at the 'Exchange' & 'Public' virtual directories), then Entourage will use the client certificate for that and will only use domain credentials for authentication against the LDAP Server for the 'GAL Access' feature.

Smart Cards
Some organizations out there use Smart Cards to store the user certificate, which is generally used by them for digital signing and encryption of outgoing mail. Smart Cards will continue to work in the same way for the CCA feature as well. Just select the same user certificate here too.