Lately we have seen more interest in certificate-based authentication with Exchange 2007 Outlook Web Access. Using certificates for authentication can be considered more secure because a user cannot gain access to the mailbox simply by knowing the user name and password. The certificate option prevents key loggers or other malware on a client machine from capturing keystrokes to recover the user account name and password.
With a combination of a Certificate Authority, Exchange Server 2007 and ISA Server 2006 you can provide a certificate-based authentication configuration with minimal changes to your current environment. A Windows 2003 Certificate Server, or your own trusted third-party certificate provider, can be used to issue user certificates. The advantage of the Windows certificate server is that it allows for auto-enrollment and publishing of certificates to Active Directory.
This post will not cover more advanced topics such as how to properly set up a PKI infrastructure, or how to install and configure ISA Server. It assumes these prerequisites are already in place and functioning. This post covers an Exchange 2007 Client Access Server in front of Exchange 2007 mailbox servers. The steps for an Exchange 2003 configuration can be found at http://technet.microsoft.com/en-us/magazine/cc137993.aspx. I will post a follow-up to outline the steps needed for Exchange Server 2007 on Windows 2008 with IIS 7.
- The user certificate must be issued for Client Authentication. The default User template from a Windows certificate server will work in this scenario.
- The certificate can be on a Smart Card or in the personal certificate store of the client operating system.
- All Certificate Authorities must be included in the NTAuthCertificates container. Knowledge Base article KB 295663 (http://support.microsoft.com/kb/295663) describes the process.
- The User Principal Name (UPN) value for each user account must match the Subject Name field on the user's certificate.
- All servers must trust the entire Certificate Authority chain. This includes the ISA server, the CAS, and the client workstation. The Certificate Authority root certificate must be in the Trusted Root Certification Authorities store on all of these systems.
- The domain must be set to the Windows Server 2003 Domain Functional Level.
- Kerberos Constrained Delegation will be configured between the ISA and CAS computer accounts.
- The Exchange CAS role server must require SSL at 128 bit strength on the Default Web Site.
- Forms Based Authentication cannot be used with certificate based authentication.
- Integrated authentication must be set on the OWA virtual directory.
- All ISA Servers and Exchange Servers must be members of the same Active Directory domain. Kerberos Constrained Delegation only works within the same domain.
- The ISA Server must be able to perform certificate revocation checking against the Certificate Revocation List (CRL, pronounced "krill").
- The OWA publishing rule must have the correct service principal name for the internet-facing CAS servers. You can verify service principal names with the SetSPN utility, which is included with the Windows 2003 support tools.
Configure ISA Server 2006
Configure Kerberos Constrained Delegation
- Open Active Directory Users and Computers
- Go to the properties of the ISA computer account and click the delegation tab.
- Select the Trust this computer for delegation to specified services only option and then select the Use any authentication protocol option. Click the Add button.
- This will open the Add Services window. Click the Users or Computers button.
- Enter the name of your internet facing CAS server and click OK.
- After clicking OK a list of Service Principal Names (SPN) will be displayed for your server.
- Select the appropriate HTTP SPN for your internet facing CAS server. You will need to add your Internet facing CAS role servers to this list. By default you will only see the HTTP/FQDN SPNs.
In my example I created a custom SPN record http/mail.fourthcoffee.com with the SetSPN.exe utility. This utility is included with the Windows Server 2003 support tools. Here is the TechNet document that covers the creation of SPN records and how they are used for constrained delegation:
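The same SPN registration and constrained delegation configuration done from the command line, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) and setspn.exe are available and that you run it as a domain admin; ISA01, CAS01 and http/mail.fourthcoffee.com are placeholder names.

```powershell
# Added example (not from the original post). Assumed names: ISA01 (ISA computer
# account), CAS01 (internet-facing CAS), http/mail.fourthcoffee.com (OWA listener SPN).
Import-Module ActiveDirectory

$isaComputer = 'ISA01'
$casComputer = 'CAS01'
$owaSpn      = 'http/mail.fourthcoffee.com'

# 1. Register the custom HTTP SPN on the CAS computer account. The published OWA host
#    name rarely equals the CAS FQDN, so the default HTTP/FQDN SPN alone is not enough.
setspn -A $owaSpn $casComputer

# 2. Constrained delegation on the ISA computer account:
#    msDS-AllowedToDelegateTo  = the "specified services only" list on the Delegation tab
#    TrustedToAuthForDelegation = "Use any authentication protocol" (protocol transition);
#    required here because the client authenticates to ISA with a certificate, not Kerberos.
Set-ADComputer -Identity $isaComputer -Add @{ 'msDS-AllowedToDelegateTo' = $owaSpn }
Set-ADAccountControl -Identity "$isaComputer`$" -TrustedToAuthForDelegation $true

# 3. Verify. The SPN must be registered on exactly one account (a duplicate SPN breaks
#    Kerberos silently), and the ISA account must list it as a delegation target.
setspn -L $casComputer
$isa = Get-ADComputer -Identity $isaComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
if ($isa.'msDS-AllowedToDelegateTo' -notcontains $owaSpn) {
    throw "Delegation target $owaSpn missing on $isaComputer"
}
if (-not $isa.TrustedToAuthForDelegation) {
    throw "'Use any authentication protocol' is not enabled on $isaComputer"
}
```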
Modifying the OWA Web Publishing Rule
- This section assumes you already have an OWA publishing rule in place. We will only make the necessary changes to allow for certificate based authentication.
- Open the ISA server management console
- In the left pane expand Arrays/Server Name and highlight the Firewall Policy.
- Open the properties of your Exchange 2007 Web Publishing rule.
- Click on the Authentication Delegation tab.
- Set the Method used by ISA Server to authenticate to the published web server to Kerberos Constrained Delegation.
- Enter the correct SPN value for Kerberos Constrained Delegation. This needs to match the SPN you selected for the computer account delegation.
- Click on the Users Tab. All Authenticated users should be listed.
Configure the Web Listener for the OWA publishing rule
You need to know what ISA rules are using the OWA listener before making this change. Setting the authentication as I do below could impact other websites or services that are published with this listener.
- Go to the Listener tab of the OWA publishing rule.
- Click the properties button.
- Go to the Authentication tab.
- Set Method client uses to authenticate to ISA server to SSL Client Certificate Authentication.
- Click the Advanced button on the Web Listener properties page.
- Check the box for Require all users to authenticate.
- Click OK on all of the Web Listener property pages.
- Click OK on the web publishing rule property page.
- Click the Apply button to update the ISA configuration.
Exchange Server 2007 CAS Configuration
You must enable Integrated Windows Authentication on the /OWA virtual directory. When you do this it will disable Forms Based Authentication. This can be done either through the management console or the management shell.
Configure Integrated Windows Authentication
As a reminder, these steps are for a CAS in front of Exchange 2007 mailbox servers. Setting integrated authentication on the /Exchange virtual directory requires configuring additional Kerberos constrained delegation. This means mailboxes on Exchange 2003 servers will not work until KCD is configured correctly for them.
- Open the Exchange management Console.
- Expand Server configuration in the left pane, and highlight Client Access.
- In the middle pane highlight the internet facing CAS name.
- Open the properties of the OWA (Default Web Site).
- Select the Use one or more standard authentication methods radio button.
- Select the Integrated Windows Authentication check box.
- Click OK.
- You will then be shown a dialog box that states IISReset /noforce must be run before changes become effective. Click OK to this box.
- From a command prompt, run iisreset /noforce. This will restart the IIS services.
User Configuration in Active Directory
The user accounts that will use certificate based authentication must have the user certificate published to the Active Directory account. If you are using a Windows 2003 PKI Root Certificate Authority this is done by default.
Verify the published User certificate in Active Directory
- Open Active Directory Users and Computers.
- Open the properties of the user account in question and click on the Published Certificates tab.
- Double click the certificate to open it. Verify the following:
  - General tab:
    - The Valid from / Valid to dates must cover the current date; the certificate must not be expired.
  - Details tab:
    - The Subject field must contain the UPN matching the user account.
    - The Enhanced Key Usage field must include Client Authentication.
    - The CRL Distribution Points must be accessible by the ISA server (either LDAP or HTTP).
  - Certification Path tab:
    - The icons for the certificate chain must be green. If they are yellow or red then there is a problem with that certificate. You can double click the individual certificates to view them.
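The same checks scripted against the certificate published on the account, as an added example that is not from the original post. It assumes the ActiveDirectory module is available; the user jsmith with UPN jsmith@fourthcoffee.com is a constructed sample.

```powershell
# Added example (not from the original post). Assumed: user 'jsmith' with UPN
# jsmith@fourthcoffee.com. Re-creates the General / Details / Certification Path
# checks from the post for every certificate published on the account.
Import-Module ActiveDirectory

$expectedUpn = 'jsmith@fourthcoffee.com'
$user = Get-ADUser -Identity 'jsmith' -Properties userCertificate
if (-not $user.userCertificate) { throw "No certificate published on $($user.SamAccountName)" }

foreach ($raw in $user.userCertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    $problems = @()

    # General tab: the certificate must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) - $($cert.NotAfter))"
    }

    # Details tab: the UPN carried in the certificate must match the account's UPN.
    $certUpn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    if ($certUpn -ne $expectedUpn) { $problems += "UPN '$certUpn' does not match '$expectedUpn'" }

    # Details tab: Enhanced Key Usage (2.5.29.37) must include Client Authentication (1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
        $problems += 'no Client Authentication EKU'
    }

    # Details tab: CRL Distribution Points (2.5.29.31) must exist. Print them so the
    # ISA server's ability to reach each LDAP/HTTP URL can be checked from the ISA box.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { $problems += 'no CRL Distribution Points extension' } else { $cdp.Format($true) }

    # Certification Path tab: build the chain with online revocation checking, the same
    # thing ISA will do; a failure here is the "yellow or red icon" case from the post.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }

    "{0} (thumbprint {1}): {2}" -f $cert.Subject, $cert.Thumbprint, $(if ($problems) { $problems -join ' | ' } else { 'OK' })
}
```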
What the clients see after these changes
When the user browses to the OWA URL, they will be prompted to supply their certificate. If the certificate is in the Personal certificate store, they can choose it from the list. Alternatively the certificate can be stored on a smart card, in which case they insert it into the smart card reader at this point.
After clicking OK, the user will be taken to the OWA page just as if they had entered the user name and password. If they do not have a certificate, or supply a wrong or invalid certificate, the client will receive a 401 Unauthorized page with ISA error code 12209.
- Public Key Infrastructure for Windows Server 2003
- Managing a Windows Server 2003 Public Key Infrastructure
- Service principal names with Windows 2003
Microsoft ISA Server 2006
- Microsoft ISA Server 2006: Enterprise Edition Installation Guide
- Publishing Exchange Server 2007 with ISA Server 2006
- Using ISA Server 2006 with Exchange 2007
- Configuring ISA Server 2006 for Exchange Client Access
- DJ Ball