Disable Smart Card Authentication for Outlook Anywhere - Exchange 2013


Special Thanks to Krishna Kumar Thirumalai Nambi who worked on this issue and prepared Draft for this blog.

Scenario/Symptoms

If want to disable smart card authentication for Outlook anywhere for any business requirements or due to any problems encountered after enabling smart card authentication, you can use below to revert back the changes to disable smart card authentication for Outlook Anywhere in exchange server 2013.

Cause

Requirement / Misconfigurations/Corruptions

Resolution

 

Follow the instructions below to perform the task…

·         Copy the below script to a notepad file and save it as 'DisableOutlookSmartCardAuth.ps1' to '<Exchange install drive>:\Program Files\Microsoft\Exchange Server\V15\Scripts\'

·         Launch Exchange Management Shell and navigate to '<Exchange install drive>:\Program Files\Microsoft\Exchange Server\V15\Scripts\'

·         Run 'DisableOutlookSmartCardAuth.ps1'

·         Navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\RPC' and remove 'EnableSmartcard' - DWORD-32bit value

·         Delete and then recreate IIS Binding, also ensure a valid SSL certificate is selected (IIS --> Default Web Site --> Bindings… - 'https_ipport=0.0.0.0:443')

·         Reboot the Exchange Server.

Caution: Changes are made in IIS, application host configurations and registries… | (Backup Recommended)

Please see summary below to see what below script does.

Find the script below

====================================================================================================

#Script Begins 

# Globals

$ComputerName = [string]$Env:computername

$setupRegistryPath = Get-ItemProperty -path 'HKLM:SOFTWARE\Microsoft\ExchangeServer\v15\Setup'

$exchangeInstallPath = $setupRegistryPath.MsiInstallPath 

$AutoDiscoverPath =  "Default Web Site/Autodiscover"

$EwsPath = "Default Web Site/EWS"

$EcpPath = "Default Web Site/ECP"

$OabPath = "Default Web Site/OAB"

$MapiPath = "Default Web Site/Mapi" 

# Initialize IIS metabase management object

$InitWebAdmin = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration")

$Iis = new-object Microsoft.Web.Administration.ServerManager  

# Changes/removes a registry value under HKLM\Software\Microsoft\Rpc\RpcProxy to disable RpcWithCert

function DisableRpcWithCert

{

    $registry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', '.')                

    $RpcProxyKey = $registry.OpenSubKey("Software\Microsoft\Rpc\RpcProxy", $true)

    $RpcProxyKey.SetValue("EnableRpcWithCert", 0)

    Write-Output "Registry updated, servicelet should disable RpcWithCert"

# Updates path SSL Flags and disables the client-cert AD mapping

function DisableClientCertAuthForPath ([string]$IisPath)

{

    Write-Output "Disabling Require-Client-Certs + AD Cert Mapping for: $IisPath."

    $config = $Iis.GetApplicationHostConfiguration();   

    # Set SslFlags to require SSL and ignore client certificate

    $accessSection = $config.GetSection("system.webServer/security/access", $IisPath)

    $accessSection["sslFlags"] = "Ssl, Ssl128"   

    # Disable certificate-to-AD object mapping

    $clientCertificateMappingAuthenticationSection = $config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", $IisPath)

    $clientCertificateMappingAuthenticationSection["enabled"] = $false

    $Iis.CommitChanges()

# Updates path to disable client-cert AD mapping

function DisableAdClientCertAuthForPath([string]$IisPath)

{

    $config = $Iis.GetApplicationHostConfiguration();

    if ($IisPath -eq "")

    {

        Write-Output "Disabling AD Cert Mapping feature in IIS."

        $clientCertificateMappingAuthenticationSection = $config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication")

    }

    else

    {

        Write-Output "Disabling AD Cert Mapping for: $IisPath."

        $clientCertificateMappingAuthenticationSection = $config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", $IisPath)

   

    $clientCertificateMappingAuthenticationSection["enabled"] = $false

    $Iis.CommitChanges()

# Removes OAB auth module by updating web.config for OAB virtual directory

function UpdateOabWebConfig()

{

    if (Get-WebManagedModule -PSPath "iis:\sites\Default Web Site\OAB" -Name Microsoft.Exchange.OABAuth)

    {

Write-Output "OABAuthModule is present in OAB's web.config."

Begin-WebCommitDelay

Remove-WebManagedModule -PSPath "iis:\sites\Default Web Site\OAB" -Name "Microsoft.Exchange.OABAuth"

Write-Output "Removed OABAuthModule in OAB's web.config."

End-WebCommitDelay

    }

  

# Look for SslBinding's DefaultFlags and update as necessary

function FixSslDefaultFlags

{

    $registry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', '.')                

            # Need to reset value to $HTTP_SERVICE_CONFIG_SSL_FLAG_USE_DS_MAPPER and then restart IIS and HTTP.SYS

            Write-Output "SChannel AD certificate mapping registry setting needs to be updated. Shutting down IIS and HTTP.SYS."

            iisreset /stop

            net stop http -force

            $defaultSslBinding = $registry.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\HTTP\\Parameters\\SslBindingInfo\\0.0.0.0:443", $true)

            $defaultSslBinding.SetValue("defaultflags", 0)

            Write-Output "Registry updated, Restarting IIS and HTTP.SYS."

            iisreset /start

# Look for valid port entries

function FixValidPorts

{   

    $registry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', '.')                

    $rpcProxyKey = $registry.OpenSubKey("SOFTWARE\\Microsoft\\Rpc\\RpcProxy")   

    if ($rpcProxyKey -eq $Null)

    {

        # RPC/HTTP component is not correctly installed

        Write-Warning "RPC over HTTP Proxy feature is not correctly installed.  Please use Server Manager to reinstall this Windows Feature."

        break

   

    $validPorts = $rpcProxyKey.GetValue("Validports_Autoconfig_Exchange")    

    if ($validPorts -eq $null)

    {

        # enable-OutlookAnywhere was likely only recently enabled, add stub value and restart dependent services

        $rpcProxyKey = $registry.OpenSubKey("SOFTWARE\\Microsoft\\Rpc\\RpcProxy", $true)

        $rpcProxyKey.SetValue("Validports_Autoconfig_Exchange", "")  # set a stub value

        restart-service MSExchangeServiceHost

        restart-service MSExchangeFBA

    }

# Main

Write-Output "Disables Smart Card Authentication for Outlook Anywhere"

Write-Output "Configuring authentication for Outlook Anywhere on $ComputerName..." "" 

# Test for Outlook Anywhere on current machine

if (Get-OutlookAnywhere -Server $ComputerName)

{

    Write-Output "Outlook Anywhere is configured on current machine."

    FixValidPorts

}

else

{

    Write-Warning "Enable-OutlookAnywhere must be run before configuring authentication.  Exiting."

    break

# IIS: Disables server-wide Client certificate-to-AD authentication mapping

DisableAdClientCertAuthForPath ("")                                         # Global

DisableClientCertAuthForPath($AutoDiscoverPath)                 # AutoDiscover

DisableClientCertAuthForPath($EwsPath)                                 # EWS

DisableClientCertAuthForPath($EcpPath)                                 # ECP

DisableClientCertAuthForPath($OabPath)                                 # OAB

DisableClientCertAuthForPath($MapiPath)                                # Mapi 

# IIS: Outlook Anywhere: Disables Client certificate-to-AD authentication mapping

DisableRpcWithCert 

# Check on Schannel settings to ensure the DefaultFlags

FixSslDefaultFlags 

# Update OAB add web.config to add OABAuth module

UpdateOabWebConfig 

Write-Output "Done!  $ComputerName configured for default Outlook Anywhere and no longer configured with smart card/client certificate authentication"

$a=$Iis.Dispose() 

# End of Script. 

===================================================================================================

Summary

 

The above script (DisableOutlookSmartCardAuth.ps1) performs the following actions:

o Test if Outlook Anywhere is enabled on the current machine

o Disables server-wide Client certificate-to-AD authentication mapping from application host configurations

  · Set SSLFlags to require SSL and ignore client certificate ("system.webServer/security/access")  

  . Disables certificate-to-AD object mapping ("system.webServer/security/authentication/clientCertificateMappingAuthentication")

o Disables RPC with Cert to use /RPC virtual directory

   . Modifies/removes a DWORD 32-bit registry value 'EnableRpcWithCert' under 'HKLM\Software\Microsoft\Rpc\RpcProxy'

o Look for SSL binding's default flags and update as required

   · Modifies a DWORD 32-bit registry value 'defaultflags' under 'HKLM\CCS\services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443'

o Removes 'Microsoft.Exchange.OABAuth' module by updating 'web.config' for /OAB virtual directory

o Performs 'iisreset'

More Information

Configure Smart Card Authentication for Outlook Anywhere in Exchange 2013

https://technet.microsoft.com/en-us/library/dn960152(v=exchg.150).aspx 

Scripting with the Exchange Management Shell

https://technet.microsoft.com/en-us/library/bb123798.aspx

Query Words

smart card authentication, rpcwithcert, client certificate authentication, outlook anywhere, exchange server 2013


Comments (0)

Skip to main content