Exchange 2019 Authentication methods - security

Question

Exchange 2019 Authentication methods - security

Step to IT 125

Hello!

Can you please help me with the authentication issue in Exchange Server 2019?

I am interested in the following points:

Why do events with "Logon Type" = 8 periodically appear in the "Security" event log on Exchange servers?
1. Is this data in clear text?
2. Does it affect security?
3. Is it possible to somehow disable the transfer of data in clear text?
Why does the "Get-AuthenticationPolicy" cmdlet work in one Exchange configuration, but in another it returns "Get-AuthenticationPolicy : The term 'Get-AuthenticationPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program."? In both environments, the account has Exchange administrator rights, you can create a new policy via "New-AuthenticationPolicy" and assign it to the organization. I created it, but there is no way to check the current ones.
Does changing authentication parameters in virtual directory settings or through authentication policy have the same effect?

Thanks in advance

Accepted answer

0 additional answers

Your answer

Answer 1

Anonymous

Hi @Step to IT ,

Welcome to the Microsoft Q&A platform!

According to your description, let’s go through each of your points:

1. "Logon Type" = 8 Events in the Security Event Log on Exchange Servers

a. Is this data in clear text?

Logon Type 8 refers to a network logon where the credentials are passed in clear text. This logon type is used for SQL Server Authentication and other forms of authentication where credentials need to be verified over a network connection.

b. Does it affect security?

Yes, it can potentially affect security because transmitting credentials in clear text over a network exposes them to interception and misuse by unauthorized parties.

c. Is it possible to somehow disable the transfer of data in clear text?

To mitigate this, you can:
- Use SSL/TLS to encrypt data transmitted between clients and the server.
- Enable and enforce more secure authentication methods like Kerberos or NTLM.
- Modify your system and application configurations to prevent the use of insecure logon methods.

2. "Get-AuthenticationPolicy" cmdlet Issues

Why does the "Get-AuthenticationPolicy" cmdlet work in one Exchange configuration but not in another?

The behavior you're seeing could be due to several reasons:
- Exchange Version: "Get-AuthenticationPolicy" is available starting in Exchange Server 2019 CU6. Verify that both environments are running an appropriate version of Exchange.
- RBAC (Role-Based Access Control): Even if the account has Exchange administrator rights, there could be differences in the assigned management roles between the two environments.
- Modules and Snap-ins: Ensure that the necessary modules or snap-ins are loaded in the environment where the cmdlet is failing.

3. Changing Authentication Parameters in Virtual Directory Settings vs. Authentication Policy

Do changing authentication parameters in virtual directory settings or through authentication policy have the same effect?

Both methods aim to control how clients authenticate to the Exchange server, but they operate at different levels:
- Virtual Directory Settings: Changing authentication parameters here affects the specific protocol (e.g., OWA, EWS, ActiveSync) and the way clients authenticate against that particular endpoint.
- Authentication Policy: This is a broader approach that allows administrators to enforce authentication settings across the entire organization or specific users.

Using authentication policies could provide a more consistent and centralized method for controlling authentication methods and enhancing security. However, changing settings directly in virtual directories might be necessary for finer control over specific services.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang

Step to IT 125 Reputation points

2024-09-09T16:48:31.4233333+00:00

Thank you very much for such a detailed answer!

Can you please tell me:

Use SSL/TLS to encrypt data transmitted between clients and the server.

I have TLS configured everywhere, a proxy server is used, external clients connect through it, internal ones directly. There are certificates in both places, but not everything is encrypted. Why is that?

Also, if clients use ActiveSync, OWA, MAPI, AnyWhere, then they are forced to enter their credentials (i.e. NTLM), is it possible to disable old authentication protocols in this case so that everything continues to work as it does now? If so, what exactly... Or maybe you have a link to a similar article where this is discussed? On Microsoft, I only find information about Exchange Online :(
Anonymous

2024-09-10T06:39:59.2266667+00:00
Hi @Step to IT ,

Thanks for your response!

It sounds like you have a complex setup with a mixture of direct and proxied connections, and you're running into issues with ensuring that all data transmitted is encrypted as well as modernizing your authentication protocols. Let’s break down your queries:

TLS Configuration and Encryption Issues Even though you have TLS configured, there are a few reasons why not all data might be encrypted:

Some parts of your communication might still be using HTTP instead of HTTPS. Ensure all endpoints are configured to use HTTPS.

The proxy server might not be correctly configured to enforce TLS for all traffic. Double-check the proxy settings to ensure it mandates TLS for both incoming and outgoing connections.

Ensure that the certificates are correctly installed and trusted by all clients and servers. Sometimes, a misconfigured certificate can cause fallback to unencrypted communication.

Ensure that all clients and servers are using compatible versions of TLS. Older versions might not support the latest encryption standards.

Disabling Old Authentication Protocols To disable old authentication protocols like NTLM while ensuring that everything continues to work, you can follow these steps:

Ensure that Hybrid Modern Authentication (HMA) is enabled in your environment. This allows clients to use more secure authentication methods.

Use authentication policies to block legacy authentication methods. For example, you can create a policy to block NTLM and other older protocols.

Ensure all clients are updated to versions that support modern authentication methods. This includes Outlook 2013 or later, Outlook for iOS and Android, etc.

Here is a basic example of how to create an authentication policy in Exchange Server 2019:

New-AuthenticationPolicy -Name "Block Legacy Auth" -BlockLegacyAuthProtocols

Then, assign this policy to users:

Set-User -Identity <UserIdentity> -AuthenticationPolicy "Block Legacy Auth"

For more detailed steps, you can refer to the Microsoft documentation on disabling legacy authentication.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang
Step to IT 125 Reputation points

2024-09-10T18:56:16.2866667+00:00

Thanks for the answer.

I checked everything, everything is fine. The only thing I haven't tried is Hybrid Modern Authentication (HMA). I'll try it when I have time and opportunity. Thanks for the advice.

I tried to create an authentication policy and apply it to a test user. The result - nothing worked even within the corporate network, bypassing the external proxy. The password was constantly requested, i.e. authentication did not pass.
Anonymous

2024-09-12T08:43:12.49+00:00
Hi @Step to IT ,

Thanks for your response!

Hybrid Modern Authentication (HMA) could indeed be a key factor. When you get a chance to try it, it might resolve the issue.

Regarding the authentication policy, constant password prompts can be frustrating. Here are a few things you might want to check:

Ensure that the authentication policy is correctly configured and applied to the test user.

Verify that there are no network issues or misconfigurations that might be affecting the authentication process.

Make sure SPNs are correctly set up for the services involved.

Check if there are any certificate issues that might be causing the authentication to fail.

Review logs for any errors or warnings that could provide more insight into why the authentication is failing.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang
Step to IT 125 Reputation points

2024-09-12T19:51:08.57+00:00

Hello!

Sorry for the long reply.

Thanks for the answers, I'll try to find the problem area.

Share via

Exchange 2019 Authentication methods - security

1. "Logon Type" = 8 Events in the Security Event Log on Exchange Servers

2. "Get-AuthenticationPolicy" cmdlet Issues

3. Changing Authentication Parameters in Virtual Directory Settings vs. Authentication Policy

0 additional answers

Your answer