How to Configure Outlook Web Access to Use a Smart Card
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic explains how to use the Exchange Management Console or the Exchange Management Shell and Internet Information Services Manager to configure Microsoft Office Outlook Web Access to use smart cards for user authentication.
Smart cards are a tamper-resistant and portable way to help provide security solutions for tasks such as client authentication, code signing, and securing e-mail.
Smart cards provide the following capabilities:
Tamper-resistant storage for protecting private keys and other forms of personal information.
Isolation of security-critical computations involved in authentication, digital signatures, and key exchange from other parts of the computer that do not require this data. These operations are all performed on the smart card.
Portability of credentials and other private information between computers at work, home, or on the road.
Before You Begin
Smart card authentication requires Secure Sockets Layer (SSL) encryption. By default, Outlook Web Access uses SSL. If you have configured Outlook Web Access not to require SSL and you want your users to be able to use smart cards, you must reconfigure Outlook Web Access to require SSL. See How to Configure Outlook Web Access Virtual Directories to Use SSL.
You will also have to obtain and configure a certificate from a certification authority (CA). See the following resources for information about how to implement and manage smart cards:
The first step is obtaining and configuring a certificate from a CA. For information about how to obtain and configure a certificate from a CA, see the Secure Access Using Smart Cards Planning Guide.
For an overview of requirements for using smart cards, see Chapter 4 - Using Smart Cards to Help Secure Remote Access Accounts.
For links to information about how to use and administer smart cards, see Smart Card How To.
You may have to update your clients to enable them to use smart cards. For detailed information about how to achieve this, see Description of the software update for Base Smart Card Cryptographic Service Provider.
Smart cards provide a special kind of certificate authentication. After you have verified that the Client Access server has been configured to require SSL, and have obtained and configured a certificate from a CA, you must configure the Client Access server to use certificate authentication.
To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Procedure
To use IIS Manager 6.0 to configure the Outlook Web Access virtual directories to use certificate authentication
In IIS Manager, right-click Web Sites, and then click Properties.
On the Directory Security tab, verify that the Enable the Windows directory service mapper check box is selected.
Click OK to close Web Sites Properties.
Expand the Web site where you host your Outlook Web Access virtual directories. This is usually the Default Web Site. Right-click the Outlook Web Access virtual directory that you want to configure to use certificate authentication, and then click Properties.
On the Directory Security tab, in Secure Communications, click Edit.
In the Secure Communications section, select Require Secure Channel (SSL) if it is not already selected.
Note
If you are using an SSL certificate that was created during Microsoft Exchange Setup, an error message will appear to notify you that the certificate is not a trusted certificate. Make sure that you trust the certification authority (CA) that issued the certificate or use an SSL certificate that was issued by your trusted CA.
In the Client Certificates section, select Require Client Certificates.
Select Enable client certificate mapping.
Click OK to save your changes.
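The IIS Manager steps above set three bits of the virtual directory's AccessSSLFlags metabase property and the SSLUseDSMapper property at the W3SVC level. The following script is an added example, not part of the original article, that reads those properties back through the IIS 6.0 ADSI provider so you can confirm the configuration before handing the virtual directory to users. It assumes the Default Web Site has metabase ID 1 and that the virtual directory is named owa; change $SiteId and $VDir if yours differ.

```powershell
# Added example (not from the original article): verify the IIS 6.0 settings that
# the IIS Manager procedure above configures, by reading the metabase through ADSI.
# Assumptions: the Web site has metabase ID 1 and the virtual directory is "owa".
$SiteId = 1
$VDir   = "owa"

# AccessSSLFlags bit values from the IIS 6.0 metabase reference
$AccessSSL            = 0x008   # Require Secure Channel (SSL)
$AccessSSLRequireCert = 0x040   # Require Client Certificates
$AccessSSLMapCert     = 0x080   # Enable client certificate mapping

$w3svc = [ADSI]"IIS://localhost/W3SVC"
$vdir  = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT/$VDir"

$dsMapper = [bool]$w3svc.Properties["SSLUseDSMapper"].Value
$flags    = [int]$vdir.Properties["AccessSSLFlags"].Value

# One entry per check box the procedure asks you to select
$checks = @(
    @{ Name = "Enable the Windows directory service mapper (Web Sites)"; Ok = $dsMapper },
    @{ Name = "Require Secure Channel (SSL)";      Ok = (($flags -band $AccessSSL) -ne 0) },
    @{ Name = "Require Client Certificates";       Ok = (($flags -band $AccessSSLRequireCert) -ne 0) },
    @{ Name = "Enable client certificate mapping"; Ok = (($flags -band $AccessSSLMapCert) -ne 0) }
)

$missing = 0
foreach ($c in $checks) {
    if ($c.Ok) {
        Write-Host ("OK       {0}" -f $c.Name)
    } else {
        Write-Host ("MISSING  {0}" -f $c.Name)
        $missing++
    }
}

if ($missing -gt 0) {
    Write-Warning ("/{0} is not fully configured for certificate authentication ({1} setting(s) missing); smart card logon will not work as intended." -f $VDir, $missing)
}
```

Run the script on the Client Access server as a member of the local Administrators group. A MISSING line points at the exact check box in the procedure that still needs to be selected; an empty AccessSSLFlags value usually means the setting was applied to a different virtual directory or Web site than the one you intended.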
After you configure IIS Manager to use certificate authentication, you must disable all authentication methods on the Outlook Web Access virtual directories in Exchange. You can use the Exchange Management Console or Exchange Management Shell to do this.
To use the Exchange Management Console to configure Outlook Web Access to have no authentication method
In the Exchange Management Console, click Server Configuration, and then click Client Access.
Note
To enable Outlook Web Access to accept anonymous access, you must disable all forms of authentication.
On the Outlook Web Access tab, open the properties of the virtual directory that you want to configure to use anonymous access.
Click the Authentication tab.
Select Use one or more standard authentication methods.
Do not select an authentication method. If any authentication method is selected, click the check box to clear it.
Click OK.
You will receive a warning that you have not chosen an authentication method and that directs you to use the Exchange Management Shell to set an authentication method. Click OK to close the warning.
Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.
To use the Exchange Management Shell to configure Outlook Web Access to have no authentication method
Open the Exchange Management Shell on the Client Access server that is hosting the Outlook Web Access virtual directories that you must configure.
Note
To enable Outlook Web Access to accept anonymous access, you must disable all forms of authentication.
To disable forms-based authentication on the /owa virtual directory and the site named Default Web Site, run the following command.
Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FormsAuthentication $false
To disable all forms of standard authentication on the /owa virtual directory and the site named Default Web Site, run the following command.
Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -WindowsAuthentication $false
Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -BasicAuthentication $false
Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -DigestAuthentication $false
When the last active authentication method has been disabled, you will receive a warning that no authentication method is specified for the virtual directory and that directs you to use the Set-OwaVirtualDirectory cmdlet to specify an authentication method. Ignore this warning.
Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.
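The Exchange Management Shell steps above can be run as one script that also reads the settings back before restarting IIS, so that a typo in the identity or a cmdlet that did not take effect is caught before users are affected. The script below is an added example and is not part of the original article; it uses the same identity, owa (Default Web Site), as the commands above, and the only cmdlets it relies on are Set-OwaVirtualDirectory and Get-OwaVirtualDirectory.

```powershell
# Added example (not from the original article): disable every Outlook Web Access
# authentication method on one virtual directory, confirm the result with
# Get-OwaVirtualDirectory, and only then restart IIS.
# Assumption: the virtual directory identity is "owa (Default Web Site)".
$Identity = "owa (Default Web Site)"

# Turning off the last active method produces the "no authentication method is
# specified" warning described above; that warning is expected and can be ignored.
Set-OwaVirtualDirectory -Identity $Identity -FormsAuthentication   $false
Set-OwaVirtualDirectory -Identity $Identity -WindowsAuthentication $false
Set-OwaVirtualDirectory -Identity $Identity -BasicAuthentication   $false
Set-OwaVirtualDirectory -Identity $Identity -DigestAuthentication  $false

# Read the settings back rather than trusting that the Set-* calls succeeded.
$vdir    = Get-OwaVirtualDirectory -Identity $Identity
$stillOn = @()
foreach ($method in "FormsAuthentication", "WindowsAuthentication",
                    "BasicAuthentication", "DigestAuthentication") {
    if ($vdir.$method) { $stillOn += $method }
}

if ($stillOn.Count -gt 0) {
    # Do not restart IIS: a method is still enabled, so users could be offered
    # a password prompt instead of (or in addition to) the smart card.
    Write-Warning ("Authentication methods still enabled on {0}: {1}" -f $Identity, ($stillOn -join ", "))
} else {
    Write-Host "No Exchange authentication method is enabled on $Identity; IIS certificate authentication applies."
    # Apply the change without dropping requests that are already in progress.
    iisreset /noforce
}
```

Run the script in the Exchange Management Shell on the Client Access server that hosts the virtual directory. If Get-OwaVirtualDirectory reports a method as still enabled, check the identity string first; Set-OwaVirtualDirectory reports an error for an unknown identity, but a virtual directory on a differently named Web site is easy to overlook.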
For more information about syntax and parameters, see Set-OwaVirtualDirectory.
For More Information
For more information about authentication methods for Outlook Web Access, see Managing Outlook Web Access Security.