Configure Smart Card Authentication for Outlook Anywhere

[This topic is in progress.]

Smart cards and their associated personal identification numbers (PINs) provide an increasingly popular, reliable, and cost-effective form of two-factor authentication. When users access network resources using a smart card, they must both have the physical smart card and know the PIN associated with it. This combined requirement significantly reduces the likelihood of unauthorized access to an organization’s network resources.

Previous versions of Outlook Anywhere didn’t support smart card authentication. With Exchange Server 2010 SP1 and Outlook 2007 SP2, smart card authentication can now be used with Outlook Anywhere.

Prerequisites

Before you can use smart card authentication for Outlook Anywhere, you need to make sure your environment meets the following client and server requirements:

  • A client computer running Windows Vista SP1 or a later version, or Windows 7, as well as Microsoft Office 2007 SP2.

  • Exchange 2010 SP1 running on Windows Server 2008 R2 on your Client Access servers and Mailbox servers.

  • SSL terminates on the Client Access server. IIS on that server must receive the user's certificate during the SSL handshake, so a network device that terminates or pre-authenticates SSL sessions in front of Microsoft Exchange isn't supported.

  • All your Outlook client connections must use Outlook Anywhere. After you've enabled smart card authentication for Outlook Anywhere, other connection types, such as Outlook connecting directly over MAPI/RPC, won't work.

  • A physical smart card for each user that contains their user certificate. You can’t use software certificates stored in the local computer’s registry for this feature.

  • Split DNS may also be required if you've configured different namespaces for internal and external client access. After you enable this feature, all clients use Outlook Anywhere, so Outlook uses the Outlook Anywhere settings that the Autodiscover service provides. Typically, these are the values used by clients when they connect externally, so internal clients must be able to resolve the external host name.

Enable smart card authentication

To enable smart card authentication, perform the following steps on the Client Access server.

  1. Enable Outlook Anywhere, and then confirm that NTLM authentication is selected as the client authentication method. Verify that Outlook Anywhere connects successfully with these settings before you continue.
  2. Ensure that the ExternalUrl values of the Outlook Address Book (OAB) and Exchange Web Services (EWS) virtual directories are configured to use HTTPS.
  3. Run the following PowerShell script to configure the virtual directories:

     C:\Program Files\Microsoft\Exchange Server\V14\Scripts\Enable-OutlookCertificateAuthentication.ps1

  4. At a command prompt, set the IIS workaround by using the following command. (adsutil.vbs is located in %SystemDrive%\Inetpub\AdminScripts and requires the IIS 6 Management Compatibility role service; w3svc/1 is the metabase ID of the Default Web Site, so confirm the ID if that site was ever re-created.)

     Cscript adsutil.vbs set w3svc/1/SSLAlwaysNegoClientCert true

  5. Restart the Microsoft Exchange Forms-Based Authentication service (ExFBA).
  6. On each client computer, edit the registry and navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC (12.0 is the Office 2007 key). Add a new DWORD value named EnableVistaCredUI and set the value to 00000001.
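The following is an added example, not part of the original article or of the Exchange scripts. It runs steps 1 through 5 above from the Exchange Management Shell on a Client Access server, then reports the IIS state that Enable-OutlookCertificateAuthentication.ps1 leaves behind (the virtual directories it changes are listed in the next section), and ends with the per-client registry change from step 6 as a function to run on each client. Assumed values: the external host name mail.contoso.com, the Default Web Site as IIS site ID 1, adsutil.vbs under %SystemDrive%\Inetpub\AdminScripts, and MSExchangeFBA as the service name of the Forms-Based Authentication service.

```powershell
# Added example (not from the original article): drives steps 1 through 5 from the Exchange
# Management Shell on a Client Access server, then reports what the Exchange script changed.
# Assumptions: external host name mail.contoso.com, Default Web Site = IIS site ID 1,
# adsutil.vbs under %SystemDrive%\Inetpub\AdminScripts, and service name MSExchangeFBA.
$Cas = $env:COMPUTERNAME
$ExternalHostname = 'mail.contoso.com'   # placeholder: your Outlook Anywhere external name

# Step 1: Outlook Anywhere enabled, NTLM client authentication, SSL terminated on the CAS
$oa = Get-OutlookAnywhere -Server $Cas -ErrorAction SilentlyContinue
if (-not $oa) {
    Enable-OutlookAnywhere -Server $Cas -ExternalHostname $ExternalHostname `
        -ClientAuthenticationMethod Ntlm -SSLOffloading $false
    $oa = Get-OutlookAnywhere -Server $Cas
}
if ("$($oa.ClientAuthenticationMethod)" -ne 'Ntlm' -or $oa.SSLOffloading) {
    throw "Outlook Anywhere on $Cas must use NTLM without SSL offloading; fix it and test a client first."
}

# Step 2: OAB and EWS ExternalUrl must be https:// (ExternalUrl is a System.Uri)
foreach ($vdir in @(Get-OabVirtualDirectory -Server $Cas) + @(Get-WebServicesVirtualDirectory -Server $Cas)) {
    if (-not $vdir.ExternalUrl -or $vdir.ExternalUrl.Scheme -ne 'https') {
        throw "$($vdir.Identity): ExternalUrl is '$($vdir.ExternalUrl)'; it must be an https:// URL."
    }
}

# Step 3: run the Exchange script from the install path that Setup recorded in the registry
$installPath = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\Setup').MsiInstallPath
& (Join-Path $installPath 'Scripts\Enable-OutlookCertificateAuthentication.ps1')

# Step 4: IIS workaround. w3svc/1 is the metabase ID of the Default Web Site (assumed); check the
# ID in IIS Manager if that site was ever re-created. Needs IIS 6 Management Compatibility.
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
& cscript.exe //nologo $adsutil set w3svc/1/SSLAlwaysNegoClientCert true
& cscript.exe //nologo $adsutil get w3svc/1/SSLAlwaysNegoClientCert   # read back the stored value

# Step 5: restart Forms-Based Authentication (assumed service name)
Restart-Service MSExchangeFBA

# Report the IIS result: each virtual directory should now negotiate (RpcWithCert: require)
# an SSL client certificate and have certificate-to-AD mapping enabled.
function Format-SslFlags($raw) {
    # Microsoft.Web.Administration may hand back the flags numerically; decode to the appcmd names
    if ("$raw" -notmatch '^\d+$') { return "$raw" }
    $names = @{ 8 = 'Ssl'; 32 = 'SslNegotiateCert'; 64 = 'SslRequireCert'; 128 = 'SslMapCert'; 256 = 'Ssl128' }
    $set = foreach ($bit in ($names.Keys | Sort-Object)) { if ([int64]$raw -band $bit) { $names[$bit] } }
    if ($set) { $set -join ', ' } else { 'None' }
}
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.Web.Administration') | Out-Null
$iis = New-Object Microsoft.Web.Administration.ServerManager
try {
    $config = $iis.GetApplicationHostConfiguration()
    $paths = @('Default Web Site/Autodiscover', 'Default Web Site/EWS', 'Default Web Site/ECP',
               'Default Web Site/OAB', 'Default Web Site/RpcWithCert')
    foreach ($path in $paths) {
        $flags   = Format-SslFlags ($config.GetSection('system.webServer/security/access', $path)['sslFlags'])
        $mapping = [bool]$config.GetSection('system.webServer/security/authentication/clientCertificateMappingAuthentication', $path)['enabled']
        Write-Output ("{0,-30} sslFlags={1,-36} adCertMapping={2}" -f $path, $flags, $mapping)
        $needsCert = if ($path -like '*/RpcWithCert') { 'SslRequireCert' } else { 'SslNegotiateCert|SslRequireCert' }
        if ($flags -notmatch $needsCert -or -not $mapping) {
            Write-Warning "$path is not set up for client certificate authentication; re-run the script."
        }
    }
}
finally { $iis.Dispose() }

# Step 6 is a per-client change (Outlook 2007 uses the Office 12.0 key). Call this function on
# each client computer, not on the Client Access server.
function Enable-OutlookSmartCardCredUi {
    $rpcKey = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\RPC'
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    New-ItemProperty -Path $rpcKey -Name 'EnableVistaCredUI' -PropertyType DWord -Value 1 -Force | Out-Null
}
```

The throw in steps 1 and 2 stops the run before the Exchange script is invoked, because the script only adds client certificate requirements to the virtual directories and does not fix the NTLM or HTTPS prerequisites for you. The report at the end is the quickest way to confirm the IIS changes took, and its output is also the baseline to compare against if you later run the disable script below.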

The Enable-OutlookCertificateAuthentication.ps1 script performs the following actions:

  1. Determines whether Outlook Anywhere is enabled

  2. Ensures that the Validports_Autoconfig_Exchange registry key is present

    Warning

    This would only be missing if Outlook Anywhere was enabled very recently.

  3. Ensures that the Outlook Address Book virtual directory has HTTPS access enabled

  4. Checks to confirm that the Active Directory Client Certificate authentication module is installed

  5. Changes the SSL certificate authentication requirements for all required virtual directories to enable SSL Client Certificate authentication

  6. Restarts IIS to enable the changes to take effect

  7. Restarts the MSExchangeFDS service

  8. Creates or updates the Outlook Address Book web.config file, as required

  9. Creates the Outlook Address Book AppPool

Warning

After smart card authentication has been enabled, Outlook client connections for mail and directory services are made to the RpcWithCert virtual directory on the Client Access server instead of to the RPC virtual directory.

Disable smart card authentication

If you encounter problems after enabling smart card authentication, you can disable smart card authentication by using a script that reverts the IIS changes made by Enable-OutlookCertificateAuthentication.ps1. Follow the instructions detailed in Scripting with the Exchange Management Shell, and include the following code in your script.

# Globals
$ComputerName = [string]$Env:COMPUTERNAME

# IIS paths of the virtual directories that Enable-OutlookCertificateAuthentication.ps1 modified
$AutoDiscoverPath    = "Default Web Site/Autodiscover"
$EwsPath             = "Default Web Site/EWS"
$EcpPath             = "Default Web Site/ECP"
$OabPath             = "Default Web Site/OAB"
$RpcHttpWithCertPath = "Default Web Site/RpcWithCert"

# Initialize the IIS configuration management object (Microsoft.Web.Administration ships with IIS 7)
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration") | Out-Null
$Iis = New-Object Microsoft.Web.Administration.ServerManager

# Sets sslFlags back to "Ssl" (require SSL, ignore client certificates) and disables
# client-certificate-to-AD mapping on the given virtual directory
function DisableClientCertAuthForPath ([string]$IisPath)
{
    Write-Output "Disabling Request-Client-Certs + AD Cert Mapping for: $IisPath."
    $config = $Iis.GetApplicationHostConfiguration()

    # "Ssl" alone requires SSL but neither negotiates nor requires a client certificate
    $accessSection = $config.GetSection("system.webServer/security/access", $IisPath)
    $accessSection["sslFlags"] = "Ssl"

    # Turn off mapping of client certificates to Active Directory accounts
    $clientCertMappingSection = $config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", $IisPath)
    $clientCertMappingSection["enabled"] = $false
    $Iis.CommitChanges()
}

# Disables client-certificate-to-AD mapping only, either server-wide (empty path) or on a
# single virtual directory. Used for RpcWithCert, where the client certificate remains
# *required* at the SSL layer, so sslFlags is left untouched.
function DisableAdClientCertAuthForPath ([string]$IisPath)
{
    $config = $Iis.GetApplicationHostConfiguration()
    if ($IisPath -eq "")
    {
        Write-Output "Disabling AD Cert Mapping feature in IIS."
        $clientCertMappingSection = $config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication")
    }
    else
    {
        Write-Output "Disabling AD Cert Mapping for: $IisPath."
        $clientCertMappingSection = $config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", $IisPath)
    }

    $clientCertMappingSection["enabled"] = $false
    $Iis.CommitChanges()
}


# Main
Write-Output "Disabling client certificate authentication for Outlook Anywhere on $ComputerName..." ""

# Only proceed if Outlook Anywhere is configured on this Client Access server
if (Get-OutlookAnywhere -Server $ComputerName)
{
    Write-Output "Outlook Anywhere is configured on current machine. Proceeding."
}
else
{
    Write-Warning "Outlook Anywhere is not enabled on this machine. Exiting."
    $Iis.Dispose()
    return
}

# IIS: disable server-wide client-certificate-to-AD mapping, then reset each virtual directory
DisableAdClientCertAuthForPath ""                # Global
DisableClientCertAuthForPath $AutoDiscoverPath   # Autodiscover
DisableClientCertAuthForPath $EwsPath            # EWS
DisableClientCertAuthForPath $EcpPath            # ECP
DisableClientCertAuthForPath $OabPath            # OAB

# IIS: Outlook Anywhere: disable AD mapping only (client certificate auth is already *required* on this vdir)
DisableAdClientCertAuthForPath $RpcHttpWithCertPath   # RpcWithCert

# Restarting FDS rewrites the default OAB ACLs, including a Deny read for the Anonymous account
Write-Output "Restarting Microsoft Exchange File Distribution Service"
Restart-Service MSExchangeFDS


Write-Output "Done! $ComputerName is no longer configured for Outlook Anywhere with client certificate authentication."
$Iis.Dispose()