Configure certificate based authentication in Exchange 2016

Exchange 2016
 

Applies to: Exchange Server 2016

Topic Last Modified: 2017-04-11

Learn how to configure Exchange 2016 CU1 or later to use certificate based authentication for Outlook on the web and ActiveSync.

Certificate based authentication (CBA) in Exchange allows Outlook on the web (formerly known as Outlook Web App) and Exchange ActiveSync clients to be authenticated by client certificates instead of entering a user name and password.

Before you configure Exchange, you need to issue a client certificate to each user. Because of the sheer number of certificates involved, you should use an automated internal public key infrastructure (PKI) to issue and manage the client certificates. An example of an automated internal PKI is Active Directory Certificate Services (AD CS). For more information about AD CS, see Active Directory Certificate Services Overview. Here's more information about the certificate requirements:

  • The client certificate must be issued for client authentication (for example, the default User certificate template in AD CS).

  • The client certificate must contain the user principal name (UPN) of the user (in the certificate's Subject or Subject Alternative Name fields).

  • The client certificate must be associated with the user account in Active Directory.

  • All servers and devices that are involved in access to Outlook on the web and ActiveSync (including proxy servers and client devices) must trust the entire chain of trust for the client certificates (the root certificate of the certification authority, and any intermediate CAs that were used to issue certificates).

For CBA in Outlook on the web, the client certificate needs to be installed on the local computer, device, or on a smart card. For CBA in ActiveSync, the client certificate needs to be installed on the local device. You can automate the installation of certificates on devices by using a mobile device management (MDM) solution like Intune. For more information about Intune, see Overview of Microsoft Intune.

tipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

All Exchange servers that share the same namespace and URLs need to use the same authentication methods. You need to install the Client Certificate Mapping Authentication feature on all of your Exchange servers.

In the Exchange Management Shell, run the following command:

Install-WindowsFeature Web-Client-Auth

For detailed syntax and parameter information, see Install-WindowsFeature.

  1. Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to press Windows key + Q, type inetmgr, and select Internet Information Services (IIS) Manager in the results.

  2. Select the server, and verify Features View is selected at the bottom of the page.

  3. In the IIS section, double-click Authentication.

    In IIS, select the Server, then select Authentication
  4. On the Authentication page that opens, select Active Directory Client Certificate Authentication from the list, and in the Actions pane, click Enable.

    Authentication page of the server in IIS

    You'll see a warning that SSL must be enabled to use Active Directory Client Certificate Mapping.

Note: You need to require client certificates, because accepting client certificates (to support both CBA and regular user name and password authentication) doesn't work consistently across all types of ActiveSync devices.

  1. In IIS Manager, expand the server, expand Sites, and then expand Default Web Site.

  2. Select the owa virtual directory, and verify Features View is selected at the bottom of the page.

  3. In the IIS section, double-click SSL Settings.

  4. On the SSL Settings page, verify Require SSL is checked, and select the Client certificates value Require.

  5. In the Actions pane, click Apply.

    In IIS, in the SSL settings of the virtual directory, select Require under Client certificates
  6. Select the Microsoft-Server-ActiveSync virtual directory.

  7. In the IIS section, double-click SSL Settings.

  8. On the SSL Settings page, verify Require SSL is checked, and select the Client certificates value Require.

  9. In the Actions pane, click Apply.

Note: To perform these procedures on the command line, open an elevated command prompt on the Exchange server (a Command Prompt window you open by selecting Run as administrator) and run the following commands:

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/owa/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-ActiveSync/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost

After you require client certificates for authentication, you need to disable all other authentication methods on the Outlook on the web and ActiveSync virtual directories. By default, only Basic authentication and Forms authentication are enabled.

  1. In the Exchange Management Shell, replace <ServerName> with the name of your Exchange server, and run the following command to disable all other authentication methods on the Outlook on the web virtual directory:

    Set-OwaVirtualDirectory "<ServerName>\owa (Default Web Site)" -BasicAuthentication $false -WindowsAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -AdfsAuthentication $false -OAuthAuthentication $false
    

    For detailed syntax and parameter information, see Set-OwaVirtualDirectory.

  2. Replace <ServerName> with the name of your Exchange server, and run the following command to disable all other authentication methods on the ActiveSync virtual directory:

    Set-ActiveSyncVirtualDirectory "<ServerName>\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $false -WindowsAuthEnabled $false
    

    For detailed syntax and parameter information, see Set-ActiveSyncVirtualDirectory.

importantImportant:
After you perform this step, running the Set-ActiveSyncVirtualDirectory cmdlet might disable the client certificate mapping for ActiveSync.
  1. In IIS Manager, expand the server, expand Sites, and then expand Default Web Site.

  2. Select the owa virtual directory, and verify Features View is selected at the bottom of the page.

  3. In the Management section, double-click Configuration Editor.

  4. On the Configuration Editor page, click the drop down on Section, and navigate to system.webServer > security > authentication > clientCertificateMappingAuthentication.

    Select clientCertificateMappingAuthentication in Configuration Manager in IIS for the owa virtual directory
  5. Set the enabled value to True, and in the Actions pane, click Apply.

    Enable clientCertificateMappingAuthentication value in Configuration Editor in IIS for the owa virtual directory
  6. Select the Microsoft-Server-ActiveSync virtual directory.

  7. In the Management section, double-click Configuration Editor.

  8. On the Configuration Editor page, click the drop down on Section, and navigate to system.webServer > security > authentication > clientCertificateMappingAuthentication.

  9. Set the enabled value to True, and in the Actions pane, click Apply.

Note: To perform these procedures on the command line, open an elevated command prompt on the Exchange server and run the following commands:

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/owa/" -section:system.webserver/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-ActiveSync/" -section:system.webserver/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

You only need to perform this step if you aren't using AD CS to issue the client certificates. This setting indicates that the certification authority (CA) is trusted to issue client certificates for Active Directory authentication.

  1. Export the CA's root certificate to a Base-64 encoded or DER binary encoded X.509 .cer file. In this example, we'll use C:\Data\CARoot.cer.

  2. On any domain member server (for example, a domain controller or an Exchange server), open an elevated command prompt run the following command:

    %windir%\system32\certutil.exe -enterprise -addstore NTAuth "C:\Data\CARoot.cer"
    

    Note that this step requires membership in the Enterprise Admins group.

If your clients receive errors, you might need to increase the uploadReadAheadSize values in the IIS metabase to allow for the request headers. For more information, see Client cannot renegotiate request and returns an HTTP 413 error.

  1. In IIS Manager, expand the server, expand Sites, and then expand Default Web Site.

  2. Select the owa virtual directory, and verify Features View is selected at the bottom of the page.

  3. In the Management section, double-click Configuration Editor.

  4. On the Configuration Editor page, click the drop down on Section, and navigate to systemwebServer > serverRuntime.

    Select serverRuntime in Configuration Editor in IIS for the owa virtual directory
  5. Set the uploadReadAheadSize value to 49152, and in the Actions pane, click Apply.

    Change the uploadReadAheadSize value in Configuration Editor in IIS for the owa virtual directory
  6. Select the Microsoft-Server-ActiveSync virtual directory.

  7. In the Management section, double-click Configuration Editor.

  8. On the Configuration Editor page, click the drop down on Section, and navigate to systemwebServer > serverRuntime.

  9. Set the uploadReadAheadSize value to 49152, and in the Actions pane, click Apply.

Note: To perform these procedures on the command line, open an elevated command prompt on the Exchange server and run the following commands:

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/owa/" -section:system.webserver/serverRuntime /uploadReadAheadSize:49152
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-ActiveSync/" -section:system.webserver/serverRuntime /uploadReadAheadSize:49152
 
Show: