Pro-Exchange, Lync & Office 365
Restrict access to Exchange 2010 OWA by using Client Certificates

Introduction

Recently, I visited a customer who wanted to protect access to Outlook Web App (OWA) with more than just the user's credentials. They had already considered other options, such as using a token (e.g. RSA) or integrating a captcha into the OWA login form. However, these options required them to obtain additional licenses and products and were therefore not really an option.

Although my first choice would have been to use a TMG (Forefront Threat Management Gateway), I had to look for alternatives and came up with one that is relatively simple yet very effective: client certificates.

Client Certificates

Since OWA is essentially a web page published through IIS, you can easily protect the server, the website or individual virtual directories with client certificates. Once the option is enabled, users/devices that cannot present a valid certificate are denied access.

The client certificate solution requires that the following components are already in place (if not, you will have to deploy them):

  • An internal PKI
  • An (automated) way of pushing these certificates to the clients (preferably via GPO).

Note: clients can also request the certificate manually if you use web enrollment on your internal CA.

There are some great resources on TechNet that explain and show how to set up such an infrastructure:

 

How does it work?

The principle behind client certificate authentication is relatively simple and works in much the same way as a web server proving its identity to client computers.
The internal root CA generates a unique certificate for each computer/user. That certificate is installed on the client's computer. Upon authentication, the client presents that certificate to the web server. If the server can validate the certificate, the computer is granted access to the resource. In order for the web server to accept and check the validity of the presented certificate, it must trust the CA that issued it. Since our Exchange server is also a domain-joined computer, it trusts the internal CA as well and is therefore able to check/validate the certificates presented by the clients. Alternatively, you can also use certificates bought from a trusted third-party public CA. The flow looks like this:

1. The internal CA creates a certificate and also stores information about the certificate in Active Directory (maps certificate to a user).

2. The client stores this certificate in its local store.

3. Upon connection to the resource (OWA), the server requests the client's certificate, after which the client presents the certificate that was stored locally earlier.

4. The web server (CAS) looks up the client certificate to confirm its validity. If confirmed, the client is granted access.


Configuring IIS7

Assuming that Exchange 2010 (SP1) is installed on Windows Server 2008 R2, here are the steps you need to take to configure certificate-based authentication:

1. Open IIS Manager and navigate to the server node. Click 'Authentication' and enable Active Directory Client Certificate Authentication.


2. Navigate to the virtual directories you want to protect and double-click 'SSL Settings'. In this example we'll use OWA and ECP:


3. In the SSL Settings window, click 'Require' under Client certificates:


Repeat steps 2 and 3 for each virtual directory you want to protect.

4. Run 'iisreset /noforce' to apply the settings:


Authentication

We still need to configure the type of authentication to use in combination with the client certificates. If you don't want your users to type in a password at all, you can enable Integrated Windows Authentication by running the following cmdlet from the Exchange Management Shell:

[screenshot of the Exchange Management Shell cmdlet; not preserved]

Or, if you still want forms based authentication:

[screenshot of the Exchange Management Shell cmdlet; not preserved]

Note: make sure you disable the authentication methods you don't want to be available.

By going to the authentication options of the virtual directory (in IIS Manager), you can review which authentication options are enabled:

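An added example (not from the original post or from Microsoft) that scripts the four IIS steps and the Exchange authentication settings from this section in PowerShell, with a read-back check at the end. It assumes Exchange 2010 SP1 on Windows Server 2008 R2, the site name "Default Web Site", an elevated Exchange Management Shell on the CAS, and that the Identity strings and the list of virtual directories match your environment.

```powershell
# Added example, not the post's own code. Assumes Exchange 2010 SP1 on
# Windows Server 2008 R2, the IIS site "Default Web Site", and an elevated
# Exchange Management Shell on the Client Access Server.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$site  = 'Default Web Site'
$vdirs = @('owa', 'ecp')          # virtual directories to protect (assumed)

# Step 1: server-level "Active Directory Client Certificate Authentication".
# This needs the "Client Certificate Mapping Authentication" role service of
# the Web Server role; install it first if the call below fails.
Set-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
    -Name enabled -Value $true

# Steps 2 and 3: the "Require" radio button in SSL Settings sets all three flags.
foreach ($v in $vdirs) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$v" `
        -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'
}

# Authentication: choose ONE of the two variants described in the post and
# explicitly switch off the methods you do not want to be available.
# (a) Integrated Windows Authentication, no password prompt after the certificate:
Set-OwaVirtualDirectory -Identity "$env:COMPUTERNAME\owa ($site)" `
    -WindowsAuthentication $true -FormsAuthentication $false -BasicAuthentication $false
Set-EcpVirtualDirectory -Identity "$env:COMPUTERNAME\ecp ($site)" `
    -WindowsAuthentication $true -FormsAuthentication $false -BasicAuthentication $false
# (b) keep forms-based authentication instead (uncomment, and comment out (a)):
# Set-OwaVirtualDirectory -Identity "$env:COMPUTERNAME\owa ($site)" `
#     -FormsAuthentication $true -WindowsAuthentication $false -BasicAuthentication $false

# Step 4: apply the IIS changes.
iisreset /noforce

# Check: every protected vdir must report SslRequireCert, otherwise the
# certificate is merely negotiated and a client without one still gets in.
foreach ($v in $vdirs) {
    $flags = (Get-WebConfiguration -PSPath "IIS:\Sites\$site\$v" `
        -Filter 'system.webServer/security/access').sslFlags
    if ($flags -notmatch 'SslRequireCert') {
        Write-Warning "$v does NOT require a client certificate (sslFlags = $flags)"
    }
}
# Review the Exchange-side methods; only the intended ones should be True.
Get-OwaVirtualDirectory | Format-List Identity, *Authentication
```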

Client experience

If the user's computer has no client certificate, the following warning/error is displayed:


However, if the client computer has a certificate stored, the user is prompted to select a certificate:


After selecting the appropriate certificate, the user is taken to the login page (if FBA is enabled):


From there, users can continue by providing their credentials and logging in to OWA.


Posted 11-27-2011 7:59 by Michael Van Horenbeeck

Comments

toni.vervloet wrote re: Restrict access to Exchange 2010 OWA by using Client Certificates
on 12-06-2011 1:24

Hey Michael,

I thought the captcha solution was fine (especially because it can also be done on TMG). Cheap and it works. Managing client certs can be difficult, especially when there are problems. The one-time cost for a captcha is negligible in this case.

Captcha: www.ixpdata.com

Regards,

Toni Vervloet (hp)

Michael Van Horenbeeck wrote re: Restrict access to Exchange 2010 OWA by using Client Certificates
on 12-06-2011 6:38

Absolutely agree. Such a captcha is relatively easy to implement (as is integration with e.g. a token).

On the other hand, that doesn't immediately solve the problem of the domain-joined PCs.

Thanks for the link!

FilipDossche wrote re: Restrict access to Exchange 2010 OWA by using Client Certificates
on 04-19-2012 12:00

Michael,

Is enabling "Active Directory Client Certificate Authentication" a new option in E2K10? I can't find it in E2K7.

Furthermore, you select "require client certificates"; how is this configured in combination with a TMG?

Regards

Michael Van Horenbeeck wrote re: Restrict access to Exchange 2010 OWA by using Client Certificates
on 04-19-2012 3:02

Filip,

using client certificates to authenticate is not a function of Exchange 2010 but of IIS.

In IIS7 this is easy to do (see above). For Exchange 2007 it should - in theory - also work, although you will have to put in a bit more effort because you will have to map the client certificates to a user yourself:

technet.microsoft.com/.../cc758379%28v=ws.10%29.aspx

I have never tried it myself with E2K7, though...

Hope this helps!

Regards,

Michael

Koen Vermoesen wrote re: Restrict access to Exchange 2010 OWA by using Client Certificates
on 04-20-2012 1:35

I'd like to contribute to the discussion since I can take the right screenshots right now:

The first option can be found under "authentication"


and the options for client certificates in TMG can be found in the authentication properties of the listener:

Regards,

Koen

Michael Van Horenbeeck wrote re: Restrict access to Exchange 2010 OWA by using Client Certificates
on 04-22-2012 6:47

As Koen points out, you can - if you have a TMG, of course - also request client certificates via the TMG. Then you don't necessarily have to do that again on the Exchange server itself.

Of course, if your TMG is not domain-joined, you will have some extra work there again... :-)

Regards,

Michael