In my last post I showed how to set up OWA certificate based authentication on a Windows 2003 CAS with ISA 2006. In this post, I will cover how to set this up when your Client Access server is running on Windows 2008 server without being published with ISA server.

Note: These steps are only for Exchange 2007 mailboxes, and will not work for the /Exchange virtual directory. Your PKI infrastructure should already be in place as well. This can be a Windows 2003 or Windows 2008 Enterprise certificate server, or your favorite third party vendor.

First up is to see if the Client Certificate Mapping Authentication [Web-Client-Auth] component of IIS is installed. This component is not required to install Exchange 2007 so will most likely need to be installed. You can add this via Server Manager or with the ServerManagerCMD like below.  A reboot of the server is required after the install.

1. ServermanagerCMD -query  will give you a list of components installed. Look at the Web Server/Security section and see if Web-Client-Auth is installed. If not, install it.
2. ServerManagerCMD -install  Web-Client-Auth

After the reboot you can begin configuring IIS.
1. Open IIS Manager and highlight the server name in the left hand pane.
2. Double click the Authentication icon in the middle pane.
3. Right click on Active Directory Client Certificate Authentication and select Enable.
4. Select the OWA virtual directory in the left pane under the Default Web Site.
5. Double click on the SSL Settings icon.
6. Set the Client Certificates radio button to Require.
7. Click Apply.

The next settings for IIS need to be done using the appcmd.exe command line utility. This is located in the windows\system32\inetsrv directory. This command allows you to unlock the XML configuration file to allow Client Certificate Mapping Authentication to be enabled.

1. appcmd unlock config /section:clientCertificateMappingAuthentication
2. appcmd set config "Default Web Site/OWA" -section:clientCertificateMappingAuthentication /enabled:true

Now just configure the OWA virtual directory from the Exchange Management shell. This will turn off forms based authentication, set Windows Authentication and Basic Authentication to false. Users will be required to present a certificate to access OWA after this step.

1. set-owavirtualdirectory -identity "server-name\OWA (Default Web Site)" -WindowsAuthentication:$false -BasicAuthentication:$false FormsAuthentication:$False
2. IISreset /noforce

More information:

There is a new IIS 7 Administration Pack that has been released. This tool adds a configuration editor to the feature view in IIS manager. This will allow you to make the certificate mapping changes in IIS manager instead of using the AppCmd.exe utility. This tool is still a technical preview tool so I did not cover the steps. If you are interested you can get more details over on the iis.net page here, and download the tool here.

-- DJ Ball