How to Configure Certificate Based Authentication for OWA - Part I

re: How to Configure Certificate Based Authentication for OWA - Part I

DJ Ball — Wed, 12 Nov 2008 19:22:59 GMT

This can be configured to work without ISA server. You just need to configure IIS to accept client certificates. Look at the following articles for IIS 6 configurations.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/751c99bd-9657-41a5-b541-569d305872ef.mspx?mfr=true

and

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/096519f4-3079-4571-9d28-8e5d286c5ab9.mspx?mfr=true

In my follow up post I will document how to set up IIS 7 for certificate based authentication.

re: How to Configure Certificate Based Authentication for OWA - Part I

Abdul — Wed, 12 Nov 2008 15:52:12 GMT

Is it necessary to have ISA Server 2006 in front of CAS or can we get it to work without an advanced firewall?

re: How to Configure Certificate Based Authentication for OWA - Part I

Chris — Thu, 23 Oct 2008 05:21:47 GMT

I have used MS and non-MS certificate servers with this and it works. WS2008/Longhorn issued certificates work just fine. ...whether or not they have been tested and supported is up to the Microsoft Exchantge Team to reply.

Users in public places can still utilize their user credentials with password and risk having keystroke loggers capture those credentials. In many cases companies have Windows Mobile users and That's the risk. The other option is to have the kiosk in the public location install the smartcard reader and the software. Some actually will as long as you are paying the time on the machine.

This solution still does not mitigate any analog attacks or prevent digital attacks such as screen scrapers or keystroke loggers, from capturing screenshots or prevent keystroke loggers from capturing and assembling keystrokes. In all honesty if most companies require two-factor auth they may have policies against using public systems to access their network. I don't know of many companies that force smart card authentication but there may be some in healthcare and banking that require it. The US government does require it with the published HSPD-12 directives signed into law a few years back.

It would be a perfect world if Outlook and OCS could support SC logons like IE could, would it not? Granted the paranoid admin in me really likes having VPN solutions for home users that sequester a machine until after it passes NAC checks allowing them access to only required servers (such as E-mail, and NAC/NAP remediation servers) as well as requiring anything downloaded to their home machine be rights protected (lots of people are getting laid off nowadays...)

/soapbox

Have a great afternoon!,

Chris

re: How to Configure Certificate Based Authentication for OWA - Part I

Peter — Sat, 18 Oct 2008 03:29:37 GMT

Could you get this to work on SBS 2008 which will not have ISA in it?

re: How to Configure Certificate Based Authentication for OWA - Part I

Firoz — Wed, 15 Oct 2008 07:19:34 GMT

but users accessing OWA from public places will have trouble, rather cannot make use of this certificate authentication. right? assuming these public computers do not have smart card readers

re: How to Configure Certificate Based Authentication for OWA - Part I

Matt — Tue, 14 Oct 2008 00:58:49 GMT

When will the Outlook client support certificate based authentication with Outlook Anywhere?

re: How to Configure Certificate Based Authentication for OWA - Part I

Mike — Mon, 13 Oct 2008 15:52:11 GMT

You said: "Requirements... A Windows 2003 Certificate Server"
Why not 2008? Will this also work?