
Exchange 2010 PKI Configuration Guide

Overview

1. Summary
2. Environment
3. Configuration
   a) Active Directory Configuration
   b) CA Configuration
   c) Exchange Server IIS Configuration
   d) Exchange Configuration
4. Testing on Exchange OWA PKI access

1. Summary

This guide describes how to configure Exchange 2010 client authentication using PKI: users log on to Outlook Web App and ActiveSync with X.509 client certificates issued by an Active Directory Certificate Services enterprise CA instead of passwords.

2. Environment

This document was written for a single-domain environment. The CA role was installed on the domain controller.

Item  Operating System        IP Address    Host                                        Role
1     Windows Server 2008 R2  10.100.5.181  Win2k8dc.c6f1r1.cloud                       Domain Controller
2     Windows Server 2008 R2  10.100.5.181  Win2k8dc (same host as item 1)              Enterprise Root CA
3     Windows Server 2008 R2  10.100.5.183  EXCHANGE2010 (exchange2010.c6f1r1.cloud)    Exchange Server
4     Windows 7 Enterprise    10.100.5.180  Client computer                             OWA testing

3. Configuration

3.1 Windows Server 2008 R2 Active Directory Configuration

In the Group Policy Management snap-in,

Expand Forests: c6f1r1.cloud

Expand Domains

Expand c6f1r1.cloud

Right click Default Domain Policy

Select Edit to open the Group Policy Management Editor

In the Group Policy Management Editor snap-in, go to “User Configuration” container

Expand Policies

Expand Windows Settings

Expand Security Settings

Select Public Key Policy

On the right pane, double click on Certificate Services Client – Auto-Enrollment

In the Configuration Model drop-down list select Enabled, then check “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates”. Keep the other settings at their defaults and click OK to save.

Because this setting lives under User Configuration of the Default Domain Policy, it applies to every domain user who logs on to a domain-joined computer: the user automatically receives a certificate from any published template that grants them the Autoenroll permission (configured in section 3.2). The test client in section 4 therefore only obtains a certificate once it has been joined to the domain.

3.2 Windows Server 2008 R2 CA Configuration

In the Certification Authority snap-in,

Expand c6f1r1-WIN2K8DC-CA

Right click Certificate Templates

Select Manage

In the Certificate Templates Console, right-click the User template and select Duplicate Template.

Choose Windows Server 2003 Enterprise and click OK.

On the General tab, set the Template display name to AutoEnroll-User and fill in the remaining fields as shown in the screenshot.

On the Security tab, follow the screenshot: the users (or group) who should receive certificates need the Read, Enroll and Autoenroll permissions on the template, since auto-enrollment requires all three.

Click OK to save and return to the Certification Authority snap-in.

In the Certification Authority snap-in,

Right click Certificate Templates

Select New

Select Certificate Template to Issue

Select the newly created template AutoEnroll-User and click OK

The template now appears in the right pane of the Certificate Templates folder, which means the CA will issue certificates from it.
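The following PowerShell script is an added verification example for sections 3.1 and 3.2; it is not part of the original guide. Run on a domain-joined computer as one of the target users, it checks the AutoEnroll-User template object in Active Directory (auto-enrollment flag, UPN in the subject alternative name, no enrollee-supplied subject, Client Authentication EKU, who holds the Autoenroll right), confirms the CA publishes the template, triggers auto-enrollment, and inspects the certificate that arrives. The template name and CA name are the guide's; the flag values and the rights GUID are the documented msPKI constants.

```powershell
# Added example (not part of the original guide). Run on a domain-joined computer as a
# user who is supposed to receive a certificate. It checks the AutoEnroll-User template
# in Active Directory, confirms the CA publishes it, triggers auto-enrollment and then
# inspects the certificate that arrived. Only the two names below come from the guide.
$TemplateName = 'AutoEnroll-User'
$CaConfig     = 'win2k8dc.c6f1r1.cloud\c6f1r1-WIN2K8DC-CA'   # CAServer\CAName

# --- Template definition, stored in the Configuration partition -------------------
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$enrollFlags = [int]$tmpl.psbase.Properties['msPKI-Enrollment-Flag'].Value
$nameFlags   = [int]$tmpl.psbase.Properties['msPKI-Certificate-Name-Flag'].Value
$ekus        = @($tmpl.psbase.Properties['pKIExtendedKeyUsage'])

$checks = @{}
# CT_FLAG_AUTO_ENROLLMENT (0x20): without it the GPO from 3.1 ignores the template
$checks['Template is flagged for auto-enrollment'] = (($enrollFlags -band 0x20) -ne 0)
# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN (0x02000000): the UPN in the SAN is what IIS maps to the AD account
$checks['SAN will carry the UPN']                  = (($nameFlags -band 0x02000000) -ne 0)
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) must be off: otherwise an enrollee could request
# a certificate naming another user's UPN and log on to that user's mailbox
$checks['Enrollee cannot choose its own subject']  = (($nameFlags -band 0x1) -eq 0)
# id-kp-clientAuth is required for TLS client authentication
$checks['Client Authentication EKU on template']   = ($ekus -contains '1.3.6.1.5.5.7.3.2')

# Who holds the Autoenroll extended right (well-known control-access-right GUID)
$autoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$autoEnrollees = $tmpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $autoEnrollRight } |
    ForEach-Object { $_.IdentityReference.Value }

# --- Is the template published on the CA? (step "Certificate Template to Issue") ---
$checks['Template is published on the CA'] = @(certutil -config $CaConfig -CATemplates |
    Select-String -SimpleMatch $TemplateName).Count -gt 0

# --- Client side: run auto-enrollment now and look for the issued certificate -----
certutil -pulse | Out-Null          # trigger the auto-enrollment task instead of waiting for the timer
Start-Sleep -Seconds 10
$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid } |
            ForEach-Object { $_.Format($false) }
    ) -match [regex]::Escape($TemplateName)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate from template '$TemplateName' in Cert:\CurrentUser\My. Check gpresult /r and the CA's Failed Requests folder."
}
$san = [string]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
$checks['Issued certificate chains to a trusted root']    = $cert.Verify()
$checks['Issued certificate has Client Authentication EKU'] = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
$checks['Issued certificate SAN contains a UPN']          = ($san -match 'Principal Name=')

$checks.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Name }
"Autoenroll granted to : $($autoEnrollees -join ', ')"
"Certificate           : $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"
```

A FAIL on the enrollee-supplied-subject check would mean anyone with Enroll on the template could obtain a certificate for an arbitrary UPN, which defeats the certificate-to-account mapping; a duplicate of the User template does not allow it by default, so leave it that way. Also note that the User template requires the requester's mail attribute to be populated; users without one fail to enroll and appear in the CA's Failed Requests folder.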

3.3 IIS Configuration

Open Internet Information Services (IIS) Manager snap-in

Select the server node EXCHANGE2010 (C6F1R1\administrator)

Open Authentication in the IIS section

Set Active Directory Client Certificate Authentication to Enabled (the entry is only listed if the IIS role service Client Certificate Mapping Authentication is installed)

Expand Sites

Select Default Web Site

Open SSL Settings in IIS section

Check Require SSL

Choose Require for Client certificates:

To make OWA itself require SSL and a client certificate, go back to the Internet Information Services (IIS) Manager snap-in,

Expand Sites

Expand Default Web Site

Select owa

Open SSL Settings in IIS section

Check Require SSL

Choose Require for Client certificate:

To turn on client certificate mapping for the OWA virtual directory, so that the certificate a user presents is mapped to their Active Directory account and used to log on instead of a password, go back to the Internet Information Services (IIS) Manager snap-in,

Expand Sites


Expand Default Web Site

Select owa

Open Configuration Editor in Management section

In the Section drop down list,

Expand system.webServer

Expand security

Expand authentication

Select clientCertificateMappingAuthentication and set its enabled attribute to True

To make ActiveSync require SSL and a client certificate, go back to the Internet Information Services (IIS) Manager snap-in,

Expand Sites

Expand Default Web Site

Select Microsoft-Server-ActiveSync

Open SSL Settings in IIS section

Check Require SSL

Choose Require for Client certificate:

To turn on client certificate mapping for the ActiveSync virtual directory, so that the device certificate is mapped to the Active Directory account and used to log on instead of a password, go back to the Internet Information Services (IIS) Manager snap-in,

Expand Sites

Expand Default Web Site

Select Microsoft-Server-ActiveSync

Open Configuration Editor in Management section

In the Section drop down list,

Expand system.webServer

Expand security

Expand authentication

Select clientCertificateMappingAuthentication and set its enabled attribute to True
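The same IIS changes expressed with the WebAdministration module, added here as an example and not taken from the guide; run it in an elevated PowerShell on the Exchange server. Site and virtual directory names match the GUI steps above; nothing else is assumed. It also reads the effective settings back at the end, which the GUI procedure does not do.

```powershell
# Added example (not part of the original guide): WebAdministration equivalent of
# section 3.3, run elevated on the Exchange server. Installs the AD client-certificate
# mapping feature if missing, enables it at server level, sets "Require SSL" +
# "Require client certificates" on the site and the two virtual directories, turns on
# certificate mapping for owa and Microsoft-Server-ActiveSync, then reads it all back.
Import-Module ServerManager
Import-Module WebAdministration

# IIS role service behind the "Active Directory Client Certificate Authentication" icon
if (-not (Get-WindowsFeature Web-Client-Auth).Installed) {
    Add-WindowsFeature Web-Client-Auth | Out-Null
}

$AppHost   = 'MACHINE/WEBROOT/APPHOST'
$MapAuth   = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$Access    = 'system.webServer/security/access'
$Site      = 'Default Web Site'
$CertVdirs = "$Site/owa", "$Site/Microsoft-Server-ActiveSync"

# 1. Server level: enable AD client certificate mapping (the step done under the server node)
Set-WebConfigurationProperty -PSPath $AppHost -Filter $MapAuth -Name enabled -Value $true

# 2. Require SSL and a client certificate. Both sections are locked at server level, so
#    they are written as <location> entries in applicationHost.config (-Location),
#    which is what IIS Manager does, rather than into each web.config.
foreach ($loc in @($Site) + $CertVdirs) {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $Access `
        -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'
}

# 3. Map the presented certificate to the AD account for the two client-facing directories
foreach ($loc in $CertVdirs) {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $MapAuth -Name enabled -Value $true
}

# 4. Read back the effective configuration per location
foreach ($loc in @($Site) + $CertVdirs) {
    $ssl = (Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter $Access).sslFlags
    $map = (Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter $MapAuth).enabled
    '{0,-45} sslFlags={1,-40} certMapping={2}' -f $loc, $ssl, $map
}
```

Setting Require SSL and Require client certificates on Default Web Site, as the guide does, is inherited by every child virtual directory that has no explicit setting of its own (Autodiscover, EWS, OAB and the rest), so clients of those services that present no certificate are locked out as well. If that is not intended, apply the sslFlags line only to the owa and Microsoft-Server-ActiveSync locations.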

3.4 Exchange 2010 Configuration

This section first switches OWA and ActiveSync to certificate-based authentication, then generates a certificate request in the Exchange Management Console, submits it to the CA to issue a certificate, and installs the issued certificate back on the Exchange server.

Open Exchange Management Console

Expand Microsoft Exchange On-Premises

Expand Server Configuration

Select Client Access

In the right pane, select the tab Outlook Web App

Open owa (Default Web Site). On the Authentication tab choose “Use one or more standard authentication methods” and select Integrated Windows authentication; this turns off forms-based authentication, which would otherwise prompt for a password. Restart IIS afterwards (iisreset) so the change takes effect.

Open Exchange Management Console

Expand Microsoft Exchange On-Premises

Expand Server Configuration

Select Client Access

In the right pane, select tab Exchange ActiveSync

Open Microsoft-Server-ActiveSync (Default Web Site)

To make clients authenticate with a certificate, select Require client certificates and uncheck Basic authentication (Basic sends the password Base64-encoded, effectively in clear text, protected only by the TLS tunnel; with certificate authentication it is not needed).

Open Exchange Management Console

Expand Microsoft Exchange On-Premises

Expand Server Configuration

In the right pane, under the Exchange Certificates section, right-click in the white space and select New Exchange Certificate. Follow the screenshots to proceed through the wizard; the request file is saved to E:\certrequest.req.

You will see a pending certificate signing request (CSR) in the Exchange Management Console.

Open the request file E:\certrequest.req (the path entered in the wizard) in Notepad to review it. The file is a Base-64 PKCS #10 request; it contains only the public key and subject information, and the private key never leaves the Exchange server.

Open Internet Explorer and connect to the CA's web enrollment pages to request the certificate for Exchange (e.g. http://win2k8dc.c6f1r1.cloud/certsrv).

On the CA web enrollment welcome page,

Under Select a task, click Request a certificate

Select Submit an advanced certificate request

Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste the content of E:\certrequest.req into the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) box

In Certificate Template, select Web Server

Keep others as default and click Submit

Select DER encoded, click Download certificate and save it to E:\.

Open Exchange Management Console

Expand Microsoft Exchange On-Premises

Expand Server Configuration

Select the pending certificate signing request (CSR)

Right click on it and select Complete Pending Request

Click Browse to select the certificate just downloaded to E:\, then click Complete.

To verify the certificate has been imported successfully, check that its status reads “The certificate is valid for Exchange Server usage”.

To assign services to certificate,

Right-click on the certificate Exchange2010PKI

Select Assign Services to Certificate and follow the screenshots to proceed.

After the services have been assigned successfully, you can remove the remaining self-signed Exchange certificates: highlight each one, right-click and select Remove.
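The Exchange Management Shell equivalent of this section, added as an example and not the guide's own steps. It sets the OWA and ActiveSync authentication methods, generates the request, submits it to the enterprise CA with certreq against the Web Server template (the same template chosen on the certsrv page), completes the pending request and assigns services. Server, CA, the friendly name Exchange2010PKI and E:\certrequest.req are taken from the guide; the .cer file name and the subject name are assumptions. As the closing note says, the shell is also the only way to raise the request on Exchange Server 2007.

```powershell
# Added example (not part of the original guide): Exchange Management Shell version of
# section 3.4, run on the Exchange server. Server, CA, friendly name and request path
# come from the guide; the .cer name and the subject name are assumptions.
$Server   = 'EXCHANGE2010'
$Fqdn     = 'exchange2010.c6f1r1.cloud'
$CaConfig = 'win2k8dc.c6f1r1.cloud\c6f1r1-WIN2K8DC-CA'
$ReqFile  = 'E:\certrequest.req'
$CerFile  = 'E:\exchange2010.cer'      # assumed: the guide only says "save it to E:\"

# --- OWA: standard authentication (Integrated Windows) instead of forms/Basic --------
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -FormsAuthentication $false -BasicAuthentication $false -DigestAuthentication $false `
    -WindowsAuthentication $true

# --- ActiveSync: the device must present a certificate; Basic (clear-text password) off
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ClientCertAuth Required -BasicAuthentication $false
iisreset /noforce | Out-Null

# --- PKCS #10 request for the Client Access server; the private key stays on this box
$request = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -SubjectName "CN=$Fqdn" -DomainName $Fqdn `
    -KeySize 2048 -PrivateKeyExportable $true -FriendlyName 'Exchange2010PKI'
Set-Content -Path $ReqFile -Value $request -Encoding Ascii

# --- Submit to the enterprise CA against the Web Server template (what the certsrv
#     "advanced request" page does) and save the issued certificate
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $ReqFile $CerFile
if ($LASTEXITCODE -ne 0) {
    throw "certreq -submit failed ($LASTEXITCODE). Check the CA's Failed Requests and that this account has Enroll on the Web Server template."
}

# --- Complete the pending request and bind the certificate to IIS (and SMTP) ----------
$bytes = [byte[]](Get-Content -Path $CerFile -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -Server $Server -FileData $bytes
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# Verify: Status should be Valid and Services should include IIS
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, Issuer, Status, Services, NotAfter

# Self-signed certificates left over from setup: review before Remove-ExchangeCertificate
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.IsSelfSigned -and $_.Thumbprint -ne $cert.Thumbprint } |
    Format-Table Thumbprint, Services, Subject -AutoSize
```

The certreq step needs an account that holds Enroll on the Web Server template (by default only the domain and enterprise administrators do), which is the same permission the certsrv page checks when you submit the request interactively.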

4. Testing Exchange OWA PKI access

First, test with the Windows 7 Enterprise client not yet joined to the domain “c6f1r1.cloud”, to confirm that OWA really does demand a certificate. Edit the hosts file (C:\Windows\System32\drivers\etc\hosts) and add a mapping from the Exchange server's hostname to its IP address, so that OWA is always reached by hostname rather than by IP (the name must match the server certificate).

Open Internet Explorer and browse to the OWA URL https://exchange2010.c6f1r1.cloud/owa. Because the client holds no certificate from the enterprise CA, access is refused with the error shown in the screenshot.

Now join the Windows 7 Enterprise client to the domain “c6f1r1.cloud”, so that the auto-enrollment policy from section 3.1 issues it a user certificate, and test again. A dialogue box now pops up asking you to select a certificate; select it and you are taken into the mailbox.
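An added example (not from the guide) that runs the section 4 test from the Windows 7 client without a browser: it probes OWA and the ActiveSync endpoint first without a client certificate and then with the auto-enrolled user certificate, reporting the HTTP status each time. Host name, CA name and IP address are the guide's; the expected outcomes in the comments are assumptions based on how IIS responds when a client certificate is required.

```powershell
# Added example (not part of the original guide): repeat the section 4 test from the
# Windows 7 client with HttpWebRequest instead of Internet Explorer. Expected (assumed):
# no certificate -> HTTP 403 (IIS 403.7), with the auto-enrolled certificate -> 200/302.
$Server = 'exchange2010.c6f1r1.cloud'
$CaName = 'c6f1r1-WIN2K8DC-CA'

# Hosts entry the guide adds on the client that is not yet domain-joined (run elevated):
#   Add-Content "$env:SystemRoot\System32\drivers\etc\hosts" "10.100.5.183`t$Server"

function Invoke-CertProbe {
    param(
        [string]$Url,
        [string]$Method = 'GET',
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert
    )
    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $req.Method = $Method
    $req.AllowAutoRedirect = $false
    $req.UseDefaultCredentials = $true      # for the Integrated Windows auth OWA now uses
    if ($ClientCert) { [void]$req.ClientCertificates.Add($ClientCert) }
    try {
        $resp = [System.Net.HttpWebResponse]$req.GetResponse()
        $result = New-Object PSObject -Property @{ Status = [int]$resp.StatusCode; Detail = $resp.Headers['MS-ASProtocolVersions'] }
        $resp.Close()
    } catch [System.Net.WebException] {
        $r = [System.Net.HttpWebResponse]$_.Exception.Response
        if ($r) { $result = New-Object PSObject -Property @{ Status = [int]$r.StatusCode; Detail = $r.StatusDescription }; $r.Close() }
        else    { $result = New-Object PSObject -Property @{ Status = 0; Detail = $_.Exception.Message } }   # e.g. untrusted CA
    }
    $result
}

# The user certificate auto-enrollment delivered (present only once the client is domain-joined)
$userCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.Issuer -match [regex]::Escape($CaName) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
} | Sort-Object NotAfter -Descending | Select-Object -First 1

$targets = @(
    @{ Name = 'OWA';        Url = "https://$Server/owa/";                        Method = 'GET' },
    @{ Name = 'ActiveSync'; Url = "https://$Server/Microsoft-Server-ActiveSync"; Method = 'OPTIONS' }
)
foreach ($t in $targets) {
    $noCert = Invoke-CertProbe -Url $t.Url -Method $t.Method
    '{0,-11} without certificate : HTTP {1} {2}' -f $t.Name, $noCert.Status, $noCert.Detail
    if ($userCert) {
        $withCert = Invoke-CertProbe -Url $t.Url -Method $t.Method -ClientCert $userCert
        '{0,-11} with {1} : HTTP {2} {3}' -f $t.Name, $userCert.Subject, $withCert.Status, $withCert.Detail
    } else {
        '{0,-11} no certificate from {1} in Cert:\CurrentUser\My (client not domain-joined, or policy not applied yet)' -f $t.Name, $CaName
    }
}
```

Before the client is domain-joined, the probe without a certificate usually fails before any HTTP response (the enterprise root is not trusted, so the TLS handshake is rejected) and Cert:\CurrentUser\My holds no certificate from the CA. After joining and a policy refresh, the no-certificate probe returns HTTP 403 and the probe with the certificate returns 200 or 302 for OWA and 200 with an MS-ASProtocolVersions header for ActiveSync.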

For Exchange Server 2007 the PKI configuration is the same as for Exchange Server 2010, except for raising the certificate request: in Exchange Server 2007 the request can only be generated with the Exchange Management Shell. Please refer to the URL below for details.

http://technet.microsoft.com/en-us/library/aa995942.aspx
