Exchange 2010 PKI Configuration Guide

Overview
1. Summary
2. Environment
3. Configuration
   a) Active Directory Configuration
   b) CA Configuration
   c) Exchange Server IIS Configuration
   d) Exchange Configuration
4. Testing on Exchange OWA PKI access

1. Summary
This guide describes how to configure Exchange 2010 authentication using PKI (client certificates) instead of passwords.

2. Environment
This document was written for a single-domain environment. The CA server was located on the domain controller.

Item  Operating System         IP Address    Host                   Role
1     Windows Server 2008 R2   10.100.5.181  Win2k8dc.c6f1r1.cloud  Domain Controller
2     Windows Server 2008 R2   10.100.5.181  Win2k8dc               Enterprise Root CA
3     Windows Server 2008 R2   10.100.5.183  Exchange 2010          Exchange Server
4     Windows 7 Enterprise     10.100.5.180  Client computer        OWA testing

3. Configuration

3.1 Windows Server 2008 R2 Active Directory Configuration
In the Active Directory Group Policy Management snap-in:
  Expand Forests: c6f1r1.cloud
  Expand Domains
  Expand c6f1r1.cloud
  Right-click Default Domain Policy
  Select Edit to open the Group Policy Management Editor
In the Group Policy Management Editor snap-in, go to the User Configuration container:
  Expand Policies
  Expand Windows Settings
  Expand Security Settings
  Select Public Key Policies
  In the right pane, double-click Certificate Services Client - Auto-Enrollment
  Check Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates. Keep the others at their defaults and click OK to save.

3.2 Windows Server 2008 R2 CA Configuration
In the Certification Authority snap-in:
  Expand c6f1r1-win2k8dc-ca
  Right-click Certificate Templates
  Select Manage
In the Certificate Templates Console snap-in:
  Right-click the User template
  Select Duplicate Template
  Choose Windows Server 2003 Enterprise and click OK
  In the General tab, fill in the Template display name and the other information as follows
  In the Security tab, follow the screen below
Click OK to save and go back to the Certificate Templates snap-in. In the Certificate Templates snap-in:
  Right-click Certificate Templates
  Select New
  Select Certificate Template to Issue
  Select the newly created template AutoEnroll-User and click OK
Now you can find the template in the right pane of the Certificate Templates snap-in.

3.3 IIS Configuration
Open the Internet Information Services (IIS) Manager snap-in:
  Expand EXCHANGE2010 (C6F1R1\administrator)
  Open Authentication in the IIS section
  Set Active Directory Client Certificate Authentication to Enabled
  Expand Sites
  Select Default Web Site
  Open SSL Settings in the IIS section
  Check Require SSL
  Choose Require for Client certificates
To set OWA to require SSL, go back to the Internet Information Services (IIS) Manager snap-in:
  Expand Sites
  Expand Default Web Site
  Select owa
  Open SSL Settings in the IIS section
  Check Require SSL
  Choose Require for Client certificates
To edit the Exchange OWA client certificate authentication setting so that users log in with a certificate rather than a password, go back to the Internet Information Services (IIS) Manager snap-in:
  Expand Sites
  Expand Default Web Site
  Select owa
  Open Configuration Editor in the Management section
  In the Section drop-down list, expand system.webServer
  Expand security
  Expand authentication
  Select clientCertificateMappingAuthentication and set it to True
To set ActiveSync to require SSL, go back to the Internet Information Services (IIS) Manager snap-in:
  Expand Sites
  Expand Default Web Site
  Select Microsoft-Server-ActiveSync
  Open SSL Settings in the IIS section
  Check Require SSL
  Choose Require for Client certificates
To edit the Exchange ActiveSync client certificate authentication setting so that users log in with a certificate rather than a password, go back to the Internet Information Services (IIS) Manager snap-in:
  Expand Sites
  Expand Default Web Site
  Select Microsoft-Server-ActiveSync
  Open Configuration Editor in the Management section
  In the Section drop-down list, expand system.webServer
  Expand security
  Expand authentication
  Select clientCertificateMappingAuthentication and set it to True
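The same IIS settings can be applied and read back from an elevated PowerShell prompt on the Exchange server; this is an added example, not part of the guide, and it uses the WebAdministration module that ships with IIS 7.5 together with the site and application names used above.

```powershell
# Added example, not from the guide: apply the section 3.3 IIS settings with the
# WebAdministration module and read the effective values back afterwards.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$access  = 'system.webServer/security/access'
$adMap   = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'

# Server level: "Active Directory Client Certificate Authentication" = Enabled
Set-WebConfigurationProperty -PSPath $appHost -Filter $adMap -Name 'enabled' -Value $true

# SSL Settings: Require SSL and Client certificates: Require on the site root, owa and ActiveSync.
# -Location writes into <location> tags of applicationHost.config, which is allowed even
# though the authentication sections are locked against delegation to web.config files.
$apps = 'Default Web Site', 'Default Web Site/owa', 'Default Web Site/Microsoft-Server-ActiveSync'
foreach ($app in $apps) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $app -Filter $access `
        -Name 'sslFlags' -Value 'Ssl,SslRequireCert'
}

# Configuration Editor step: clientCertificateMappingAuthentication enabled=True on owa and
# ActiveSync, so the account mapped from the certificate is used for logon instead of a password.
foreach ($app in $apps[1..2]) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $app -Filter $adMap -Name 'enabled' -Value $true
}

# Verification: report the effective settings for each application.
function Test-ClientCertConfig {
    param([string]$Location)
    $ssl   = Get-WebConfiguration -PSPath $appHost -Location $Location -Filter $access
    $map   = Get-WebConfiguration -PSPath $appHost -Location $Location -Filter $adMap
    $flags = "$($ssl.sslFlags)" -split '[ ,]+'      # e.g. "Ssl, SslRequireCert"
    New-Object PSObject -Property @{
        Location          = $Location
        RequireSsl        = ($flags -contains 'Ssl')
        RequireClientCert = ($flags -contains 'SslRequireCert')
        AdCertMapping     = [bool]$map.enabled
    }
}
$apps[1..2] | ForEach-Object { Test-ClientCertConfig -Location $_ } | Format-Table -AutoSize
```

The sslFlags value set on Default Web Site is inherited by every virtual directory beneath it unless overridden there, so check any other application under the site that must keep working.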
3.4 Exchange 2010 Configuration
We first generate a certificate request from the Exchange Management Console, pass it to the CA to issue a certificate, and install the issued certificate back on the Exchange server.
Open the Exchange Management Console:
  Expand Microsoft Exchange On-Premises
  Expand Server Configuration
  Select Client Access
  In the right pane, select the Outlook Web App tab
  Open owa (Default Web Site); in the Authentication tab, choose Use one or more standard authentication methods and select Integrated Windows authentication, then restart IIS
Open the Exchange Management Console:
  Expand Microsoft Exchange On-Premises
  Expand Server Configuration
  Select Client Access
  In the right pane, select the Exchange ActiveSync tab
  Open Microsoft-Server-ActiveSync (Default Web Site)
  To enable clients to authenticate with a certificate, select Require client certificates and uncheck Basic authentication (the password is sent in clear text)
Open the Exchange Management Console:
  Expand Microsoft Exchange On-Premises
  Expand Server Configuration
  In the right pane, under the Exchange Certificates section, right-click the white space and select New Exchange Certificate. Follow the screenshot to proceed.
You will see a pending certificate signing request (CSR) in the Exchange Management Console.
Open the certificate request file E:\certrequest.req (the path stated above) in Notepad to review the certificate request.
Open Internet Explorer and connect to the CA server's web enrollment page (http://win2k8dc.c6f1r1.cloud/certsrv) to request the certificate for Exchange:
  On the CA welcome page, under Select a task, click Request a certificate
  Select Submit an advanced certificate request
  Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  Copy the content of E:\certrequest.req into Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)
  In Certificate Template, select Web Server
  Keep the others at their defaults and click Submit
  Select DER encoded, click Download certificate and save it to E:\
Open the Exchange Management Console:
  Expand Microsoft Exchange On-Premises
  Expand Server Configuration
  Select the pending certificate signing request (CSR)
  Right-click it and select Complete Pending Request
  Click the Browse button to select the certificate just downloaded to E:\, then click Complete.
To verify that the certificate has been imported successfully, you should see "The certificate is valid for Exchange Server usage."
To assign services to the certificate:
  Right-click the certificate Exchange2010PKI
  Select Assign Services to Certificate. Follow the screenshot to proceed.
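The request, submission, import and service assignment of section 3.4 can also be done from the Exchange Management Shell (the only option on Exchange 2007); this is an added example, not from the guide, using the guide's host names, CA name and E:\ paths, with the O and C subject values and the output file name E:\exchange2010.cer assumed.

```powershell
# Added example, not from the guide: section 3.4 from the Exchange Management Shell.
# Assumed values: the O= and C= parts of the subject and the E:\exchange2010.cer file name.

# 1. Generate the PKCS #10 request (the EMC "New Exchange Certificate" wizard).
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName 'Exchange2010PKI' `
    -SubjectName 'CN=exchange2010.c6f1r1.cloud, O=C6F1R1, C=US' `
    -DomainName 'exchange2010.c6f1r1.cloud', 'exchange2010'
Set-Content -Path 'E:\certrequest.req' -Value $req

# 2. Submit it to the enterprise CA with the Web Server template (replaces the certsrv page);
#    certreq writes the issued certificate to E:\exchange2010.cer.
certreq.exe -submit -config 'win2k8dc.c6f1r1.cloud\c6f1r1-win2k8dc-ca' `
    -attrib 'CertificateTemplate:WebServer' 'E:\certrequest.req' 'E:\exchange2010.cer'
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Complete the pending request (the EMC "Complete Pending Request" step).
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'E:\exchange2010.cer' -Encoding Byte -ReadCount 0))

# 4. Assign the IIS service (the EMC "Assign Services to Certificate" step).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5. Verify: present, issued by our CA, bound to IIS and not expired.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Issuer, Services, NotAfter, Status
```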
After the services have been assigned successfully, you can delete the other Exchange self-signed certificates by highlighting each one, right-clicking and selecting Remove.

4. Testing on the Exchange OWA PKI access
First we do not join the Windows 7 Enterprise client to the domain c6f1r1.cloud, to verify that it must use a certificate to authenticate. You will need to edit the hosts file (C:\Windows\System32\drivers\etc\hosts) to add the mapping of the Exchange server's IP address to its hostname, so that we always use the hostname instead of the IP address to access OWA.
Open Internet Explorer and type the URL of OWA, https://exchange2010.c6f1r1.cloud/owa, to access the Exchange mailbox; you will encounter the following error.
Now let's join the Windows 7 Enterprise client to the domain c6f1r1.cloud and test again. You will now find a dialogue box popping up asking you to select the certificate. Click on it and it will let you into the mailbox.
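Before opening OWA on the joined client it is worth confirming that auto-enrollment (sections 3.1 and 3.2) actually delivered a usable certificate; the check below is an added example, not from the guide, run as the test user on the Windows 7 client, with the issuer name taken from the guide's CA and the UPN parsing relying on the English-language output of the SAN extension.

```powershell
# Added example, not from the guide: verify the client has an auto-enrolled certificate
# that the OWA certificate prompt can use (private key, Client Authentication EKU, issued by
# the guide's CA, trusted chain, not expired) and show the UPN that AD mapping will use.
function Get-OwaClientCertificate {
    param([string]$IssuerCN = 'c6f1r1-win2k8dc-ca')
    $clientAuth = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth EKU
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $c = $_
        $eku  = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @(); if ($eku) { $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $c.HasPrivateKey -and
        $c.Issuer -match ('(^|, )CN=' + [regex]::Escape($IssuerCN) + '($|,)') -and
        $c.NotAfter -gt (Get-Date) -and
        ($oids -contains $clientAuth) -and
        $c.Verify()                             # chain builds to a trusted root and is not revoked
    }
}

# IIS Active Directory mapping resolves the logon account from the UPN in the Subject
# Alternative Name, so report it next to the certificate (English locale output assumed).
function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { $null }
}

certutil.exe -user -pulse | Out-Null         # trigger auto-enrollment now instead of waiting for the next refresh
$certs = @(Get-OwaClientCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No usable client-authentication certificate: check the GPO auto-enrollment setting and the AutoEnroll-User template.'
} else {
    $certs | ForEach-Object {
        New-Object PSObject -Property @{ Subject = $_.Subject; UPN = (Get-CertificateUpn $_); NotAfter = $_.NotAfter; Thumbprint = $_.Thumbprint }
    } | Format-List
}
```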
For the Exchange Server 2007 PKI configuration, the steps are the same as for Exchange Server 2010 except for raising the certificate request. In Exchange Server 2007, you can only generate the certificate request with the Exchange Management Shell. Please refer to the URL below for details.
http://technet.microsoft.com/en-us/library/aa995942.aspx