Configure Smart Card Authentication for Outlook Anywhere in Exchange 2013


Applies to: Exchange Server 2013

Associating user smart cards with personal identification numbers (PINs) provides a reliable and cost-effective form of two-factor authentication. When two-factor authentication is configured, users accessing network resources must have both their physical smart card and a PIN associated with that smart card. This smart card/PIN combination reduces the likelihood of unauthorized access to an organization’s network resources.

Prerequisites for using smart card authentication with Outlook Anywhere

Before you can use smart card authentication for Outlook Anywhere, you need to make sure your environment meets the following client and server requirements.

  • A domain-joined client computer running Windows 8, plus Microsoft Office 2013 or Microsoft Office 2010, with all publicly available updates.

  • Exchange Server 2013 SP1 or later.

  • A correctly installed and configured PKI for issuing smart card certificates. The PKI needs to be linked to Active Directory and able to issue certificates for the purposes of smart card logon.

  • SSL must terminate on the Client Access server. The use of a network device that pre-authenticates SSL sessions in front of Microsoft Exchange isn’t supported.

  • All your client Outlook connections must use Outlook Anywhere. After you’ve enabled smart card authentication for Outlook Anywhere, other connections, such as an Outlook connection over MAPI-HTTP, won’t work.

  • A physical or TPM chip-embedded virtual smart card for each user, which contains each user's user certificate. You can’t use software certificates stored in the local computer’s registry for this feature.

Enabling smart card authentication

To enable smart card authentication, follow these steps on each Client Access server in your organization.

  1. Install certificates with all relevant names. Make sure that the issuer of the certificates is trusted by both clients and servers.

  2. Configure Outlook Anywhere for internal and external access (you can use the same namespaces for both), and then confirm that NTLM authentication is selected as the client authentication method. Verify that Outlook Anywhere connects successfully with these settings (see Testing Outlook Anywhere connectivity for more information).

  3. Make sure that the ExternalURL of the Offline Address Book and Exchange Web Services virtual directories is configured to use HTTPS.

  4. Run the following PowerShell script to configure the virtual directories.

    <Exchange install drive>:\Program Files\Microsoft\Exchange Server\V14\Scripts\Enable-OutlookCertificateAuthentication.ps1
    
  5. Edit IIS by using the Netsh command line utility.

    1. At a command prompt or PowerShell prompt, enter netsh.

    2. At the netsh prompt, enter http, and then press Enter.

    3. At the netsh http prompt, enter show ssl, and then look for the default Web site binding. This is indicated by the IP:port value of 0.0.0.0:443.

    4. Note the Certificate Hash and Application ID values.

      Example:

      IP:port          : 0.0.0.0:443
      Certificate Hash : f4d5419255e87004b2ec8bacd33a38e1cfebdaea
      Application ID   : {4dc3e181-e14b-4a21-b022-59fc669b0914}
      
    5. Delete the default site certificate binding by running the following command:

      delete sslcert ipport=0.0.0.0:443
      
    6. Re-create the binding by using the Hash and App ID noted earlier, and include all of the following parameters:

      add sslcert ipport=0.0.0.0:443 certhash=f4d5419255e87004b2ec8bacd33a38e1cfebdaea appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=MY verifyclientcertrevocation=Enable verifyrevocationwithcachedclientcertonly=Disable UsageCheck=Enable clientcertnegotiation=Enable DSMapperUsage=Enable
      
  6. Restart the server.

  7. In Internet Information Services (IIS) Manager, increase the uploadReadAheadSize value.

    1. In IIS Manager, expand the node for your Exchange Server, expand Sites, and select Default Web Site.

    2. On the Features View tab, select Configuration Editor.

    3. Under Actions, select Open Feature.

    4. On the Section drop-down menu, click to expand system.webServer, and then select serverRuntime.

    5. Change the value of uploadReadAheadSize to 10485760.

  8. On each client computer, edit the registry. To do this, follow these steps:

    1. Locate HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\RPC.

      Note:

      • If your clients are using Outlook 2010, substitute "14.0" for "15.0."

      • If your clients are using Outlook 2016, substitute "16.0" for "15.0."

    2. Add a DWORD value that's named EnableSmartcard, and then set the value to 00000001.

    3. Locate HKEY_CURRENT_USER\Software\Microsoft\Exchange.

    4. Add a DWORD value for the appropriate Outlook version.

      For Outlook 2010 and 2013

      Add a DWORD value that's named MsoAuthDisabled, and then set the value to 1.

      For Outlook 2016

      Add a DWORD value that's named AlwaysUseLegacyAuthForAutodiscover, and then set the value to 1.

When complete, all new profiles should prompt for a certificate for the AutoDiscover connection, and prompt again for the Exchange Server connection. Any profiles that existed before this configuration was enabled will require repairing, which may require restarting Outlook several times to properly take effect.
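The following PowerShell is an added example and is not part of the Microsoft article or of Exchange itself. It automates steps 5 through 8 of the procedure above: it reads the existing 0.0.0.0:443 binding from netsh so the certificate hash and application ID are never transcribed by hand, re-creates the binding with the parameters the article lists, checks that the client-certificate settings really took effect, raises uploadReadAheadSize, and writes the client registry values for the chosen Outlook version. The function names are my own; the example assumes that netsh prints the field labels shown in the article's example output and that the WebAdministration module is available (it is installed with IIS on a Client Access server). The server step still needs the restart from step 6.

```powershell
# Added example (not from the article): automates steps 5-8 above.
# Function names are the author's own; netsh parameters, the
# uploadReadAheadSize value and the registry values are the article's.

function Get-DefaultSiteSslBinding {
    # Steps 5.3 and 5.4: read the hash and app ID from the live binding.
    $text = (netsh http show sslcert ipport=0.0.0.0:443) -join "`n"
    if ($text -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
        throw 'No SSL certificate binding found for 0.0.0.0:443'
    }
    $hash = $Matches[1]
    if ($text -notmatch 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
        throw 'Application ID not found in netsh output'
    }
    [pscustomobject]@{ CertHash = $hash; AppId = $Matches[1] }
}

function Set-OutlookAnywhereSmartCardBinding {
    # Steps 5.5 and 5.6: drop the default binding and re-create it with
    # client certificate negotiation, revocation checking and DS mapping on.
    $b = Get-DefaultSiteSslBinding
    netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh delete sslcert failed ($LASTEXITCODE)" }
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($b.CertHash)" `
        "appid=$($b.AppId)" certstorename=MY `
        verifyclientcertrevocation=Enable `
        verifyrevocationwithcachedclientcertonly=Disable `
        UsageCheck=Enable clientcertnegotiation=Enable DSMapperUsage=Enable
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed ($LASTEXITCODE)" }

    # Verify: without these three settings clients are never asked for a
    # certificate, and the failure only shows up later as a logon prompt.
    $after = (netsh http show sslcert ipport=0.0.0.0:443) -join "`n"
    foreach ($label in 'Negotiate Client Certificate',
                       'Verify Client Certificate Revocation',
                       'DS Mapper Usage') {
        if ($after -notmatch "$label\s*:\s*Enabled") {
            throw "$label is not enabled on the new binding"
        }
    }

    # Step 7: the same setting the article changes in Configuration Editor,
    # written to applicationHost.config for the Default Web Site.
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location 'Default Web Site' -Filter 'system.webServer/serverRuntime' `
        -Name 'uploadReadAheadSize' -Value 10485760
    Write-Warning 'Binding rebuilt. Restart the server (step 6) before testing clients.'
}

function Set-OutlookSmartCardClientRegistry {
    # Step 8 for the current user on one client. 14.0 = Outlook 2010,
    # 15.0 = Outlook 2013, 16.0 = Outlook 2016; the version also selects
    # which AutoDiscover value the article requires.
    param([ValidateSet('14.0', '15.0', '16.0')][string]$OfficeVersion = '15.0')

    $rpcKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\RPC"
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    New-ItemProperty -Path $rpcKey -Name 'EnableSmartcard' -PropertyType DWord `
        -Value 1 -Force | Out-Null

    $exchangeKey = 'HKCU:\Software\Microsoft\Exchange'
    if (-not (Test-Path $exchangeKey)) { New-Item -Path $exchangeKey -Force | Out-Null }
    $autodiscoverValue = if ($OfficeVersion -eq '16.0') {
        'AlwaysUseLegacyAuthForAutodiscover'
    } else {
        'MsoAuthDisabled'
    }
    New-ItemProperty -Path $exchangeKey -Name $autodiscoverValue -PropertyType DWord `
        -Value 1 -Force | Out-Null

    # Return what was written so the caller can verify it.
    [pscustomobject]@{
        EnableSmartcard       = (Get-ItemProperty -Path $rpcKey -Name 'EnableSmartcard').EnableSmartcard
        AutodiscoverValueName = $autodiscoverValue
        AutodiscoverValue     = (Get-ItemProperty -Path $exchangeKey -Name $autodiscoverValue).$autodiscoverValue
    }
}

# Usage: on each Client Access server, from an elevated prompt:
#   Set-OutlookAnywhereSmartCardBinding
# On each client computer, as the user whose profile is being configured:
#   Set-OutlookSmartCardClientRegistry -OfficeVersion '15.0'
```

The binding check is the part worth keeping even if you apply the rest by hand: netsh accepts the add command silently when a parameter is mistyped, and the only later symptom is an NTLM prompt instead of a certificate prompt, so reading the binding back and asserting on Negotiate Client Certificate, Verify Client Certificate Revocation and DS Mapper Usage is the quickest way to confirm the server side before restarting.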

Verifying that smart cards have been enabled

After the configuration is applied and Outlook is connected, the Outlook connection status dialog box shows the authentication that's being used as Cert, similar to the following example:

Screen shot of Outlook connection status dialog box

After smart card authentication has been enabled, Outlook client connections for mail and directory services are made to the /RPCWithCert virtual directory on the Client Access server, instead of to the /RPC virtual directory. Therefore, you must ensure that these paths are published accordingly.

Migrating from earlier versions of Exchange

If you previously enabled smart card authentication for your Exchange Server 2010 deployment and want to migrate to Exchange Server 2013, you need to make sure all Exchange 2010 servers are running Service Pack 3 CU 11 or later.

In addition, on every Exchange Server 2010 Client Access server, you need to edit the following entry in the Web.config file located in the AutoDiscovery virtual directory folder:

  • <add key="SmartCardAuthenticationEnabled" value="false"/>

The default value is "false". Change this value to "true".
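As an added example, not from the article, the Web.config change above can be made with the following PowerShell function on each Exchange 2010 Client Access server. It takes a backup, changes only the SmartCardAuthenticationEnabled appSetting, refuses to run if that key is absent, and re-reads the file so the caller can confirm the result. The function name is my own; the article does not give the full path of the Autodiscover Web.config, so the path is a required parameter rather than a built-in default.

```powershell
# Added example (not from the article): sets SmartCardAuthenticationEnabled
# to "true" in the Autodiscover virtual directory's Web.config on an
# Exchange 2010 Client Access server. Function name is the author's own.
function Enable-Exchange2010SmartCardAutodiscover {
    param([Parameter(Mandatory = $true)][string]$WebConfigPath)

    if (-not (Test-Path -LiteralPath $WebConfigPath)) {
        throw "Web.config not found: $WebConfigPath"
    }
    # XmlDocument.Save resolves relative paths against the process
    # directory, not the PowerShell location, so use the provider path.
    $fullPath = (Resolve-Path -LiteralPath $WebConfigPath).ProviderPath

    # Keep a copy next to the file before touching it.
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force

    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true   # keep the file's existing layout
    $config.Load($fullPath)

    $xpath = "/configuration/appSettings/add[@key='SmartCardAuthenticationEnabled']"
    $node = $config.SelectSingleNode($xpath)
    if ($null -eq $node) {
        throw "SmartCardAuthenticationEnabled key not present in $fullPath; nothing changed"
    }
    $previous = $node.GetAttribute('value')
    $node.SetAttribute('value', 'true')
    $config.Save($fullPath)

    # Re-read from disk so the returned value reflects what was saved.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($fullPath)
    $current = $check.SelectSingleNode($xpath).GetAttribute('value')
    [pscustomobject]@{ Path = $fullPath; Previous = $previous; Current = $current }
}

# Usage (path is an illustrative placeholder, supply your server's own):
#   Enable-Exchange2010SmartCardAutodiscover -WebConfigPath '<path to Autodiscover Web.config>'
```

Editing the document through the XML API rather than with a text replacement keeps the change scoped to the one appSetting and leaves the rest of the file, including comments and other keys, exactly as it was; the returned Previous/Current pair lets the change be logged per server during the migration.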

After you make this change, you should ensure all clients in your organization are configured to use Exchange 2013 for AutoDiscover, either by updating DNS or your load balancer.

After these changes are made, a user who has an Exchange Server 2010 mailbox still receives the correct settings from AutoDiscover and will be able to authenticate. Without these changes, a user who has an Exchange 2010 mailbox receives the default settings for the Outlook Anywhere endpoint (NTLM, in this case) and will be unable to authenticate after the AutoDiscover endpoint is moved.