Microsoft Knowledge Base Article
Article ID: 2317648 - Last Review: February 21, 2011 - Revision: 2.1
Configuring Certificate Based Authentication for OWA
Microsoft Professional Advisory Services is a support option that provides short-term, proactive, consultative support beyond break-fix product maintenance needs. This includes working with the same technician for assistance with issues like product migration, code review, or new program development, and is a remote, phone-based support option. This service is typically used for shorter engagements, and is designed for developers and IT professionals who do not require the traditional onsite consulting or sustained account management services that are available from other Microsoft support options. For additional information on Microsoft Advisory Services, including how to engage, refer to this Microsoft web page: http://support.microsoft.com/gp/AdvisoryService
Configuring Certificate/Smartcard Based Authentication for Outlook Web Access
This professional advisory scenario covers configuring Certificate/Smartcard Based Authentication for Outlook Web Access in Exchange Server 2003 and/or Exchange Server 2007. The following items are handled by this scenario:
- Outlook Web Access
- IIS Authentication settings
- Kerberos Constrained Delegation
- ISA Server configuration
Scoping questions
Assumptions
Microsoft makes the following assumptions as part of this Configuring Certificate Based Authentication for Outlook Web Access Professional Advisory Support Scenario:
- The current Exchange environment is healthy and configured per Microsoft's Best Practice Recommendations as determined by a full Exchange Best Practice Analyzer (ExBPA) health check.
- Any pre-existing configuration or other issues that might prevent a successful OWA Certificate Based Authentication deployment must be resolved prior to beginning work on the Professional Advisory offering as scoped. It is highly recommended that the customer perform the ExBPA health check and resolve any issues prior to beginning work on the Case Scope stage itself.
- Should the customer request assistance with bringing the current environment to a healthy state, separate break-fix support incidents will need to be opened to address each subordinate issue. Further, should any issues arise while performing scoped tasks, a maximum of thirty (30) minutes will be spent troubleshooting those issues. This troubleshooting will be billed within the current advisory case. If the issue is not resolved in these thirty (30) minutes, a new, charged break-fix support incident must be opened to address the problem. The Advisory Support Engineer may work the support incident at their discretion.
- At the conclusion of this service the Support Engineer and the customer will verify the functionality of the configuration before the delivery can be considered fully complete.
- ISA Server 2006 basic configuration is already complete and publishing rules already exist for at least Outlook Web Access.
This scenario is based on MSExchangeTeam blogs and Microsoft TechNet/KB articles.
Questions that choose the deployment option
The following questions will determine the CBA deployment option and ultimately the cost. If the customer is unable to answer these questions, or is unfamiliar with them, please recommend they read the blogs and documents listed under the self-help resources at the end of this article.
1. Is this the first time you are configuring CBA for OWA in your environment?
   Yes = This qualifies as an advisory scenario; proceed to question 2.
   No = STOP. This is not an Advisory scenario. The case will be worked as a normal break-fix.
2. Do you have more than one domain or forest?
   Yes = STOP. Not supported due to limitations of Kerberos Constrained Delegation.
   No = Proceed to question 3.
3. Is the Active Directory (AD) domain set to the Windows Server 2003 Domain Functional Level?
   Yes = Proceed to question 4.
   No = STOP. Not supported due to the requirement that the AD domain must be set to Windows Server 2003 Domain Functional Level.
4. Do you have, or are you planning to have, ISA Server 2006 installed in your environment?
   Yes = Proceed to question 5.
   No = STOP. Not supported since ISA Server 2006 is required for this advisory scenario.
5. What type of environment is this?
   A. Is this a pure Exchange Server 2003 SP2 environment with ISA Server 2006 configured?
      Yes = Follow Option 1: Configuring Certificate Based Authentication for Outlook Web Access in Exchange Server 2003. This option is based on the following articles:
      No = Proceed to question B.
   B. Is this a mixed Exchange Server 2003 SP2 back-end (BE) and Exchange Server 2007 Client Access Server (CAS) environment with ISA Server 2006?
      Yes = Follow Option 2: Configuring Certificate Based Authentication for Outlook Web Access in Exchange Server 2007 Client Access Server with Exchange Server 2003 Back End Servers. This option is based on the following articles:
      No = Proceed to question C.
   C. Is this a pure Exchange Server 2007 environment with ISA Server 2006?
      Yes = Follow Option 3: Configuring Certificate Based Authentication for Outlook Web Access in Exchange Server 2007. This option is based on the following articles:
      No = Restart at A, or this is an unsupported scenario.
Option 1: Configuring Certificate Based Authentication for Outlook Web Access in Exchange Server 2003
Reasons to use this method: This option is for environments running only Exchange Server 2003 SP2 and ISA Server 2006. The AD domain is set to Windows Server 2003 Domain Functional Level. This is typically a single domain with ISA Server 2006 joined to the domain.
Scope (includes any combination of the following):
- Configure Certificate Based Authentication for OWA using a deployment strategy that uses a supported 3rd party or internally issued (self-signed) certificate.
- Configure Windows client machines by adding the user certificate to the local certificate store. The certificate can also be added to an externally accessible storage device, e.g. a flash drive or USB reader.
- Configure the correct authentication methods on the /Exchange virtual directory.
- Configure the correct bit strength for the IIS Default Web Site.
- Configure the ISA Server 2006 Web Listener.
Footnotes:
- If we review the steps with the customer, instead of doing the steps with the customer, then the time can be reduced to 40% of the total.
- SSL Certificates: The customer is responsible for procurement of certificate(s) from a third-party company. The customer may also use an internal Certificate Authority (CA) to generate the required certificates. If using an internal CA, all systems must trust the entire CA chain. This includes the ISA Server, CAS, and client workstations. The CA Root certificate must be in the Trusted Root Certification Authorities store on all systems.
- Firewalls: Assistance in configuring firewalls only includes giving the required ports to the customer. We do not support configuring firewalls. If ISA Server is used, and the customer needs assistance with this, then a separate case must be opened with the ISA Server support team.
- Networking issues: If issues arise that are caused by networking issues which cannot be resolved within 30 minutes, then a separate case must be opened with the Networking support team for more extensive troubleshooting.
- Smartcard issues: If issues arise that are caused by the smartcard readers/writers, this will be referred to the respective vendor(s). Microsoft will assist the customer to install the required client certificate, but if this cannot be done within 30 minutes, then a separate case must be opened with the Directory Services support team for more extensive troubleshooting.
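One way to confirm the SSL Certificates footnote's requirement on each machine (ISA Server, CAS or back end, client workstation) before the engagement starts; the same check applies to Options 2 and 3. This is an added example, not a script from the article or from Microsoft, and the root thumbprint and certificate path are placeholders to replace with your own values.

```powershell
# Added example: verify that the internal CA root is in the machine's Trusted Root
# Certification Authorities store and that a leaf certificate (user or server cert)
# builds a complete chain on this host. Thumbprint and path are placeholders.
param(
    [string]$RootThumbprint = 'PLACEHOLDER-ROOT-CA-THUMBPRINT',  # hex thumbprint of your root CA
    [string]$CertPath       = 'C:\temp\owa-leaf.cer'             # assumed path to a .cer to test
)

# 1. Is the root CA present in Cert:\LocalMachine\Root (Trusted Root Certification Authorities)?
$wanted = ($RootThumbprint -replace '\s', '').ToUpper()
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $root) {
    Write-Warning "Root CA $wanted is NOT in the Trusted Root store on $($env:COMPUTERNAME)"
} else {
    Write-Host "Root CA present on $($env:COMPUTERNAME): $($root.Subject)"
}

# 2. Does the leaf certificate chain up through any intermediates to a trusted root here?
#    Revocation checking is disabled so this test isolates trust/chain problems from
#    CRL/OCSP reachability, which should be verified separately (ISA Server must reach the CRL).
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if ($chain.Build($leaf)) {
    Write-Host "Chain OK for $($leaf.Subject):"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    Write-Warning "Chain FAILED for $($leaf.Subject) on $($env:COMPUTERNAME):"
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}
```

Run it on every machine in the path (ISA Server, CAS/back end and a representative client); a UntrustedRoot or PartialChain status on any of them means the chain import called for in the footnote is still incomplete there.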
Option 2: Configuring Certificate Based Authentication for Outlook Web Access in Exchange Server 2007 Client Access Server with Exchange Server 2003 Back End Servers
Reasons to use this method: This option is only for environments running a mixture of Exchange Server 2007 CAS and Exchange Server 2003 SP2 BE servers with ISA Server 2006. The AD domain is set to Windows Server 2003 Domain Functional Level. This is typically a single domain with ISA Server 2006 joined to the domain.
Scope (includes any combination of the following):
- Configure Certificate Based Authentication for OWA using a deployment strategy that uses a supported 3rd party or internally issued (self-signed) certificate.
- Configure Windows client machines by adding the user certificate to the local certificate store. The certificate can also be added to an externally accessible storage device, e.g. a flash drive or USB reader.
- Configure the correct authentication methods on the /Exchange virtual directory.
- Configure the correct bit strength for the IIS Default Web Site.
- Configure the ISA Server 2006 Web Listener.
Footnotes:
- If we review the steps with the customer, instead of doing the steps with the customer, then the time can be reduced to 40% of the total.
- CAS: Work may take less time if Exchange Management Shell is used to configure multiple servers.
- SSL Certificates: The customer is responsible for procurement of certificate(s) from a third-party company. The customer may also use an internal Certificate Authority (CA) to generate the required certificates. If using an internal CA, all systems must trust the entire CA chain. This includes the ISA Server, CAS, and client workstations. The CA Root certificate must be in the Trusted Root Certification Authorities store on all systems.
- Firewalls: Assistance in configuring firewalls only includes giving the required ports to the customer. We do not support configuring firewalls. If ISA Server is used, and the customer needs assistance with this, then a separate case must be opened with the ISA Server support team.
- Networking issues: If issues arise that are caused by networking issues which cannot be resolved within 30 minutes, then a separate case must be opened with the Networking support team for more extensive troubleshooting.
- Smartcard issues: If issues arise that are caused by the smartcard readers/writers, this will be referred to the respective vendor(s). Microsoft will assist the customer to install the required client certificate, but if this cannot be done within 30 minutes, then a separate case must be opened with the Directory Services support team for more extensive troubleshooting.
Option 3: Configuring Certificate Based Authentication for Outlook Web Access in Exchange Server 2007
Reasons to use this method: This option is only for environments running only Exchange Server 2007 with ISA Server 2006. The AD domain is set to Windows Server 2003 Domain Functional Level. This is typically a single domain with ISA Server 2006 joined to the domain.
Scope (includes any combination of the following):
- Configure Certificate Based Authentication for OWA using a deployment strategy that uses a supported 3rd party or internally issued (self-signed) certificate.
- Configure Windows client machines by adding the user certificate to the local certificate store. The certificate can also be added to an externally accessible storage device, e.g. a flash drive or USB reader.
- Configure the correct authentication methods on the /Exchange virtual directory.
- Configure the correct bit strength for the IIS Default Web Site.
- Configure the ISA Server 2006 Web Listener.
Footnotes:
- If we review the steps with the customer, instead of doing the steps with the customer, then the time can be reduced to 40% of the total.
- CAS: Work may take less time if Exchange Management Shell is used to configure multiple servers.
- SSL Certificates: The customer is responsible for procurement of certificate(s) from a third-party company. The customer may also use an internal Certificate Authority (CA) to generate the required certificates. If using an internal CA, all systems must trust the entire CA chain. This includes the ISA Server, CAS, and client workstations. The CA Root certificate must be in the Trusted Root Certification Authorities store on all systems.
- Firewalls: Assistance in configuring firewalls only includes giving the required ports to the customer. We do not support configuring firewalls. If ISA Server is used, and the customer needs assistance with this, then a separate case must be opened with the ISA Server support team.
- Networking issues: If issues arise that are caused by networking issues which cannot be resolved within 30 minutes, then a separate case must be opened with the Networking support team for more extensive troubleshooting.
- Smartcard issues: If issues arise that are caused by the smartcard readers/writers, this will be referred to the respective vendor(s). Microsoft will assist the customer to install the required client certificate, but if this cannot be done within 30 minutes, then a separate case must be opened with the Directory Services support team for more extensive troubleshooting.
Self-help resources
Below is a list of self-help resources for this scenario. These resources may also be used by Microsoft Support Engineers during an Advisory Services engagement.
Certificate Based Authentication:
Description of the new feature in Exchange Server 2003 that supports Smart Card authentication to Outlook Web Access
(http://kbalertz.com/Feedback.aspx?kbNumber=920209)
Log onto Outlook Web Access with Smart Cards
(http://technet.microsoft.com/en-us/magazine/2007.07.smartcards.aspx)
How to Configure Certificate Based Authentication for OWA - Part I
(http://msexchangeteam.com/archive/2008/10/07/449942.aspx)
How to Configure Certificate Based Authentication for OWA - Part II
(http://msexchangeteam.com/archive/2008/11/12/450094.aspx)
Certificates:
White Paper: Exchange 2007 Client Access and SSL
(http://technet.microsoft.com/en-us/library/cc164344.aspx)
Understanding the Self-Signed Certificate in Exchange 2007
(http://technet.microsoft.com/en-us/library/bb851554.aspx)
Windows Server 2003 Public Key Infrastructure for Windows Server 2003
(http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx)
Managing a Windows Server 2003 Public Key Infrastructure
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx)
Service principal names with Windows 2003
(http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-83c6-676bb005b13e.mspx?mfr=true)
ISA Server 2006:
Microsoft ISA Server 2006: Enterprise Edition Installation Guide
(http://www.microsoft.com/technet/isa/2006/deploy/ee_install_guide.mspx)
Publishing Exchange Server 2007 with ISA Server 2006
(http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx)
Using ISA Server 2006 with Exchange 2007
(http://technet.microsoft.com/en-us/library/aa998036.aspx)
Configuring ISA Server 2006 for Exchange Client Access
(http://technet.microsoft.com/en-us/library/aa997148.aspx)
APPLIES TO
- Microsoft Exchange Server 2003 Service Pack 2
- Microsoft Exchange Server 2003 Enterprise Edition
- Microsoft Exchange Server 2003 Standard Edition
- Microsoft Exchange Server 2007 Service Pack 1
- Microsoft Exchange Server 2007 Enterprise Edition
- Microsoft Exchange Server 2007 Standard Edition
- Microsoft Exchange Server 2010 Enterprise
- Microsoft Exchange Server 2010 Standard