Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-03-19

This topic explains how to use the Exchange Management Console or the Exchange Management Shell and Internet Information Services Manager to configure Microsoft Office Outlook Web Access to use smart cards for user authentication.

Smart cards are a tamper-resistant and portable way to help provide security solutions for tasks such as client authentication, code signing, and securing e-mail.

Smart cards provide the following capabilities:

Before You Begin

Smart card authentication requires Secure Sockets Layer (SSL) encryption. By default, Outlook Web Access uses SSL. If you have configured Outlook Web Access not to require SSL and you want your users to be able to use smart cards, you must reconfigure Outlook Web Access to require SSL. See How to Configure Outlook Web Access Virtual Directories to Use SSL.

You will also have to obtain and configure a certificate from a certification authority (CA). See the following resources for information about how to implement and manage smart cards:

Smart cards provide a special kind of certificate authentication. After you have verified that the Client Access server has been configured to require SSL, and have obtained and configured a certificate from a CA, you must configure the Client Access server to use certificate authentication.

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

Procedure

To use IIS Manager 6.0 to configure the Outlook Web Access virtual directories to use certificate authentication

  1. In IIS Manager, right-click Web Sites, and then click Properties.

  2. On the Directory Security tab, verify that the Enable the Windows directory service mapper check box is selected.

  3. Click OK to close Web Sites Properties.

  4. Expand the Web site where you host your Outlook Web Access virtual directories. This is usually the Default Web Site. Right-click the Outlook Web Access virtual directory that you want to configure to use certificate authentication, and then click Properties.

  5. On the Directory Security tab, in Secure Communications, click Edit.

  6. In the Secure Communications section, select Require Secure Channel (SSL) if it is not already selected.

    Note:
    If you are using an SSL certificate that was created during Microsoft Exchange Setup, an error message will appear to notify you that the certificate is not a trusted certificate. Make sure that you trust the certification authority (CA) that issued the certificate or use an SSL certificate that was issued by your trusted CA.
  7. In the Client Certificates section, select Require Client Certificates.

  8. Select Enable client certificate mapping.

  9. Click OK to save your changes.

After you configure IIS Manager to use certificate authentication, you must disable all authentication methods on the Outlook Web Access virtual directories in Exchange. You can use the Exchange Management Console or Exchange Management Shell to do this.

To use the Exchange Management Console to configure Outlook Web Access to have no authentication method

  1. In the Exchange Management Console, click Server Configuration, and then click Client Access.

    Note:
    To enable Outlook Web Access to accept anonymous access, you must disable all forms of authentication.
  2. On the Outlook Web Access tab, open the properties of the virtual directory that you want to configure to use anonymous access.

  3. Click the Authentication tab.

  4. Select Use one or more standard authentication methods.

  5. Do not select an authentication method. If any authentication method is selected, click the check box to clear it.

  6. Click OK.

  7. You will receive a warning that you have not chosen an authentication method and that directs you to use the Exchange Management Shell to set an authentication method. Click OK to close the warning.

  8. Restart IIS by opening a Command Prompt window and typing the command iisreset/noforce.

To use the Exchange Management Shell to configure Outlook Web Access to have no authentication method

  1. Open the Exchange Management Shell on the Client Access server that is hosting the Outlook Web Access virtual directories that you must configure.

    Note:
    To enable Outlook Web Access to accept anonymous access, you must disable all forms of authentication.
  2. To disable forms-based authentication on the /owa virtual directory and the site named Default Web Site, run the following command.

    Copy Code
    Set-owavirtualdirectory -identity "owa (Default Web Site)" -FormsAuthentication:$false
    
  3. To disable all forms of standard authentication on the /owa virtual directory and the site named Default Web Site, run the following command.

    Copy Code
    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -WindowsAuthentication $false
    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -BasicAuthentication $false
    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -DigestAuthentication $false
    
  4. When the last active authentication method has been disabled, you will receive a warning that no authentication method is specified for the virtual directory and that directs you to use the Set-OwaVirtualDirectory cmdlet to specify an authentication method. Ignore this warning.

  5. Restart IIS by opening a Command Prompt window and typing the command iisreset/noforce.

For more information about syntax and parameters, see Set-OwaVirtualDirectory.

For More Information

For more information about authentication methods for Outlook Web Access, see Managing Outlook Web Access Security.