Exchange 2010 PKI Configuration Guide

Overview
1. Summary
2. Environment
3. Configuration
   a) Active Directory configuration
   b) CA configuration
   c) Exchange Server IIS configuration
   d) Exchange configuration
4. Exchange OWA PKI access testing

1. Summary
This guide describes how to configure Exchange 2010 (Outlook Web App and Exchange ActiveSync) for PKI authentication: users present an auto-enrolled client certificate, and IIS maps that certificate to the matching Active Directory account.

2. Environment
This document was written against a single-domain environment in which the certification authority (CA) was installed on the domain controller. That is a lab layout; in production the CA is normally kept off the domain controller.
3. Configuration

3.1 Windows Server 2008 R2 Active Directory configuration (user certificate auto-enrollment)
On the domain controller, open Group Policy Management --> Domains --> select the domain --> right-click "Default Domain Policy" --> "Edit".
In the Group Policy editor go to User Configuration --> Security Settings --> Public Key Policies. In the right pane open "Certificate Services Client - Auto-Enrollment".
Set the configuration model to Enabled, tick "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates", then click "OK" to save.

3.2 Windows Server 2008 R2 CA configuration (certificate template)
Open Certification Authority --> Certificate Templates --> right-click --> "Manage".
In the Certificate Templates console: right-click the "User" template --> "Duplicate Template" --> choose "Windows Server 2003 Enterprise".
General tab: set Template display name to "AutoEnroll-User".
Security tab: the users who should receive certificates (for example Domain Users) need the Read, Enroll and Autoenroll permissions; without Autoenroll the policy from 3.1 has nothing to enroll. Click "OK" to save.
Back in the Certification Authority console: Certificate Templates --> "New" --> "Certificate Template to Issue" --> select the template just created, "AutoEnroll-User", and click "OK". The template now appears in the right pane under "Certificate Templates".

3.3 IIS configuration
Open "Internet Information Services (IIS) Manager" and select the server node (shown as EXCHANGE2010 (C6F1R1\administrator)) --> "Authentication" --> enable "Active Directory Client Certificate Authentication". This is the mapping of client certificates to AD accounts; it must be enabled at the server level before the per-application setting below takes effect.
Sites --> Default Web Site --> "SSL Settings" --> tick "Require SSL" and, under Client certificates, select "Require".
Note: because this is set on the Default Web Site, it applies to every virtual directory under it (Autodiscover, EWS, /rpc for Outlook Anywhere, and so on) unless overridden there; clients that cannot present a certificate will receive HTTP 403.7.

Exchange OWA client certificate authentication setting:
Sites --> Default Web Site --> owa --> "Configuration Editor" --> in the Section drop-down choose system.webServer/security/authentication/clientCertificateMappingAuthentication --> change "enabled" from False to True --> Apply.

Exchange Microsoft-Server-ActiveSync client certificate authentication setting:
Sites --> Default Web Site --> Microsoft-Server-ActiveSync --> "Configuration Editor" --> in the Section drop-down choose system.webServer/security/authentication/clientCertificateMappingAuthentication --> change "enabled" from False to True --> Apply.
3.4 Exchange 2010 configuration
Open the Exchange Management Console --> Server Configuration --> "Client Access" --> "Outlook Web App" tab in the right pane --> open the properties of owa (Default Web Site) --> Authentication tab --> select "Use one or more standard authentication methods" --> select "Integrated Windows authentication" --> OK. Forms-based authentication is turned off by this choice. Restart IIS afterwards (iisreset).
Select the "Exchange ActiveSync" tab --> open the properties of Microsoft-Server-ActiveSync (Default Web Site) --> Authentication tab --> under "Client certificate authentication" select "Require client certificates" --> OK.

Exchange server certificate:
In the Exchange Management Console --> Server Configuration --> click "New Exchange Certificate" in the Actions pane and complete the wizard (this guide uses the friendly name "Exchange2010PKI" and saves the request to E:\certrequest.req). A pending certificate signing request (CSR) now appears in the console.
Open E:\certrequest.req with Notepad.
Open Internet Explorer and connect to the CA web enrollment page on the CA server. On the CA welcome page: "Request a certificate" --> "Submit an advanced certificate request" --> paste the content of certrequest.req into "Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)" --> Certificate Template: "Web Server" --> "Submit" --> "Download certificate" and save it to E:\.
Back in the Exchange Management Console --> Server Configuration --> right-click the pending CSR --> "Complete Pending Request" --> select the certificate just downloaded to E:\.
After the import succeeds, right-click the certificate "Exchange2010PKI" --> "Assign Services to Certificate" and assign IIS (and SMTP if wanted).
Once the services are assigned, the other Microsoft Exchange self-signed certificates can be deleted. Check that no service you still use remains bound to them first.
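The IIS and Exchange steps of sections 3.3 and 3.4 as one scripted pass, added here as an example; it is not part of the original guide. It is meant to be run in the Exchange Management Shell, elevated, on the Exchange 2010 server. The server FQDN, the CA configuration string and the certificate file name are placeholders (the guide does not give them); the Windows feature name Web-Client-Auth and the WebAdministration module are assumed to be available on Windows Server 2008 R2. It also performs the certificate request with certreq instead of the CA web page, which is the same path the guide says is the only one available on Exchange 2007.

```powershell
# Added example (not from the original guide): scripts sections 3.3 and 3.4.
# Run in an elevated Exchange Management Shell on the Exchange 2010 server.
# Placeholders - assumptions, replace with your own values:
$ExchangeHost = "EXCHANGE2010"                  # NetBIOS name of the Exchange server (from the guide)
$ExchangeFqdn = "exchange2010.example.com"      # name clients use for OWA/EAS (placeholder)
$CaConfig     = "dc01.example.com\Example-CA"   # CA as "host\CA common name" (placeholder)
$ReqPath      = "E:\certrequest.req"            # request file used by the guide
$CerPath      = "E:\exchange2010.cer"           # issued certificate (placeholder name)

Import-Module ServerManager
Import-Module WebAdministration

# --- 3.3 IIS: Active Directory Client Certificate Authentication at the server level ---
# The feature has to be installed before it can be enabled (feature name assumed for 2008 R2).
if (-not (Get-WindowsFeature Web-Client-Auth).Installed) { Add-WindowsFeature Web-Client-Auth | Out-Null }
$mapFilter = "system.webServer/security/authentication/clientCertificateMappingAuthentication"
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter $mapFilter -Name enabled -Value $true

# --- 3.3 IIS: Default Web Site -> SSL Settings -> Require SSL, client certificates: Require ---
# Caveat: this covers every vdir under the site (Autodiscover, EWS, /rpc) unless overridden there.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl,SslNegotiateCert,SslRequireCert"

# --- 3.3 IIS: Configuration Editor -> clientCertificateMappingAuthentication/enabled = True ---
# The section is locked at the server level by default; unlock it so the per-application value is accepted.
& "$env:windir\system32\inetsrv\appcmd.exe" unlock config -section:$mapFilter | Out-Null
foreach ($app in @("owa", "Microsoft-Server-ActiveSync")) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$app" -Filter $mapFilter -Name enabled -Value $true
}

# --- 3.4 Exchange: OWA uses Integrated Windows authentication (forms auth must be off) ---
Set-OwaVirtualDirectory -Identity "$ExchangeHost\owa (Default Web Site)" `
    -FormsAuthentication $false -BasicAuthentication $false -DigestAuthentication $false -WindowsAuthentication $true

# --- 3.4 Exchange: ActiveSync requires client certificates ---
Set-ActiveSyncVirtualDirectory -Identity "$ExchangeHost\Microsoft-Server-ActiveSync (Default Web Site)" -ClientCertAuth Required

iisreset /noforce | Out-Null

# --- 3.4 Exchange: certificate request, issuance and assignment ---
# New-ExchangeCertificate -GenerateRequest returns the Base64 PKCS #10 request as a string.
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=$ExchangeFqdn" -DomainName $ExchangeFqdn, $ExchangeHost -FriendlyName "Exchange2010PKI"
Set-Content -Path $ReqPath -Value $csr

# Submit to the enterprise CA with the "Web Server" template (internal template name: WebServer).
certreq -submit -config $CaConfig -attrib "CertificateTemplate:WebServer" $ReqPath $CerPath

# Complete the pending request and assign services (equivalent of "Complete Pending Request" +
# "Assign Services to Certificate"). -Force suppresses the "overwrite default SMTP certificate" prompt.
$new = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS, SMTP -Force

# Remove the remaining self-signed Exchange certificates, as the guide does, keeping the new one.
Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned -and $_.Thumbprint -ne $new.Thumbprint } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }

# Verify the end state.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, IsSelfSigned, CertificateDomains -AutoSize
Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter $mapFilter -Name enabled
```

Before running it on a production server, decide whether the site-wide "Require" client certificate setting is really wanted; Outlook Anywhere and non-certificate mobile clients under the same site will stop working, which is the trade-off the guide's GUI steps make implicitly.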
4. Exchange OWA PKI access testing
Before the Windows 7 client is joined to the domain, edit its hosts file as shown below so the Exchange server name resolves, then open Internet Explorer and browse to the OWA address (https://exchange2010./owa). The result is shown below: the client has no certificate yet, so the request is rejected.
Now join the client to the domain and test again. The user certificate is auto-enrolled through the policy from 3.1 and the template from 3.2; after you enter the user name and password, the mailbox opens.

For Exchange 2007 the PKI configuration steps are the same as for Exchange Server 2010. The only difference is the Exchange server certificate request: on Exchange Server 2007 the certificate can only be requested with the Exchange Management Shell. For details, please refer to the link below:
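A scripted version of the test in section 4, added here as an example and not part of the original guide: it sends one OWA request without a client certificate and one with the user's auto-enrolled certificate and reports the HTTP status of each, so the 403.7 ("client certificate required") from the Default Web Site setting can be told apart from an authentication failure. The OWA URL is a placeholder (the guide's address is truncated); the certificate is assumed to be in the current user's Personal store with the Client Authentication EKU, which is what the duplicated User template issues. Written for the PowerShell 2.0 that ships with Windows 7, hence HttpWebRequest rather than Invoke-WebRequest.

```powershell
# Added example (not from the original guide): section 4 test from the Windows 7 client.
$OwaUrl = "https://exchange2010.example.com/owa/"   # placeholder for the guide's OWA address

function Test-OwaRequest {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true      # Integrated Windows auth once the client is domain-joined
    $req.AllowAutoRedirect = $false
    if ($Cert) { [void]$req.ClientCertificates.Add($Cert) }
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # A 403 (IIS sub-status 403.7 when no certificate is presented) arrives as a WebException
        # that still carries the response; anything without a response is a transport/TLS problem.
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode } else { throw }
    }
    return $status
}

# The certificate auto-enrolled from the AutoEnroll-User template: private key present,
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
$userCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.2" })
} | Select-Object -First 1

"Without client certificate: HTTP {0} (expected 403; IIS logs it as 403.7)" -f (Test-OwaRequest -Url $OwaUrl)

if ($userCert) {
    "With certificate '{0}': HTTP {1} (expected 200, or 302 into the mailbox)" -f `
        $userCert.Subject, (Test-OwaRequest -Url $OwaUrl -Cert $userCert)
} else {
    "No client-authentication certificate in Cert:\CurrentUser\My; the client is probably not domain-joined yet."
    "After joining, trigger auto-enrollment with: gpupdate /force  (or certutil -pulse) and rerun."
}
```

If the request with the certificate still returns 403, check that the certificate chains to the enterprise CA the Exchange server trusts and that "Active Directory Client Certificate Authentication" is enabled at the server level, not only on the owa application; a 401 instead points at the Windows authentication step rather than the certificate.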