Exchange 2010 PKI Configuration Guide

zengzb, 2012-10-23

Overview

1. Summary
2. Environment
3. Configuration
   a) Active Directory Configuration
   b) CA Configuration
   c) Exchange Server IIS Configuration
   d) Exchange Configuration
4. Exchange OWA PKI access testing

1. Summary

This guide describes how to configure Exchange 2010 for PKI (client certificate) authentication.

2. Environment

This document was written for a single-domain environment in which the CA role is installed on the domain controller.

Item  Operating System        IP address    Host Name      Function
1     Windows Server 2008 R2  10.100.5.181  Win2k8dc.      Domain Controller
2     Windows Server 2008 R2  10.100.5.181  Win2k8dc       Enterprise Root CA
3     Windows Server 2008 R2  10.100.5.183  Exchange 2010  Exchange Server
4     Windows 7 Enterprise    10.100.5.180  Client         OWA Access testing

3. Configuration

3.1 Windows Server 2008 R2 Active Directory Configuration

On the Active Directory domain controller:

--> open Group Policy Management
--> Domains
--> select the domain “”
--> right-click “Default Domain Policy”
--> Edit
--> User Configuration
--> Security Settings
--> Public Key Policies
--> in the right pane, open “Certificate Services Client – Auto-Enrollment”

Check “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates”, then click “OK” to save.

3.2 Windows Server 2008 R2 CA Configuration

Open the Certification Authority console
--> Certificate Templates
--> Manage

In the Certificate Templates Console:
--> right-click the “User” template
--> Duplicate Template
--> choose “Windows Server 2003 Enterprise”

In the new template's properties:
--> General tab: set Template display name to “AutoEnroll-User”
--> Security tab: grant the users who should auto-enroll the Read, Enroll and Autoenroll permissions

Click “OK” to save it, then go back to “Certificate Templates” in the Certification Authority console:
--> New
--> Certificate Template to Issue
--> select the template just created, “AutoEnroll-User”, and click “OK”

The template now appears in the right pane under “Certificate Templates”.

3.3 IIS Configuration

Open “Internet Information Services (IIS) Manager”
--> EXCHANGE2010 (C6F1R1\administrator)
--> Authentication
--> enable “Active Directory Client Certificate Authentication”

Select “Sites”
--> Default Web Site
--> SSL Settings
--> check “Require SSL”
--> under Client certificates, select “Require”

Exchange OWA SSL setting:
--> go back to Sites
--> Default Web Site
--> owa
--> SSL Settings (same settings as for the Default Web Site)

Exchange OWA client certificate authentication setting:
--> owa
--> Configuration Editor
--> Section drop-down
--> system.webServer
--> security
--> authentication
--> clientCertificateMappingAuthentication
--> enabled: change the value from False to True

Exchange Microsoft-Server-ActiveSync setting:
--> Sites
--> Default Web Site
--> Microsoft-Server-ActiveSync
--> SSL Settings (same settings as for the Default Web Site)

Exchange Microsoft-Server-ActiveSync client certificate authentication setting:
--> Microsoft-Server-ActiveSync
--> Configuration Editor
--> Section drop-down
--> system.webServer
--> security
--> authentication
--> clientCertificateMappingAuthentication
--> enabled: change the value from False to True
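
The IIS Manager steps above, expressed as a WebAdministration script run on the Exchange 2010 server; this is an added example, not the guide's own commands. It assumes the site and virtual directory names used in the guide (Default Web Site, owa, Microsoft-Server-ActiveSync).

```powershell
# Added example (not from the original guide): the IIS Manager steps of 3.3 as
# a WebAdministration script run on the Exchange 2010 server. Site and virtual
# directory names are the guide's (Default Web Site, owa, Microsoft-Server-ActiveSync).
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$site    = 'Default Web Site'
$ccmAuth = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$vdirs   = 'owa', 'Microsoft-Server-ActiveSync'

# Server level: "Active Directory Client Certificate Authentication". The role
# service behind it is installed with: Add-WindowsFeature Web-Client-Auth
Set-WebConfigurationProperty -PSPath $appHost -Filter $ccmAuth -Name enabled -Value $true

# Default Web Site: Require SSL + client certificates "Require" (the SSL Settings step)
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# owa and Microsoft-Server-ActiveSync: the Configuration Editor change
# (clientCertificateMappingAuthentication enabled: False -> True)
foreach ($vdir in $vdirs) {
    Set-WebConfigurationProperty -PSPath $appHost -Location "$site/$vdir" `
        -Filter $ccmAuth -Name enabled -Value $true
}

# Verify the result: each virtual directory should report True, and the site
# sslFlags should read Ssl,SslNegotiateCert,SslRequireCert
foreach ($vdir in $vdirs) {
    $enabled = (Get-WebConfigurationProperty -PSPath $appHost -Location "$site/$vdir" `
        -Filter $ccmAuth -Name enabled).Value
    "{0}: clientCertificateMappingAuthentication enabled = {1}" -f $vdir, $enabled
}
Get-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags
```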

3.4 Exchange 2010 Configuration

Open the Exchange Management Console
--> select “Client Access”
--> select the “Outlook Web App” tab in the right pane
--> in the owa (Default Web Site) Properties, select “Use one or more standard authentication methods”
--> select “Integrated Windows authentication”, then restart IIS

Select the “Exchange ActiveSync” tab
--> in the Microsoft-Server-ActiveSync (Default Web Site) Properties
--> Client certificate authentication
--> select “Require client certificates”

In the Exchange Management Console
--> select “Server Configuration”
--> click “New Exchange Certificate” in the Actions pane

You will now see one pending certificate signing request (CSR) in the Exchange Management Console.

Open the certificate request file E:\certrequest.req with Windows Notepad.

Open Internet Explorer (IE) and connect to the CA server to request the certificate for Exchange.

On the CA welcome page:
--> Select a task
--> Request a certificate
--> Submit an advanced certificate request
--> “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
--> paste the content of “certrequest.req” into “Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)”
--> Certificate Template: select “Web Server”
--> click “Submit”
--> click “Download certificate” and save it to E:\

Go back to the Exchange Management Console
--> select “Server Configuration”
--> select the pending certificate signing request (CSR)
--> right-click it and select “Complete Pending Request”
--> select the certificate just downloaded to the E:\ drive

After the certificate is imported successfully:
--> right-click the certificate “Exchange2010PKI”
--> Assign Services to Certificate

After the services are assigned successfully, you can delete the other Microsoft Exchange self-signed certificates.
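
The same section 3.4 steps in the Exchange Management Shell on Exchange 2010, as an added example (not the guide's own commands). The server name exchange2010, the E:\ paths and the friendly name Exchange2010PKI follow the guide; the DNS suffix and the downloaded file name certnew.cer are assumptions.

```powershell
# Added example (not the guide's own commands): section 3.4 in the Exchange
# Management Shell on Exchange 2010. Server name "exchange2010", the E:\ paths
# and the friendly name "Exchange2010PKI" follow the guide; the DNS suffix and
# the downloaded file name certnew.cer are assumptions to adjust.
$server = 'exchange2010'
$fqdn   = "$server.<your-domain>"   # placeholder for the domain elided in the guide

# Outlook Web App: standard authentication, Integrated Windows authentication only
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -FormsAuthentication $false -BasicAuthentication $false -WindowsAuthentication $true

# Exchange ActiveSync: require client certificates
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ClientCertAuth Required
iisreset   # the guide restarts IIS after changing the OWA authentication method

# Generate the CSR (the "New Exchange Certificate" wizard) and save it as E:\certrequest.req
$csr = New-ExchangeCertificate -GenerateRequest -FriendlyName 'Exchange2010PKI' `
    -SubjectName "CN=$fqdn" -DomainName $fqdn, $server -PrivateKeyExportable $true
Set-Content -Path 'E:\certrequest.req' -Value $csr -Encoding Ascii

# Submit E:\certrequest.req to the CA web enrollment page with the "Web Server"
# template, as in the guide, and save the issued certificate as E:\certnew.cer.
# Then complete the pending request ("Complete Pending Request" in the EMC):
$cert = Import-ExchangeCertificate `
    -FileData ([byte[]](Get-Content -Path 'E:\certnew.cer' -Encoding Byte -ReadCount 0))

# Assign the IIS service (OWA and ActiveSync) to the new certificate
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Check: the certificate bound to IIS should be the one just imported
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List FriendlyName, Subject, Thumbprint, NotAfter
```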

4. Exchange OWA PKI access testing

Before the Win7 client is joined to the domain “”:
--> change the hosts file as below

--> open IE and type the OWA address to access the Exchange mailbox
--> https://exchange2010./owa; you will see the result below

Now let's join the client to the domain “” and test again.

After typing the user name and password, you can successfully access your mailbox.

For Exchange 2007 the PKI configuration steps are the same as for Exchange Server 2010; the only difference is the Exchange server certificate request. In Exchange Server 2007 the certificate can only be requested with the Exchange Management Shell. For details, please refer to the link below:

http://technet.microsoft.com/en-us/library/aa995942.aspx
