
= Description of the new feature in Exchange Server 2003 that supports Smart Card authentication to Outlook Web Access =

Article ID: 920209

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition

-



INTRODUCTION
This article describes a software update that adds a new feature in Microsoft Exchange Server 2003. This new feature supports Smart Card authentication to Microsoft Office Outlook Web Access. When this new feature is installed, users are no longer required to supply a username and password.



Software update information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
To install this software update, you must have the following network configuration:
 * Microsoft Windows Server 2003 must run in Native mode for the domain in which Kerberos Constrained Delegation (KCD) is configured.
 * You must raise each domain controller's domain level to Windows Server 2003 Domain Functional Level.
 * On the Exchange front-end servers, the KCD list must contain only back-end servers. The KCD list is maintained automatically after this software update is installed. Front-end servers must not be used to host other KCD-enabled programs. This is because the entries for the other programs will be removed if a missing Service Principal Name (SPN) is detected.
 * All front-end servers, back-end servers, and ISA servers for a configuration must be in the same domain.
 * No more than 600 back-end servers can be in the same domain as the front-end server.

To install this software update, you must have the following programs installed:
 * Microsoft Exchange Server 2003 Service Pack 2 (SP2)
 * Microsoft Windows Server 2003-based domain controllers

Additionally, we recommend that you include Microsoft Internet Security and Acceleration (ISA) Server 2006 as part of the solution. ISA Server 2006 can use KCD to securely publish the Outlook Web Access service.

KCD helps reduce potential attack vectors. It also provides several features to reduce the cost of ownership and administration of this solution.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

836993 How to obtain the latest service packs for Exchange Server 2003

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.



MORE INFORMATION
Windows Server 2003 supports the KCD authentication method. A server can use KCD to authenticate as a user over Kerberos. The term "constrained" refers to the fact that the list of servers to which an account can authenticate and the ports to which it can authenticate are limited.

The KCD list is stored in Active Directory and is composed of a list of Service Principal Names (SPNs). An SPN is a port number or service name that is combined with a host name in some format. The three components of a full SPN are PORT/HOST/REALM. For more information about KCD, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/c312ba01-318f-46ca-990e-a597f3c294eb1033.mspx?mfr=true

For the constrained delegation to work correctly, an accurate mapping of front-end servers to back-end servers must be maintained within the Active Directory directory service. After this software update is installed, the Exchange System Attendant service maintains the SPN list. The System Attendant behavior is controlled by a bit value that is set on the heuristic attribute of the server object in the Active Directory directory service.

The KCD list is monitored and maintained by adding all the back-end servers that are in the domain to the KCD list. No more than 600 back-end servers can be in the same domain as the front-end server because of the limit on the size of the msDS-AllowedToDelegate attribute in the Active Directory directory service.

The monitoring and maintenance of the KCD list occur when the server starts. The monitoring and maintenance of the KCD occur at an interval that is controlled by the following registry value:

Name: KCDPollingInterval

Type: REG_DWORD

Value:

This registry value specifies, in minutes, how frequently the KCD list must be validated and possibly updated. The value cannot be less than 15 minutes or greater than one week. By default, the value is 15 minutes.

To install the new feature that enables Microsoft Exchange Server 2003 to support Smart Card authentication to Outlook Web Access, follow these steps:

Configure Exchange Server 2003
 * 1) Install hotfix 920209 on all Exchange front-end servers that you want to enable as KCD front-end servers.
 * 2) Verify that the Exchange front-end servers support Integrated Authentication. To do this, follow these steps:
   * a) Start Exchange System Manager. To do this, click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
   * b) Expand the following folder:

Servers/ / Protocols/HTTP/Exchange Virtual Server

   * c) Right-click Exchange, and then click Properties.
   * d) On the Access tab, click Authentication.
   * e) Click to select the Integrated Windows Authentication check box.
   * f) Click to clear the Basic Authentication check box.
   * g) Click OK, and then click OK.
   * h) Repeat steps c to g for the Public virtual directory.
 * 3) Enable KCD in Exchange System Manager. To do this, follow these steps:
   * a) In System Manager, locate the administrative group in which you want to enable KCD.
   * b) Right-click the administrative group, and then click Properties.
   * c) Click to select the Enable Kerberos Constrained Delegation check box, and then click Modify.
   * d) Type the credentials for the KCD Service account.

Note The KCD Service account must have the Enable computers and user accounts to be trusted for delegation attribute configured in the Domain Group Policy object (GPO).

   * e) Click Apply, and then click OK.
 * 4) On each front-end server that you want to enable as a KCD front-end server, follow these steps:
   * a) In Exchange System Manager, right-click the server, and then click Properties.
   * b) On the General tab, verify that the This is a front-end server check box is selected to confirm that you are configuring a front-end server.
   * c) On the KCD-FE tab, click This server is a KCD-FE server for the organization.
   * d) Click Apply, click OK, and then restart the Exchange System Attendant Service.
   * e) Repeat these steps on each front-end server that you want to enable as a KCD front-end server.
 * 5) Restart Microsoft Internet Information Services (IIS) on all front-end and back-end computers to propagate the change in authentication mechanisms. To do this, type iisreset at a command prompt, and then press ENTER.

Configure ISA Server 2006
If you include ISA Server 2006 as part of the solution, follow these steps to configure ISA Server 2006:
 * 1) Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 * 2) Expand Arrays, expand the server name, and then click Firewall Policy.
 * 3) In the Firewall Policy Tasks area, click Publish Exchange Web Client Access.
 * 4) In the Exchange Publishing rule name box, type the name that you want to use for the rule, and then click Next.
 * 5) In the Exchange version list, click Exchange Server 2003, click to select the Outlook Web Access check box, and then click Next.
 * 6) Click Publish a single Web site or load balancer, and then click Next.

Note If you want to select Publish a server farm of load balanced Web servers, the SPN that is published must be http:/* instead of http:/<FQDN>.

 * 7) Click Use SSL to connect to the published Web server or server farm, and then click Next.
 * 8) In the Internal site name box, type the internal site name, and then click Next. For example, type the NETBIOS name of your front-end server.
 * 9) In the Public name box, type the FQDN of the server that users use to reach the site, and then click Next.
 * 10) On the Select Web Listener page, click New. The New Web Listener Wizard starts.
 * 11) In the Web listener name box, type the name of the new listener, and then click Next.
 * 12) On the Client Connection Security page, click Require SSL secured connections with clients, and then click Next.
 * 13) In the Listen for incoming Web requests on these networks list, click to select the External check box, and then click Select IP Addresses.
 * 14) Click Specified IP Addresses on the ISA Server computer in the selected network.
 * 15) In the Available IP Addresses list, click the IP address that you want to use, click Add, and then click OK.
 * 16) Click Next.
 * 17) In the Listener SSL Certificates screen, click Assign a certificate for each IP Address, and then click Select Certificate.
 * 18) Click the certificate that you want to use, and then click Select.
 * 19) Click Next.
 * 20) On the "Select how clients will provide credentials to ISA Server" page, click SSL Client Certificate Authentication, and then click Next.
 * 21) Click Next, and then click Finish.
 * 22) When you are prompted to enable this system policy rule, click Yes.
 * 23) On the Select Web Listener page, click Next.
 * 24) In the Select the method used by ISA Server to authenticate to the published Web server list, click Kerberos constrained delegation.
 * 25) In the Type the Service Principal Name (SPN) used by ISA Server for Kerberos constrained delegation box, type the SPN that is used by ISA for KCD, and then click Next.
 * 26) Click All Authenticated Users, click Next, and then click Finish.
 * 27) When you receive the following message, click OK:

For Kerberos constrained delegation to work, you must configure Active Directory to allow ISA Server to delegate authentication to the selected service principal names (SPN).

 * 28) Close ISA Server Management.
 * 29) When you receive the following message, click Apply.

Do you want to apply the changes before closing ISA Server Management?

 * 30) When you are prompted that the changes have been saved, click OK.

To configure Active Directory to allow ISA Server to delegate authentication to the selected SPNs, follow these steps.

Note If an ISA Array of multiple servers exists, repeat this procedure for each server in the array.
 * 1) Start Active Directory Users and Computers. To do this, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Locate the Computers container, right-click the name of the computer that is running ISA Server 2006, and then click Properties.
 * 3) Click the Delegation tab, click Trust this computer for delegation to specified services only, click Use any authentication protocol, and then click Add.
 * 4) Click Users or Computers, and then click the Exchange front-end server.
 * 5) Click http in the Service list, and then click OK.
 * 6) Click OK.
 * 7) If more than one front-end Exchange server exists, repeat steps 2 to 6 for each front-end server.
 * 8) In ISA Server Manager, click the Firewall policy that you created, and then click Apply.
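As an added example (not code from the KB article or from Microsoft), the following PowerShell script audits the settings that the KCD list description and the Active Directory procedure above produce, by reading msDS-AllowedToDelegateTo and userAccountControl from Active Directory through System.DirectoryServices. Server names are placeholders, and it assumes the front-end server's KCD list is held on the front-end computer account; if your deployment keeps it on the KCD Service account, point the second check at that account instead.

```powershell
# Added audit script (not from the KB article); names below are placeholders.
$IsaComputer = 'ISA01'                 # placeholder: ISA Server 2006 computer
$FrontEnds   = @('OWAFE01')            # placeholder: Exchange front-end server(s)
$BackEnds    = @('EXBE01', 'EXBE02')   # placeholder: Exchange back-end server(s)
# Documented userAccountControl bits that the Delegation tab controls
$TRUSTED_FOR_DELEGATION         = 0x80000    # delegate to any service (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"
function Get-ComputerAccount([string]$Name) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Computer account '$Name' not found in Active Directory" }
    return $result
}
# Short host name of an SPN, e.g. http/owafe01.corp.example.com:80 -> owafe01
function Get-SpnHost([string]$Spn) {
    return $Spn.Split('/')[1].Split(':')[0].Split('.')[0].ToLower()
}
function Test-KcdDelegation {
    $findings = @()
    # 1. ISA computer account: constrained delegation to http/<front-end> only
    $isa  = Get-ComputerAccount $IsaComputer
    $uac  = [int]$isa.Properties['useraccountcontrol'][0]
    $list = @($isa.Properties['msds-allowedtodelegateto'])
    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        $findings += "$IsaComputer is trusted for unconstrained delegation; select 'specified services only'"
    }
    if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
        $findings += "$IsaComputer is missing 'Use any authentication protocol' (step 3 above)"
    }
    foreach ($fe in $FrontEnds) {
        $match = $list | Where-Object { $_ -like 'http/*' -and (Get-SpnHost $_) -eq $fe.ToLower() }
        if (-not $match) { $findings += "$IsaComputer has no http SPN for front-end $fe" }
    }
    # 2. Each front-end's KCD list: back-end servers only, at most 600 entries
    foreach ($fe in $FrontEnds) {
        $feList = @((Get-ComputerAccount $fe).Properties['msds-allowedtodelegateto'])
        if ($feList.Count -gt 600) { $findings += "$fe delegates to $($feList.Count) SPNs (limit is 600)" }
        foreach ($spn in $feList) {
            if ($BackEnds -notcontains (Get-SpnHost $spn)) {
                $findings += "$fe delegates to $spn, which is not a back-end server"
            }
        }
    }
    return $findings
}
Test-KcdDelegation
```

An empty result means every check passed; each line returned names the account and the setting that differs from the configuration described above.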

For more information about the ISA Authentication model, visit the following Microsoft Web site:

http://www.microsoft.com/technet/isa/2006/authentication.mspx

For more information about an issue in which SSL sites do not work with FIPS-compliant cryptography, click the following article number to view the article in the Microsoft Knowledge Base:

811834 Cannot visit SSL sites after you enable FIPS compliant cryptography

Additional query words: EX2003 OWA

Keywords: kbexpertiseinter kbqfe kbfix kbbug kbpubtypekc KB920209

-


© Microsoft Corporation. All rights reserved.