REF: How to use Smart Cards with OWA & ROH? – Part 1

-

 

1. Outlook Anywhere 因為NTLM 驗證的關係, 確定是無法支援, 

2. 啟用 Smar Card 驗證for Exchange 2007 OWA, 將會改變 CAS 驗證方式從 form-based authentication 改為 整合驗證方式. 在此調整確定會改變OWA 的驗證方式, 由form-based 換成pop up 驗證視窗, 若要不影響現有的存取方式, 則必須新起CAS server 讓smar card reader 使用

3. 一般而言,表格式驗證無法在啟用了智慧卡的 OWA 中使用。表格式驗證表示使用者會透過標準 Outlook 表格,提交使用者名稱和密碼。然而,有了智慧卡的雙重關卡驗證,使用者只會有智慧卡,沒有密碼。因此表格式驗證將無法接受或提交只具有認證的驗證。在鏈結中任一處使用表格式驗證 (例如在 ISA Server 後方的前端伺服器),都會破壞啟用了智慧卡的 OWA 組態。若您啟用表格式驗證,Exchange 虛擬目錄會強制設定為基本驗證,因此 IIS Metabase 也會同時設定為基本驗證。

4. 如果在您的使用者群組中,有些會用使用者名稱/密碼,有些則用智慧卡,那麼您就可以啟用 ISA Web 接聽程式的後援驗證,當使用者在出現認證提示後按下 ESC 鍵,電腦就會提示使用者輸入標準使用者名稱/密碼認證,即使 Exchange Server 的 ISA Server 已啟用整合式驗證。此外,ISA Server 可以讓 SSL 工作階段逾時,方法和表格式驗證功能大同小異。


步驟:

Exchange Server 2007 CAS Configuration

You must enable integrated authentication on /OWA virtual directory. When you do this it will disable Forms Based Authentication. This can be done either trough the management console or the management shell.

Configure Integrated Windows Server Authentication

Just to remind you these steps are for a CAS to Exchange 2007 mailbox servers. Setting integrated authentication on the /Exchange virtual directory requires configuring additional Kerberos constrained delegation. This means mailboxes Exchange 2003 server will not work until KCD is configured correctly.

  1. Open the Exchange management Console.
  2. Expand Server configuration in the left pane, and highlight Client Access.
  3. In the middle pane highlight the internet facing CAS name.
  4. Open the properties of the OWA (Default Web Site).
  5. Select the User one or more standard authentication methods: radio check box.
  6. Select the Integrated Windows Authentication check box.
  7. Click OK.
  8. You will then be shown a dialog box that states IISReset /noforce must be run before changes become effective. Click OK to this box.
  9. From a command prompt, run iisreset /noforce. This will restart the IIS services.


Blog Extended Reading
1. REF: How to use Smart Cards with OWA & ROH? – Part 1
2. REF: How to use Smart Cards with OWA & ROH? – Part 2

More Information & Reference
1. 如何設定 Outlook Web Access 以使用智慧卡 (Exchange 2007)
2. How to use Smart Cards with OWA - But Why?
3. Multi-Factor authentication with Exchange Outlook Anywhere?
4. Two-factor authentication for Outlook Anywhere?
5. 使用智慧卡登入 Outlook Web Access (Exchange 2003)
6. 支援 Outlook Web Access 的智慧卡驗證的 Exchange Server 2003 的新功能的描述
7. Deepnet Unified Authentication
8. OWA 2007 Smartcard Enabled Login (Exchange 2007)
9. How to Configure Certificate Based Authentication for OWA - Part I (Exchange 2007)

image

Comments

Post a Comment

Popular posts from this blog

E15 CU3–Update Failed–AD replicated Exceeded the tombstone lifetime.

-
Image
  Exchange 2013 CU3 The naming context is in the process of being removed or is not replicated http://technet.microsoft.com/en-us/library/replication-error-8452-the-naming-context-is-in-the-process-of-being-removed-or-is-not-replicated-from-the-specified-server(v=ws.10).aspx   C:\> REPADMIN /SHOWREPS Root\RDC01 DSA Options: IS_GC Site Options: (none) DSA object GUID: f1694974-47c4-4555-a214-db3c86854aeb DSA invocationID: f1694974-47c4-4555-a214-db3c86854aeb ==== INBOUND NEIGHBORS ====================================== CN=Schema,CN=Configuration,DC=lab7,DC=root     TW\AD02 via RPC         DSA object GUID: bfcc1053-e1da-46fd-8b9d-179c79921331         Last attempt @ 2013-12-19 17:
Read more

202301 - Exchange onpreme - PowerShell Serialization Payload Signing

-
Image
Released: January 2023 Exchange Server Security Updates https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2023-exchange-server-security-updates/ba-p/3711808 https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SerializedDataSigningCheck/ 1.  Update KB5022143 (Exchange SU) 2. Run latest HealthCherker 3.  PowerShell Serialization Payload Signing https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SerializedDataSigningCheck/ Certificate signing of PowerShell serialization payload in Exchange Server https://support.microsoft.com/en-us/topic/certificate-signing-of-powershell-serialization-payload-in-exchange-server-90fbf219-b0dd-4b2c-8a68-9d73b3309eb1 4.  MonitorExchangeAuthCertificate    https://microsoft.github.io/CSS-Exchange/Admin/MonitorExchangeAuthCertificate/ 5.                 New-SettingOverride -Name "EnableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=true&qu
Read more

E14–Bulk Create Mail Contact & Set-Contact

-
Image
  http://community.office365.com/en-us/w/exchange/579.aspx     Get-Contact | Export-Csv c:\temp\contact.csv Get-MailContact | Export-Csv c:\temp\Mailcontact.csv   [PS] Import-Csv .\Contact_Source.csv | % {New-MailContact -Name $_.Name -DisplayName $_.DisplayName -ExternalEmailAddress $_.ExternalEmailAddress -Alias $_.Alias -PrimarySmtpAddress $_.PrimarySMTPAddress -OrganizationalUnit "Contacts" -WhatIf }   [PS] >$Contacts = Import-Csv .\Contact_final.csv [PS] >$Contacts | foreach {Set-Contact $_.Name -Company $_.Company -Department $_.Department -Office $_.Office -Phone $_.Phone }
Read more