Description of the new feature in Exchange Server 2003 that supports Smart Card authentication to Outlook Web Access

This article describes a software update that adds a new feature in Microsoft Exchange Server 2003. This new feature supports Smart Card authentication to Microsoft Office Outlook Web Access. When this new feature is installed, users are no longer required to supply a username and password.

Software update information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To install this software update, you must have the following network configuration:

• Microsoft Windows Server 2003 must run in Native mode for the domain in which Kerberos Constrained Delegation (KCD) is configured.
• You must raise each domain controller's domain level to Windows Server 2003 Domain Functional Level.
• On the Exchange front-end servers, the KCD list must contain only back-end servers. The KCD list is maintained automatically after this software update is installed. Front-end servers must not be used to host other KCD-enabled programs. This is because the entries for the other programs will be removed if a missing Server Principle Name (SPN) is detected.
• All front-end servers, back-end servers, and ISA servers for a configuration must be in the same domain.
• No more than 600 back-end servers can be in the same domain as the front-end server.

To install this software update, you must have the following programs installed:

• Microsoft Exchange Server 2003 Service Pack 2 (SP2)
• Microsoft Windows Server 2003-based domain controllers

Additionally, we recommend that you include Microsoft Internet Security and Acceleration (ISA) Server 2006 as part of the solution. ISA Server 2006 can use KCD to securely publish the Outlook Web Access service.

KCD helps reduce potential attack vectors. It also provides several features to reduce the cost of ownership and administration of this solution.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 supports the KCD authentication method. A server can use KCD to authenticate as a user over Kerberos. The term "constrained" refers to the fact that the list of servers to which an account can authenticate and the ports to which it can authenticate are limited.

The KCD list is stored in Active Directory and is composed of a list of Service Principle Names (SPNs). An SPN is a port number or service name that is combined with a host name in some format. The three components of a full SPN are PORT/HOST/REALM. For more information about KCD, visit the following Microsoft Web site: For the constrained delegation to work correctly, an accurate mapping of front-end servers to back-end servers must be maintained within the Active Directory directory service. After this software update is installed, the Exchange System Attendant service maintains the SPN list. The System Attendant behavior is controlled by a bit value that is set on the heuristic attribute of the server object in the Active Directory directory service.

The KCD list is monitored and maintained by adding all the back-end servers that are in the domain to the KCD list. No more than 600 back-end servers can be in the same domain as the front-end server because of the limit on the size of the msDS-AllowedToDelegate attribute in the Active Directory directory service.

The monitoring and maintenance of the KCD list occur when the server starts. The monitoring and maintenance of the KCD occur at an interval that is controlled by the following registry value: Name: KCDPollingInterval
Type: REG_DWORD
Value: Number_Of_Minutes_Between_KCD_List_Validation
This registry value specifies in minutes how frequently the KCD list must be validated and possibly updated. The value cannot be less than 15 minutes nor can it be later than one week. By default, the value is 15 minutes.

To install the new feature that enables Microsoft Exchange Server 2003 to support Smart Card authentication to Outlook Web Access, follow these steps:

Configure Exchange Server 2003

1. Install hotfix 920209 on all Exchange front-end Servers that you want to enable as KCD front-end servers.
2. Verify that the Exchange front-end servers support Integrated Authentication. To do this, follow these steps:
   1. Start Exchange System Manager. To do this, click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
   2. Expand the following folder:
      Servers/Exchange_Server_Name/ Protocols/HTTP/Exchange Virtual Server
   3. Right-click Exchange, and then click Properties.
   4. On the Access tab, click Authentication.
   5. Click to select the Integrated Windows Authentication check box.
   6. Click to clear the Basic Authentication check box.
   7. Click OK, and then click OK.
   8. Repeat steps c to g for the Public virtual directory.
3. Enable KCD in Exchange System Manager. To do this, follow these steps.
   Note The KCD Service account must have additional permissions in Active Directory.
   1. In the Domain Controller Group Policy Object, configure the Enable computer and user accounts to be trusted for delegation attribute for the KDC Service account.
   2. The KCD Service account must be granted write permission to the MSDS-AllowedToDelegateTo and userAccountControl attributes on the front end server computer objects in Active Directory. To do this, use the the Advanced permissions tab in Active Directory Users and Computers or use ADSI Edit.
   3. In System Manager, locate the administrative group in which you want to enable KCD.
      1. Right-click the administrative group, and then click Properties.
      2. Click to select the Enable Kerberos Constrained Delegation check box, and then click Modify.
      3. Type the credentials for the KCD Service account.
      4. Click Apply, and then click OK.
4. On each front-end server that you want to enable as a KCD front-end server, follow these steps:
   1. In Exchange System Manager, right-click the server, and then click Properties.
   2. On the General tab, verify that the This is a front-end server check box is selected to confirm that you are configuring a front-end server.
   3. On the KCD-FE tab, click This server is a KCD- FE server for the organization.
   4. Click Apply, click OK, and then restart the Exchange System Attendant Service.
   5. Repeat these steps on each front-end server that you want to enable as a KCD front-end server.
5. Restart Microsoft Internet Information Services (IIS) on all front-end and back-end computers to propagate the change in authentication mechanisms. To do this, type iisreset at a command prompt, and then press ENTER.

Configure ISA Server 2006

If you include ISA Server 2006 as part of the solution, follow these steps to configure ISA Server 2006:

1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand Arrays, expand the server name, and then click Firewall Policy.
3. In the Firewall Policy Tasks area, click Publish Exchange Web Client Access.
4. In the Exchange Publishing rule name box, type the name that you want to use for the rule, and then click Next.
5. In the Exchange version list, click Exchange Server 2003, click to select the Outlook Web Access check box, and then click Next.
6. Click Publish a single Web site or load balancer, and then click Next.
   
   Note If you want to select Publish a server farm of load balanced Web servers, the SPN that is published must be http:/* instead of http:/<FQDN>.
7. Click Use SSL to connect to the published Web server or server farm, and then click Next.
8. In the Internal site name box, type the internal site name, and then click Next. For example, type the NETBIOS name of your front-end server.
9. In the Public name box, type the FQDN of the server that users use to reach the site, and then click Next.
10. On the Select Web Listener page, click New. The New Web Listener Wizard starts.
11. In the Web listener name box, type the name of the new listener, and then click Next.
12. On the Client Connection Security page, click Require SSL secured connections with clients, and then click Next.
13. In the Listen for incoming Web requests on these networks list, click to select the External check box, and then click Select IP Addresses.
14. Click Specified IP Addresses on the ISA Server computer in the selected network.
15. In the Available IP Addresses list, click the IP address that you want to use, click Add, and then click OK.
16. Click Next.
17. In the Listener SSL Certificates screen, click Assign a certificate for each IP Address, and then click Select Certificate.
18. Click the certificate that you want to use, and then click Select.
19. Click Next.
20. In the "Select how clients will provide credentials to ISA Server" page, click SSL Client Certificate Authentication, and then click Next.
21. Click Next, and then click Finish.
22. When you are prompted to enable this system policy rule, click Yes.
23. On the Select Web Listener page, click Next.
24. In the Select the method used by ISA Server to authenticate to the published Web server list, click Kerberos constrained delegation.
25. In the Type the Service Principal Name (SPN) used by ISA Server for Kerberos constrained delegation box, type the SPN that is used by ISA for KCD, and then click Next.
26. Click All Authenticated Users, click Next, and then click Finish.
27. When you receive the following message, click OK:
    For Kerberos constrained delegation to work, you must configure Active Directory to allow ISA Server to delegate authentication to the selected service principal names (SPN).
28. Close ISA Server Management.
29. When you receive the following message, click Apply.
    Do you want to apply the changes before closing ISA Server Management?
30. When you are prompted that the changes have been saved, click OK.

To configure Active Directory to allow ISA Server to delegate authentication to the selected SPNs, follow these steps.

Note If an ISA Array of multiple servers exists, repeat this procedure for each server in the array.

1. Start Active Directory Users and Computers. To do this, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Locate the Computers container, right-click the name of the computer that is running ISA Server 2006, and then click Properties.
3. Click the Delegation tab, click Trust this computer for delegation to specified services only, click Use any authentication protocol, and then click Add.
4. Click Users or Computers, and then click the Exchange front-end server.
5. Click http in the Service list, and then click OK.
6. Click OK.
7. If more than one front-end Exchange server exists, repeat steps 2 to 6 for each front-end server.
8. In ISA Server Manager, click the Firewall policy that you created, and then click Apply.

For more information about the ISA Authentication model, visit the following Microsoft Web site: For more information about an issue in which SSL sites do not work with FIPS-compliant cryptography, click the following article number to view the article in the Microsoft Knowledge Base: