Enhance Outlook Web Access Publishing Security with Client Certificate Authentication

 

OWA Publishing can be made even more secure by requiring a client certificate from the remote OWA client. The ISA Server 2000 Incoming Web Requests listener can be configured to require a client certificate from the remote OWA user before the user even submits a user name and password to log into the OWA Web site. Client certificate authentication at the Incoming Web Requests listener prevents users without the appropriate client certificate from submitting credentials to the OWA Web site and thus effectively prevents dictionary or brute force attacks against the OWA site.

 

The client certificate can be obtained from a commercial certificate authority, or you can create a Microsoft Certificate Server (CA) and issue client certificates from it. You can issue a client certificate to each user, or you can create a “group certificate” and allow all OWA users to use the same client certificate to connect to the ISA Server’s external interface. Individual certificates can confer a high level of security and accountability, but a group certificate requires much less administrative overhead because you don’t have to map each of the individual user certificates to the user account in the Active Directory.

 

You install the client certificate (user certificate) on the Web browser connecting to the OWA Web site. The user will be requested to provide a user certificate when connecting to the OWA Web site via the ISA Server OWA Web Publishing Rule. The user selects a user certificate from the list of certificates and sends that certificate to the ISA Server. The certificate is mapped to a user account in the Active Directory. If that user is allowed to access the OWA Web site, then the user is prompted for credentials by the OWA Web site. If the credentials are valid, then access to the OWA site is granted.

 

Note that the only time the Incoming Web Requests listener can accept authentication in addition to the OWA site requesting authentication is when you use client certificate authentication. The user authenticates to the ISA Server firewall’s Incoming Web Requests listener using the client certificate. After the ISA Server firewall’s Incoming Web Requests listener authenticates the client, then the user authenticates with the OWA site using basic credentials that are protected by an SSL link. The ISA Server generates the authentication request for the client certificate; the OWA site generates the authentication request for user name and password (which are sent using basic authentication).

 

In contrast, you can not require basic or integrated authentication with the Incoming Web Requests listener on the ISA Server firewall and require authentication at the OWA site. In situations where client certificate authentication is not used on the Incoming Web Request listener, you must choose to authenticate at the firewall or at the Web site. The end result is that if you wish to authenticate at both the firewall and the OWA site, then you must use client certificate authentication at the firewall.

 

The following procedures are required to enhance OWA Web Publishing security using client certificate authentication:

 

·         Install a Microsoft enterprise CA

 

The enterprise CA allows you to easily issue certificates to users and machines. The enterprise CA also allows you to automatically issue certificates to domain members via Group Policy

 

·         Configure the Incoming Web Requests Listener to require client certificate authentication and configure the OWA Web Publishing Rule to require authentication

 

All authentication methods except client certificate authentication are disabled on the Incoming Web Requests listener. This forces remote OWA clients to present a client certificate before connection to the OWA Web site

 

·         Create a Group Certificate for the OWA Users and Configure a one-to-one mapping for a user certificate to allow a “group” certificate to be used to access the Incoming Web Requests listener

 

You can improve the security for your OWA publishing solution by requiring a client certificate before user credentials are accepted. You can create a group certificate that all users who need to connect to the OWA site can use to authenticate to the ISA Server firewall.

 

The client certificate presented by the OWA client must be mapped to a user account in the Active Directory. You can use a single “group” certificate and map this to a user account dedicated to OWA access, or you can issue a certificate to all OWA users and map their certificates to their user account. Issuing each user a certificate and mapping it to their user account allows for higher security and accountability, but there is far less administrative overhead when using a group certificate. This ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document will discuss the steps required to map a group certificate to an account in the Active Directory.

 

·         Install the group certificate into the OWA client browser

 

The group client certificate must be installed on the browser clients. You can copy the client certificate to the machines that will be OWA clients and install the client certificate in the local user’s certificate store

 

·         Test client certificate authentication to the Incoming Web Requests listener

 

At the end of this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit article you will see how the OWA client connects to the OWA Web site that’s protected by the ISA Server when using client certificate authentication

 

The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document assumes that you have already created a secure OWA Web Publishing Rule. The remainder of this document covers the detailed procedures required to enhance OWA Web Publishing using client certificate authentication on the Incoming Web Requests listener.

 

 

 

Install a Microsoft enterprise CA

 

An enterprise Certificate Authority (CA or Certificate Server) has several advantages over a standalone CA. Two of the primary advantages of using an enterprise CA are that you can use autoenrollment to automatically deploy machine and user certificates to all domain members and that you can use the Certificates MMC stand-alone snap-in to request and install a certificate from an online enterprise CA.

 

You can install an enterprise CA on a domain member in the same domain as the front-end Exchange Server and the ISA Server 2000 firewall. This configuration allows you to request Web site certificates for the OWA, SMTP, POP3 and IMAP4 sites from an online certificate authority and install them immediately.

 

In addition, all Exchange Servers and the ISA Server 2000 firewall can request certificates from the online enterprise CA and install them immediately. This simplifies the task of creating the SSL link between the ISA Server 2000 firewall and Exchange Server, as well as making it easier to create a working IPSec Policy based on certificate authentication to secure the communications between the front-end and back-end Exchange Servers.

 

Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document Creating an enterprise CA for more information on how to create an enterprise CA and ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents Issuing certificates via the MMC snap-in and Issuing certificates via autoenrollment

 

 

 

Configure the Incoming Web Requests Listener to Require Client Authentication and Configure the Web Publishing Rule to Request Authentication

 

Remote clients can authenticate with the Incoming Web Requests listener using several different methods. We want to enforce client certificate authentication by allowing only client certificate authentication on the Incoming Web Requests listener and removing all other authentication options.

 

Perform the following steps to force client certificate authentication on the Incoming Web Requests listener:

 

1. Open the ISA Management console and expand the Servers and Array node. Right click on your server name and click the Properties command (figure 1).

 

Figure 1

 

2. Click on the Incoming Web Requests tab on the server’s Properties dialog box (figure 2). Select the listener that was configured by the OWA Web Publishing Wizard and click the Edit button.

 

Note:
I have assumed that you have already run the OWA Publishing Wizard. If you have not run the OWA Publishing Wizard, please do so before making the configuration changes to the ISA Server firewall that require client certificate authentication at the Incoming Web Request listener.

 

Figure 2

 

3. Put a checkmark in the Client certificate (secure channel only) checkbox. Remove the checkmark from the Integrated, Digest with this domain and Basic with this domain checkboxes (figure 3). Leave the checkmark in the Use a server certificate to authenticate to web clients checkbox. You need that enabled so that the Incoming Web Requests listener can negotiate an SSL connection with the OWA clients.

 

Click OK.

 

Figure 3

 

4. Click Apply in the server’s Properties dialog box (figure 4).

 

Figure 4

 

5. Select the Save the changes and restart the service(s) option to restart the Web proxy service (figure 5).

 

Figure 5

 

6. Click OK on the server’s Properties dialog box (figure 6).

 

Figure 6

 

Now that the Incoming Web Requests listener is configured to accept only client certificate authentication, the next step is to configure the OWA Web Publishing Rule to limit connections to authenticated clients. When you set up the rule to allow only authenticated clients, the authentication takes place at the firewall first. After the remote OWA client authenticates to the firewall, then the OWA Web site requests authentication. This provides “two factor” authentication: one factor is certificate authentication; the second is the conventional basic user name/password authentication.

 

Perform the following steps to force authentication at the Incoming Web Requests listener on the firewall:

 

1.       Expand the Publishing node and click on the Web Publishing Rules node (figure 7). Right click on the OWA Web Publishing Rule and click Properties.

 

Figure 7

 

 

2.       In the OWA Web Publishing Rule’s Properties dialog box, click on the Applies To tab (figure 8). Select the Users and groups specified below option and click the Add button.

 

Figure 8

 

3.       Select the domain group you want to access the OWA site. In this example we have created a group named OWA Users and added user accounts for users allowed to access the OWA site. We’ll enter this group into the Select Users or Groups dialog box and click OK (figure 9).

 

Figure 9

 

4.       The OWA group now appears in the list of Applies to requests coming from list (figure 10). Click Apply and then click OK.

 

Figure 10

 

 

 

Create a Group Certificate for the OWA Users and Configure a one-to-one mapping for a User Certificate to allow the “Group” Certificate to be Used to Access the Incoming Web Requests Listener

 

The group certificate is a client certificate that all users who need to the OWA site through the ISA Server can present to the Incoming Web Requests listener to access the site. Steps involved with creating the group certificate include:

 

·         Creating a user account with the name of the group certificate

·         Logging into a machine on the internal network with the user account created for the OWA group certificate

·         Request a client certificate from the enterprise CA

·         Export the client certificate to a file

 

When a user requests a certificate, that certificate is automatically associated with the user account that requested the certificate. However, that certificate is not mapped to the user account; the certificate mapping represents a second administrative action on your part. While you have the option of mapping each user’s user certificate to his account, it is more convenient to use a group certificate and installing this “group” user certificate on each computer you wish allow OWA access.

 

It’s important to note that you must have administrative control over the machines that you install this group certificate on to. Do not let users install client certificates. Certificate authentication is a high security option and if the certificate management extends outside of your administrative control, the certificate can be used as a powerful mechanism to launch an attack against your network.

 

Note:
Certificate authentication is not an “easy access” control mechanism. It is a high security access control mechanism that requires human eyes to confirm and manage. Automation reduces the level of security. Do not allow users or automation mechanisms to subvert your certificate authentication methods.

 

Perform the following steps to create the user account for the group certificate:

 

1.       Click Start and then point to Administrative Tools. Click on Active Directory Users and Computers. Right click on your domain name, point to View and click on Advanced Features. Expand the domain name and right click on the Users node. Point to New and click User (figure 11).

 

Figure 11

 

2.       Fill in the user information for your group account in the New Object – User dialog box (figure 12). Click Next.

 

Figure 12

 

3.       On the password page, enter a complex password in the Password and Confirm password text boxes. Users will not need to enter this password, so you do not need to be concerned about them remembering a very complex password. Remove the checkmark from the User must change password at next logon checkbox. Put a checkmark in the User cannot change password and Password never expires checkboxes. Click Next (figure 13).

 

Figure 13

4.       Remove the checkmark from the Create an Exchange mailbox checkbox (figure 14). The group user account does not need a mailbox on the Exchange Server. Click Next.

 

Figure 14

 

5.       Review the settings and click Finish (figure 15).

 

Figure 15

 

The group user account can now request a user certificate. You can use the browser on the domain controller, or any other machine on the network. After you request the user certificate, you can export this certificate to a file and distribute the certificate to machines requiring access to the OWA Web site.

 

Perform the following steps to obtain the user certificate:

 

1.       Open Internet Explorer and type in the URL to the Web enrollment site for the enterprise CA. The format is http://<ip_address>/certsrv or http://<fqdn>/certsv. Fill in the user credentials for the group user account in the Enter Network Password dialog box (figure 16) and click OK.

 

Figure 16

 

2.       On the Welcome page of the Web enrollment site (figure 17), click the Request a certificate link.

 

Figure 17

 

3.       Click the User Certificate link on the Request a Certificate page (figure 18).

 

Figure 18

 

4.       On the User Certificate – Identifying Information page (figure 19), click the Submit button. Note that you do not need to enter any additional data because you are using an enterprise CA. The enterprise CA is able to query the Active Directory to determine the validity of your account and registers user certificate information into the Active Directory (figure 19).

 

Figure 19

 

5.       Click Yes on the Potential Scripting Violation dialog box warning you that the Web site is requesting a new certificate on your behalf (figure 20).

 

Figure 20

 

6.       On the Certificate issued page (figure 21), click the Install this certificate link (figure 21).

 

Figure 21

 

7.       Click Yes on the Potential Scripting Violation dialog box warning your that the site will add certificates to this computer (figure 22).

 

Figure 22

 

8.       Close Internet Explorer after the certificate is installed (figure 23).

 

Figure 23

 

The next step is to map the certificate to the group user account. Perform the following steps to map the user certificate to the group user account:

 

1.       At a domain controller, click Start and point to Administrative Tools and click on Active Directory Users and Computer (figure 24). Right click on the group user account you created and click the Properties command.

 

Figure 24

 

2.       In the account Properties dialog box, click on the Published Certificates tab (figure 25).

 

Figure 25

 

3.       Select the user certificate in the List of X509 certificates published for this user account and click the Copy to File button (figure 26).

 

Figure 26

 

4.       In the Save certificate to a file dialog box, enter a name for the certificate in the File name text box and click Save (figure 27).

 

Figure 27

 

5.       Click OK in the user account Properties dialog box (figure 28).

 

Figure 28

 

6.       Right click on the user account and click on the Name Mappings command (figure 29).

 

Figure 29

 

7.       In the Security Identify Mapping dialog box, click the X.509 Certificates tab and then click the Add button (figure 30).

 

Figure 30

 

8.       In the Add Certificate dialog box, locate your certificate and select it. Click the Open button (figure 31).

 

Figure 31

 

9.       You can review the configuration of the user certificate in the Add Certificate dialog box (figure 32). Make sure there is a checkmark in the Use Subject for alternate security identity checkbox. Click OK.

 

Figure 32

 

10.   The certificate now appears in the list of X-509 certificates. Click Apply and then click OK (figure 33).

 

Figure 33

 

Note that the certificate that you used to map the user account does not contain the private key for that account. You can not use this certificate that you copied to a file from the user accounts Published Certificates tab in the user’s Properties dialog box to authenticate to the ISA Server’s Incoming Web Requests listener.

 

You need to use the certificate you exported from the browser that requested the certificate. The user certificate you exported from the browser that requested the group account certificate contains the private key required to authenticate to the Incoming Web Requests listener.

 

Perform the following steps on the machine that requested the group user account certificate:

 

1.       Right click on the Internet Explorer icon on the desktop and click the Properties command (figure 34).

 

Figure 34

 

2.       In the Internet Properties dialog box (figure 35), click on the Content tab. Click the Certificates button in the Certificates frame.

 

Figure 35

 

3.       On the Personal tab (figure 36), click on the group user certificate, then click on the Export button.

 

Figure 36

 

4.       Click Next on the Welcome to the Certificate Export Wizard page (figure 37)

 

Figure 37

 

5.       On the Export Private Key page (figure 38), select Yes, export private key option and click Next. You need to include the private key so that the OWA clients can authenticate with the Incoming Web Requests listener on the firewall.

 

Figure 38

 

6.       On the Export File Format page (figure 39), select the Personal Information Exchange – PKCS #12 (.PFX) option. Place a checkmark in the Include all certificates in the certification path if possible checkbox. Remove the checkmarks from all other checkboxes. Click Next.

 

Figure 39

 

7.       On the Password page (figure 40), type in a strong password in the Password and Confirm password text boxes. Click Next.

 

Figure 40

 

8.       On the File to Export page (figure 41), type in a path and file name for the exported certificate file. Click Next. (Note: you do not need to include the file extension, it will be added for you).

 

Figure 41

 

9.       Review the settings in the Completing the Certificate Export Wizard page (figure 42). Click Finish.

 

Figure 42

 

10.   Click OK in the Certificate Export Wizard dialog box (figure 43).

 

Figure 43

 

11.   Click the Close button in the Certificates dialog box (figure 44).

 

Figure 44

 

12.   Click OK in the Internet Properties dialog box (figure 45).

 

Figure 45

 

This exported certificate contains the group user account’s private key. You must keep this certificate under tight administrative control because it contains the private key for the account. The next step is to install the group user certificate onto the machines that require access to the OWA Web site.

 

 

Install the group certificate into the OWA client browser

 

Copy the export group user certificate file to the machines that require access to the OWA Web site. Then perform the following steps to import the certificate into the machine’s certificate store:

 

1.       Log on with the user account the user will log in to when accessing the OWA site from this machine. Right click the Internet Explorer icon on the desktop and click the Properties command (figure 46)

 

Figure 46

 

2.       Click on the Content tab in the Internet Properties dialog box (figure 47). Click on the Certificates button in the Certificates frame.

 

Figure 47

 

3.       In the Certificates dialog box, click on the Import button (figure 48).

 

Figure 48

 

4.       Click Next on the Welcome to the Certificate Import Wizard page (figure 49).

 

Figure 49

 

5.       On the File to Import page, enter the name and location in the File name text box. Use the Browse button to simplify this task. Click Next.

 

Figure 50

 

6.       Type in the password you assigned to the certificate file in the Password text box on the Password page (figure 51). Do not put checkmarks in the Enabled strong private key protection and Mark the private key as exportable checkboxes. You do not want to enable strong private key protection because this will prevent the user from being able to log onto the OWA site. You do not want to put a checkmark in the Mark the private key as exportable checkbox because this will allow the user to export the certificate with its private key. You do not want users to have administrative control over the group user certificate. Click Next.

 

Figure 51

 

7.       Select the Automatically select the certificate store based on the type of certificate option on the Certificate Store dialog box (figure 52). Click Next.

 

Figure 52

 

8.       Review the settings on the Completing the Certificate Import Wizard page (figure 53) and click Finish.

 

Figure 53

 

9.       Click OK in the Certificate Import Wizard dialog box (figure 54).

 

Figure 54

 

10.   Close the Certificates dialog box (figure 55).

 

Figure 55

 

 

 

Test client certificate authentication to the Incoming Web Requests listener

 

Let’s see what the remote user see when he logs onto the OWA Web site using client certificate authentication.

 

Perform the following steps to log onto the OWA Web site that is protected by client certificate authentication on the Incoming Web Requests listener after you have install the group user certificate on the OWA client:

 

1.