Re: SSL sign in to OWA
- From: "processendnow" <shainefisher@xxxxxxxxxxx>
- Date: 26 Jan 2006 07:35:09 -0800
> Can you post the entire solution that you developed. I'd be interested in
> understanding what you did.
>
> Nue
>
I'm going to start this with a down note: After 4 or so hours of
getting this to work in the lab, I installed sharepoint services 2, and
basically buggered it all up, oh well, got it working again, but I
learn lots whenever I try something new!!
Anyone know if they got the sharepoint and exchange 2003 to work yet,
It's ideal for me, sharepoint takes the root of the site, cert services
and exchange take subdirs, as this is only internal for my staff I'd
love to be able to do it.
Right the whole solution as I have it now:
Install FE and BE servers for exchange 2003.
Disable FBA on the FE server
In IIS r/click the exchange directory > properties > directory security
under authentication and access control, clear basic authentication,
clear anon access
enable integrated windows authentication
OK
Secure communications
check Require SSL > check Require 128bit
check Require client certificates
Under client certificate mapping > 1-to-1 map the user certificate to
the AD user account
*In order to do this I exported all of the users certificates to a
shared folder, IIS just requires a certificate to get the data from, I
used *.cer files, if the user changes the certificate you have to do
this again, and I had to do it a lot of times, really only recommended
for small numbers of users, unless you can come up with a script that
does the mapping for you, I havn't had time yet
**You can't do many-to-1 because the certificate contains the UPN and
you add the password when you add the cert, so many to 1 can't work in
this
Restart IIS
http://www.yourdomain.com/exchange/
you get a prompt to select the certificate from your certs, click it,
bingo, accessed, and working.
***If you use multiple machines, and get a cert from the CA seperately
for each one, you WILL have problems, thhaat's why I mentioned about
the profiles and taking certss with them, but I will have to look into
this some more.
But the concept appears to be flawless.
But with all good concepts either you ot Microsoft are going to come in
tell me why this is wrong, which is why I'm testing it for a few weeks
in a lab, and while I try and find a way to do this for hundreds of
users without getting RSI.
Hope this helps, all feedback welcome, you can post to my email if you
want
Regards
Shaine
.
- Follow-Ups:
- Re: SSL sign in to OWA
- From: processendnow
- Re: SSL sign in to OWA
- References:
- SSL sign in to OWA
- From: processendnow
- Re: SSL sign in to OWA
- From: Lee Derbyshire
- Re: SSL sign in to OWA
- From: processendnow
- Re: SSL sign in to OWA
- From: processendnow
- Re: SSL sign in to OWA
- From: processendnow
- Re: SSL sign in to OWA
- From: processendnow
- Re: SSL sign in to OWA
- From: Nuevo
- SSL sign in to OWA
- Prev by Date: Block a Single IP in Exchange 2003
- Next by Date: Re: Help settle a dispute..
- Previous by thread: Re: SSL sign in to OWA
- Next by thread: Re: SSL sign in to OWA
- Index(es):
Relevant Pages
|
