Multi-Factor authentication with Exchange Outlook Anywhere?

In some organizations, in particular the Department of Defense, we are required to use CAC (SmartCard) authentication to access a variety of resources internally and externally. At my previous job I really loved using Outlook Anywhere (formerlly known as RPC over HTTP), from literally anywhere without a VPN.

Unfortunately, Microsoft does NOT support multi-factor authentication for Outlook Anywhere even if you are running Outlook 2007, Windows 7, or Exchange 2007. This is due to limitations of the RPC over HTTP implementation which can only utilize NTLM, not Kerberos or other forms of authentication. Even if you throw ISA in the mix, which can use smart card authentication, you are still limited by the Exchange server only supporting NTLM.

So how can I return to the bliss of accessing my corporate e-mail from anywhere, anytime, via any network? Well there’s a few glimmers of hope, but none are quick fixes. Microsoft is considering releasing a hotfix in the spring or summer of 2010 which will enable Windows Vista and higher in conjunction with Exchange 2010 to utilize multi-factor authentication. I say consider, because Microsoft has NOT made a firm commitment to deliver such a hotfix.

Why only Windows Vista or later and Exchange 2010? There are some significant architectural changes in Exchange 2010 that allowed Microsoft to re-write the RPC authentication mechanism to support additional protocols besides NTLM. Specifically, now that Outlook clients communicate via MAPI to a CAS server in Exchange 2010 (vice the mailbox server in 2007 and earlier), Microsoft was able to make major changes and improvements. Why only Windows Vista and later? Back porting the required changes to Windows XP was not very feasible and would have required a lot of development work. Plus the OS is nearly end of life, so it didn’t make the cut.

If you are an organization which would like multi-factor authentication for Outlook Anywhere, please, please, bug your Microsoft rep and make it known you want such a feature. The more customers complain to Microsoft, the better chance they will follow through with the hotfix.

What can you do in the mean time (before summer 2010)? Well there are a few options. One would be to use Windows 7 and Windows Server 2008 R2 with DirectAccess. DirectAccess sets up a transparent IPv6 IPsec tunnel to your corporate network which tunnels application requests directly to the intranet. DirectAccess CAN use multi-factor authentication, so before Outlook attempts to make a connection to Exchange, you are securely authenticated. Problem solved, plus DirectAccess gives you many other advantages over a traditional VPN.

Another option, which you can to TODAY, is configure ISA server for an IPSec VPN tunnel using certificates. After the IPsec tunnel is established you would launch Outlook and get your e-mail. Unlike DirectAccess, this is more a traditional VPN and comes with other down sides while the VPN is up. Not ideal, but better than being without e-mail.

The easiest option is to forget about running Outlook while on the road, and just use OWA. SmartCard enabling OWA, even with ISA in the mix, is not a monumental task. You can SmartCard enable OWA with Exchange 2003 and Exchange 2007. As a side note, OWA in Exchange 2010 is almost on par feature wise with the fat Outlook client. Microsoft has done an amazing job of bring a rich client experience to the web. Microsoft has a few good articles on Smarcard enabling OWA. See the links below.

Exchange 2003

Exchange 2007

If you are a DoD entity and want to CAC enable ISA, see this short draft document created by DISA as a configuration addendum for some pointers. CAC enabling SharePoint 2007 is much more complicated, so I won’t dip into that topic right now.

Related Posts

Subscribe
Notify of
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Rob
May 15, 2012 5:17 pm

Does Exchange 2010 OWA have native smart card auth support? I heard TMG/ISA is going away, and am wondering if it’s possible to do without TMG.